Object
Represents the SSL configuration of an HTTPClient instance. The implementation depends on OpenSSL.
SSLConfig loads ‘httpclient/cacert.p7s’ as a trust anchor (trusted certificate(s)) with set_trust_ca at initialization time. This means that an HTTPClient instance trusts some CA certificates by default, as Web browsers do. ‘httpclient/cacert.p7s’ is created by the author and included in the released package.
‘cacert.p7s’ is automatically generated from JDK 1.6.
You may want to change the trust anchor yourself. Call clear_cert_store and then set_trust_ca for that purpose.
client_cert | OpenSSL::X509::Certificate: certificate for SSL client authentication. nil by default (no client authentication). |
client_key | OpenSSL::PKey::PKey: private key for SSL client authentication. nil by default (no client authentication). |
verify_mode | A number which represents OpenSSL’s verify mode. Default value is OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT. |
verify_depth | A number giving the verify depth. A certification path longer than this depth is not allowed. |
verify_callback | A callback handler for custom certificate verification. nil by default. If the handler is set, handler.call is invoked just after OpenSSL’s general verification. handler.call is invoked with 2 arguments, ok and ctx; ok is the result of OpenSSL’s general verification and ctx is an OpenSSL::X509::StoreContext. |
options | A number of OpenSSL’s SSL options. Default value is OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2. |
ciphers | A String of OpenSSL’s cipher configuration. Default value is ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH. See ciphers(1) man in OpenSSL for more detail. |
cert_store | OpenSSL::X509::Store used for verification. You can reset the store with clear_cert_store and set a new store with cert_store=. |
Creates an SSLConfig.
  # File lib/httpclient/ssl_config.rb, line 73
  def initialize(client)
    return unless SSLEnabled
    @client = client
    @cert_store = X509::Store.new
    @client_cert = @client_key = @client_ca = nil
    @verify_mode = SSL::VERIFY_PEER | SSL::VERIFY_FAIL_IF_NO_PEER_CERT
    @verify_depth = nil
    @verify_callback = nil
    @dest = nil
    @timeout = nil
    @options = defined?(SSL::OP_ALL) ? SSL::OP_ALL | SSL::OP_NO_SSLv2 : nil
    @ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
    load_cacerts
  end
Sets a new certificate store (OpenSSL::X509::Store). Don’t use this unless you know what it is.
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 133
  def cert_store=(cert_store)
    @cert_store = cert_store
    change_notify
  end
Sets cipher configuration. New value must be a String.
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 214
  def ciphers=(ciphers)
    @ciphers = ciphers
    change_notify
  end
Drops the current certificate store (OpenSSL::X509::Store) for SSL and creates a new one for the next session.
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 124
  def clear_cert_store
    @cert_store = X509::Store.new
    change_notify
  end
Sets certificate (OpenSSL::X509::Certificate) for SSL client authentication. client_key and client_cert must be a pair.
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 93
  def client_cert=(client_cert)
    @client_cert = client_cert
    change_notify
  end
Sets private key (OpenSSL::PKey::PKey) for SSL client authentication. client_key and client_cert must be a pair.
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 102
  def client_key=(client_key)
    @client_key = client_key
    change_notify
  end
Default callback for verification: it only dumps the error and returns OpenSSL’s own verdict unchanged.
  # File lib/httpclient/ssl_config.rb, line 270
  def default_verify_callback(is_ok, ctx)
    if $DEBUG
      puts "#{ is_ok ? 'ok' : 'ng' }: #{ctx.current_cert.subject}"
    end
    if !is_ok
      depth = ctx.error_depth
      code = ctx.error
      msg = ctx.error_string
      STDERR.puts "at depth #{depth} - #{code}: #{msg}"
    end
    is_ok
  end
Sets SSL options. New value must be a combination of the constants OpenSSL::SSL::OP_*.
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 206
  def options=(options)
    @options = options
    change_notify
  end
Sample callback method: CAUTION: does not check CRL/ARL.
  # File lib/httpclient/ssl_config.rb, line 284
  def sample_verify_callback(is_ok, ctx)
    unless is_ok
      depth = ctx.error_depth
      code = ctx.error
      msg = ctx.error_string
      STDERR.puts "at depth #{depth} - #{code}: #{msg}" if $DEBUG
      return false
    end

    cert = ctx.current_cert
    self_signed = false
    ca = false
    pathlen = nil
    server_auth = true
    self_signed = (cert.subject.cmp(cert.issuer) == 0)

    # Check extensions whatever its criticality is. (sample)
    cert.extensions.each do |ex|
      case ex.oid
      when 'basicConstraints'
        /CA:(TRUE|FALSE), pathlen:(\d+)/ =~ ex.value
        ca = ($1 == 'TRUE')
        pathlen = $2.to_i
      when 'keyUsage'
        usage = ex.value.split(/\s*,\s*/)
        ca = usage.include?('Certificate Sign')
        server_auth = usage.include?('Key Encipherment')
      when 'extendedKeyUsage'
        usage = ex.value.split(/\s*,\s*/)
        server_auth = usage.include?('Netscape Server Gated Crypto')
      when 'nsCertType'
        usage = ex.value.split(/\s*,\s*/)
        ca = usage.include?('SSL CA')
        server_auth = usage.include?('SSL Server')
      end
    end

    if self_signed
      STDERR.puts 'self signing CA' if $DEBUG
      return true
    elsif ca
      STDERR.puts 'middle level CA' if $DEBUG
      return true
    elsif server_auth
      STDERR.puts 'for server authentication' if $DEBUG
      return true
    end

    return false
  end
Sets certificate and private key for SSL client authentication.
cert_file | must be a filename of PEM/DER formatted file. |
key_file | must be a filename of PEM/DER formatted file. Key must be an RSA key. If you want to use other PKey algorithm, use client_key=. |
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 114
  def set_client_cert_file(cert_file, key_file)
    @client_cert = X509::Certificate.new(File.open(cert_file).read)
    @client_key = PKey::RSA.new(File.open(key_file).read)
    change_notify
  end
Adds CRL for verification.
crl | an OpenSSL::X509::CRL or a filename of a PEM/DER formatted OpenSSL::X509::CRL. |
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 159
  def set_crl(crl)
    unless crl.is_a?(X509::CRL)
      crl = X509::CRL.new(File.open(crl).read)
    end
    @cert_store.add_crl(crl)
    @cert_store.flags = X509::V_FLAG_CRL_CHECK | X509::V_FLAG_CRL_CHECK_ALL
    change_notify
  end
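Two behaviours described on this page, the (ok, ctx) contract of verify_callback and the CRL check that set_crl enables with V_FLAG_CRL_CHECK | V_FLAG_CRL_CHECK_ALL, exercised against a throwaway PKI. This is an added example, not code from httpclient: it drives OpenSSL::X509::Store directly, the same class SSLConfig keeps in cert_store, so it runs without the gem. The helpers issue_cert, build_crl, logging_callback and verify_with_store, the ‘Example Test CA’ and the *.example.test subjects are all constructed for the example.

```ruby
require 'openssl'

# Constructed throwaway PKI for the example (not httpclient code): one CA,
# one server certificate we will revoke and one we will leave valid.
def issue_cert(cn, key, serial, ca:, issuer: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[:cert] : cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT = issue_cert('Example Test CA', CA_KEY, 1, ca: true)
CA      = { cert: CA_CERT, key: CA_KEY }
REVOKED_LEAF = issue_cert('revoked.example.test', OpenSSL::PKey::RSA.new(2048), 1001, ca: false, issuer: CA)
GOOD_LEAF    = issue_cert('good.example.test',    OpenSSL::PKey::RSA.new(2048), 1002, ca: false, issuer: CA)

# A CRL signed by the CA that lists the given serials as revoked.
def build_crl(ca, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca[:cert].subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(ca[:key], OpenSSL::Digest.new('SHA256'))
  crl
end

CRL = build_crl(CA, [REVOKED_LEAF.serial])

# A handler with the (ok, ctx) contract verify_callback expects. It records
# what OpenSSL rejected and returns ok unchanged: a handler that returned true
# here would override OpenSSL's own verdict.
def logging_callback(log)
  proc do |ok, ctx|
    unless ok
      subject = ctx.current_cert ? ctx.current_cert.subject.to_s : '(none)'
      log << "at depth #{ctx.error_depth} - #{ctx.error}: #{ctx.error_string} #{subject}"
    end
    ok
  end
end

# Verify a certificate against a store built the way SSLConfig builds its own;
# when a CRL is given, also set the flags set_crl uses.
def verify_with_store(cert, trust_anchors:, crl: nil)
  store = OpenSSL::X509::Store.new
  trust_anchors.each { |anchor| store.add_cert(anchor) }
  if crl
    store.add_crl(crl)
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  end
  log = []
  store.verify_callback = logging_callback(log)
  ok = store.verify(cert)
  { ok: ok, error: store.error, error_string: store.error_string, log: log }
end

def results
  {
    trusted:     verify_with_store(GOOD_LEAF, trust_anchors: [CA_CERT]),
    no_anchor:   verify_with_store(GOOD_LEAF, trust_anchors: []),
    crl_good:    verify_with_store(GOOD_LEAF, trust_anchors: [CA_CERT], crl: CRL),
    crl_revoked: verify_with_store(REVOKED_LEAF, trust_anchors: [CA_CERT], crl: CRL)
  }
end

if __FILE__ == $PROGRAM_NAME
  results.each do |name, r|
    puts "#{name}: ok=#{r[:ok]} error=#{r[:error]} #{r[:error_string]}"
    r[:log].each { |line| puts "  #{line}" }
  end
end
```

The callback returns ok unchanged, which is the point of the contract: OpenSSL has already decided, and a handler that answers true on a false ok silently accepts the chain. That is why both default_verify_callback and sample_verify_callback return false whenever is_ok is false. With the CRL loaded the unrevoked certificate still verifies, so the CRL flags cost nothing for valid chains, while the revoked one fails with V_ERR_CERT_REVOKED at depth 0 and the handler sees that error before the connection is used.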
Sets trust anchor certificate(s) for verification.
trust_ca_file_or_hashed_dir | a filename of a PEM/DER formatted OpenSSL::X509::Certificate, or the name of a ‘c-rehash’ed directory which stores trusted certificate files. |
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 145
  def set_trust_ca(trust_ca_file_or_hashed_dir)
    if FileTest.directory?(trust_ca_file_or_hashed_dir)
      @cert_store.add_path(trust_ca_file_or_hashed_dir)
    else
      @cert_store.add_file(trust_ca_file_or_hashed_dir)
    end
    change_notify
  end
Sets SSL timeout in sec.
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 197
  def timeout=(timeout)
    @timeout = timeout
    change_notify
  end
Sets callback handler for custom certificate verification. See verify_callback.
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 189
  def verify_callback=(verify_callback)
    @verify_callback = verify_callback
    change_notify
  end
Sets verify depth. New value must be a number.
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 180
  def verify_depth=(verify_depth)
    @verify_depth = verify_depth
    change_notify
  end
Sets the verify mode of OpenSSL. New value must be a combination of the constants OpenSSL::SSL::VERIFY_*.
Calling this method resets all existing sessions.
  # File lib/httpclient/ssl_config.rb, line 172
  def verify_mode=(verify_mode)
    @verify_mode = verify_mode
    change_notify
  end
  # File lib/httpclient/ssl_config.rb, line 337
  def change_notify
    @client.reset_all
  end
  # File lib/httpclient/ssl_config.rb, line 341
  def load_cacerts
    [
      [DIST_CERT, 'cacert.p7s'],
      [DIST_CERT_SHA1, 'cacert_sha1.p7s']
    ].each do |cert_str, ca_file|
      file = File.join(File.dirname(__FILE__), ca_file)
      if File.exist?(file)
        p7 = PKCS7.read_smime(File.open(file) { |f| f.read })
        selfcert = X509::Certificate.new(cert_str)
        store = X509::Store.new
        store.add_cert(selfcert)
        if (p7.verify(nil, store, p7.data, 0))
          set_trust_ca(file)
          return
        end
      end
    end
    STDERR.puts("cacerts loading failed")
  end
Generated with the Darkfish Rdoc Generator 1.1.6.