You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As a developer I would like to see (DEBUG) logging from OpenSSL. We have a Ruby application that connects to Amazon Cloudfront to retrieve a file. This runs through a network outside of our control containing NAT gateways, proxies, etc.
This works 99% of the time, but Intermittently we get a self signed certificate error:
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0
peeraddr=18.66.171.65:443 state=error: certificate verify failed
(self signed certificate in certificate chain))
But it doesn't show WHICH certificate (or subject, fignerprint, ...) is being seen.
Question / Request
Ideally we would have a ruby OpenSSL flag that instructs OpenSSL to do its (DEBUG) logging so we can get this information. I can see OpenSSL is logging the desired information in:
This is not ideal as it requires code changes in our Ruby apps, which is using httparty as a wrapper. Also we would be replicating logging that is already done by OpenSSL.
The fact that this SSL Docter script exists seems to confirm there is no Ruby OpenSSL::xxx flag to achieve this?
Would it be possible to implement such a flag? Is there an alternative way to achieve the same?
The text was updated successfully, but these errors were encountered:
I don't think the comparison is fair about reuse - the code linked is from the openssl x509 utility, not the OpenSSL library. Both use the same callback mechanism to hook into the verification process.
Would it be possible to implement such a flag? Is there an alternative way to achieve the same?
You could open a PR to tweak the error message here:
Hi,
Problem
As a developer I would like to see (DEBUG) logging from OpenSSL. We have a Ruby application that connects to Amazon Cloudfront to retrieve a file. This runs through a network outside of our control containing NAT gateways, proxies, etc.
This works 99% of the time, but Intermittently we get a self signed certificate error:
But it doesn't show WHICH certificate (or subject, fignerprint, ...) is being seen.
Question / Request
Ideally we would have a ruby OpenSSL flag that instructs OpenSSL to do its (DEBUG) logging so we can get this information. I can see OpenSSL is logging the desired information in:
https://github.com/openssl/openssl/blob/6288aa440c1ba111eaf52cf79659a25329205022/crypto/x509/t_x509.c#L484-L501
Is it possible to get the Ruby app to log this information?
I have found
OpenSSL::debug=true
, but this only seems to trigger debug logging done in this Ruby Gem.In java we have -Djava.net.debug=ssl, but I realize that is not using OpenSSL underneath.
Alternative
I have found a way to get Ruby to log the self-signed certificate that is being seen in Ruby via https://github.com/mislav/ssl-tools/blob/master/doctor.rb. Something along these lines, where the
store_context
contains the failed certificat:This is not ideal as it requires code changes in our Ruby apps, which is using httparty as a wrapper. Also we would be replicating logging that is already done by OpenSSL.
The fact that this SSL Docter script exists seems to confirm there is no Ruby OpenSSL::xxx flag to achieve this?
Would it be possible to implement such a flag? Is there an alternative way to achieve the same?
The text was updated successfully, but these errors were encountered: