This repository has been archived by the owner on Jul 20, 2022. It is now read-only.

Spike on a Ruby SSL Server with Client Certificate Authentication

suhlig/ruby-ssl-server

This spike, done as part of the Cloud Foundry bits-service, is a simple Ruby web server that uses SSL certificates to authenticate clients at the TLS layer.

It is based on an earlier article and adds:

  • Certificate generation using scripts borrowed from Cloud Foundry, which internally use certstrap
  • Client certificate authentication (mainly by adding the OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT flag, as recommended in this article)
  • A simple test using curl

Test

Don't run this on OSX due to its old OpenSSL library. It does work on a Linux system, e.g. using the provided Vagrant file:

  1. Add cc.service.cf.internal as an additional alias of localhost to /etc/hosts
  2. Start the server:

         cd /vagrant/
         ruby ssl-server.rb

  3. Run tests using curl:

         curl https://cc.service.cf.internal:8443/ \
             --cacert certificates/ca.crt          \
             --cert certificates/bits-service.crt  \
             --key certificates/bits-service.key

This one must fail due to VERIFY_FAIL_IF_NO_PEER_CERT:

curl https://cc.service.cf.internal:8443/ --cacert certificates/ca.crt
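
The two curl outcomes above, plus the case where the flag is left out, reproduced in one process as an added example (this is not the repository's ssl-server.rb). It assumes a throwaway CA generated in memory instead of the certstrap scripts, a loopback port, and the hypothetical helper names `issue` and `handshake`.

```ruby
require "openssl"
require "socket"

# Constructed throwaway PKI, generated in memory (the repository uses certstrap scripts).
def issue(cn, ca = nil, ca_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca ? ca.subject : cert.subject
  cert.public_key = key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", "CA:TRUE", true)) unless ca
  cert.sign(ca_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

CA, CA_KEY = issue("constructed-test-ca")
TRUST = OpenSSL::X509::Store.new.add_cert(CA)

# One handshake: returns the client subject, nil for an accepted anonymous client, or :rejected.
def handshake(server_verify_mode, client_presents_cert)
  srv = OpenSSL::SSL::SSLContext.new
  srv.cert, srv.key = issue("localhost", CA, CA_KEY)
  srv.cert_store = TRUST
  srv.verify_mode = server_verify_mode
  tcp = TCPServer.new("127.0.0.1", 0)
  client = Thread.new do
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.cert, ctx.key = issue("bits-service", CA, CA_KEY) if client_presents_cert
    ctx.cert_store = TRUST
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # chain only; hostname check omitted here
    ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tcp.addr[1]), ctx)
    ssl.connect
    ssl.read(1) # TLS 1.3 surfaces a server-side rejection only on the first read
    ssl.close
  rescue OpenSSL::SSL::SSLError, SystemCallError # verdict is taken on the server side
  end
  conn = OpenSSL::SSL::SSLServer.new(tcp, srv).accept
  conn.peer_cert&.subject&.to_s
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  conn&.close
  client&.join
  tcp&.close
end
```

With `VERIFY_PEER` alone the server requests a certificate but still completes the handshake when none is sent, so `peer_cert` is nil and any authorization check that assumes an authenticated peer must handle that case.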

Certificate Rotation

TBD
