SSL guide is incomplete #174

Open
duckinator opened this issue Oct 28, 2016 · 9 comments

Comments

@duckinator
Member

duckinator commented Oct 28, 2016

The SSL guide appears to only work if you're not using a version manager for Ruby (RVM, rbenv, etc).

I'm still collecting information about and helping resolve this in rubygems/rubygems#1758.

However, some relevant links from that thread:

EDIT: The gist has insecure instructions.

@drbrain
Member

drbrain commented Oct 28, 2016

The gist has an insecure set of instructions, since it uses HTTP to download the CA certificates. We can't tell people to use these instructions since they don't establish a complete chain of trust.

@duckinator
Member Author

Ah, good catch.

I'm not sure what the RVM one is doing: https://github.com/rvm/rvm/blob/master/scripts/osx-ssl-certs

@drbrain
Member

drbrain commented Oct 28, 2016

Looks like RVM extracts its CA cert list from the OS X keychain:

https://github.com/rvm/rvm/blob/master/scripts/functions/osx-ssl-certs#L43-L47

Unfortunately this list includes CA certificates you've marked as untrusted. There should be a way around this.

@duckinator
Member Author

duckinator commented Oct 28, 2016

Hmm, that's no good at all. I imagine there'd be a flag you could pass or something, but I don't have access to a macOS system to try to find it.

@indirect
Member

Don't forget this blog post and its associated script (which have saved me from SSL errors I did not understand many times over at this point): http://mislav.net/2013/07/ruby-openssl/

@indirect
Member

Also, please note that haxx.se now provides the Curl CA bundle via HTTPS: https://curl.haxx.se/ca/cacert.pem

@drbrain
Member

drbrain commented Oct 29, 2016

It's hard to get the Curl CA bundle via HTTPS if you don't already have the CA certificate to verify the server certificate

@indirect
Member

I am assuming the existence of a browser (eg Firefox, Chrome) with its own set of trusted certs, so a user can fetch cacert.pem securely and then manually use it to validate future Ruby SSL connections.

@drbrain
Member

drbrain commented Oct 29, 2016

Yes, or bundle the CA certificate inside the script doing the fetching (like RubyGems)
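The thread above turns on one point: a CA bundle only gives you a chain of trust if the bundle itself arrived intact, and a script that ships its own trust anchors can check that before using a downloaded one. The Ruby below is an added example written for this page, not code from the issue, RubyGems, RVM, or the linked gist. It builds two constructed roots in memory (no real CA material), shows that a leaf signed by an attacker's root is rejected against the genuine bundle but accepted once that root has been appended to the bundle (what a plain-HTTP download can turn into), and shows how pinning the SHA-256 fingerprints of the roots you expect rejects the tampered bundle. The hostname `rubygems.org`, the helper names, and the `demo` function are assumptions for illustration.

```ruby
require "openssl"

PEM_RE = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Fields shared by CA and leaf certificates (constructed test data, short-lived).
def base_cert(subject, issuer, key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert
end

# A self-signed root CA, standing in for a real root such as those in cacert.pem.
def make_ca(name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = base_cert("/CN=#{name}", OpenSSL::X509::Name.parse("/CN=#{name}"), key, 1)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# A server certificate for +hostname+ issued by the given CA.
def issue_leaf(hostname, ca_cert, ca_key)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = base_cert("/CN=#{hostname}", ca_cert.subject, key, 2)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}"))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Parse a PEM bundle (the format cacert.pem uses) into certificate objects.
def certs_from_bundle(bundle_pem)
  bundle_pem.scan(PEM_RE).map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Trust store built from a bundle, the way SSLContext#cert_store consumes it.
def store_from_bundle(bundle_pem)
  store = OpenSSL::X509::Store.new
  certs_from_bundle(bundle_pem).each { |c| store.add_cert(c) }
  store
end

# Does +leaf+ chain to a root in +bundle_pem+? This is the check VERIFY_PEER performs.
def chains_to_bundle?(leaf, bundle_pem)
  store_from_bundle(bundle_pem).verify(leaf)
end

# Client context that trusts only the given bundle. VERIFY_NONE, the usual
# "quick fix" for Ruby SSL errors, would skip this check entirely.
def client_context(bundle_pem)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = store_from_bundle(bundle_pem)
  ctx
end

# SHA-256 fingerprint of a certificate's DER encoding.
def fingerprint(cert)
  OpenSSL::Digest.new("SHA256").hexdigest(cert.to_der)
end

# A script that ships its own trust anchors can accept a downloaded bundle only
# if every root in it matches a pinned fingerprint, so a bundle altered in
# transit is rejected instead of silently extending trust to an extra root.
def bundle_pinned?(bundle_pem, pinned_fingerprints)
  certs = certs_from_bundle(bundle_pem)
  !certs.empty? && certs.all? { |c| pinned_fingerprints.include?(fingerprint(c)) }
end

def demo
  real_ca, real_key = make_ca("Constructed Trusted Root")
  mitm_ca, mitm_key = make_ca("Constructed MITM Root")
  real_leaf = issue_leaf("rubygems.org", real_ca, real_key)
  mitm_leaf = issue_leaf("rubygems.org", mitm_ca, mitm_key)

  good_bundle = real_ca.to_pem
  # What a bundle fetched over plain HTTP can become: an attacker appends a root.
  tampered_bundle = real_ca.to_pem + mitm_ca.to_pem
  pinned = [fingerprint(real_ca)]

  {
    real_leaf_good_bundle: chains_to_bundle?(real_leaf, good_bundle),
    mitm_leaf_good_bundle: chains_to_bundle?(mitm_leaf, good_bundle),
    mitm_leaf_tampered_bundle: chains_to_bundle?(mitm_leaf, tampered_bundle),
    good_bundle_pinned: bundle_pinned?(good_bundle, pinned),
    tampered_bundle_pinned: bundle_pinned?(tampered_bundle, pinned),
    verify_peer_set: client_context(good_bundle).verify_mode == OpenSSL::SSL::VERIFY_PEER
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Run it with `ruby` and the hash shows the two failure modes side by side: the MITM leaf fails against the genuine bundle but passes against the tampered one, while the fingerprint check catches the tampered bundle. In a real script the pinned fingerprints would be hard-coded alongside the embedded CA certificate, which is the approach drbrain describes; downloading cacert.pem over HTTPS from a browser that already has its own roots, as indirect suggests, is the manual equivalent.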
