Charles R. wrote:
Thanx Brian for your points…
- I checked whether the certificate is signed using the following cmd:
openssl x509 -text -in sdk-cert.pem
You need to look at the certificate of the other side that you are
connecting to (openssl s_client -connect whatever.com:443)
- Here I am not sure whether the certificate is signed or not…
- Also I tried the following cmd as you mentioned:
openssl s_client -connect www.paypal.com:443
Loading ‘screen’ into random state - done
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=© 2006
nc. - For authorized use only/CN=VeriSign Class 3 Public Primary
uthority - G5
verify error:num=20:unable to get local issuer certificate
OK that’s good. So this means:
(1) you’re trying to connect to www.paypal.com
(2) www.paypal.com presents a certificate signed by VeriSign
(3) openssl doesn’t have a copy of VeriSign’s root certificate, so
cannot verify PayPal’s certificate.
You need a copy of VeriSign’s certificate stored on your machine.
Normally your machine would come with it pre-installed.
What platform are you running this under? For example, Ubuntu has a
package called “ca-certificates”, which installs links in
/etc/ssl/certs. You can make a fully verified SSL connection like this:
openssl s_client -CApath /etc/ssl/certs -connect www.paypal.com:443
Verify return code: 0 (ok)
Once you’ve got that working, then you can do the equivalent in Ruby,
e.g. using http.ca_path = "/etc/ssl/certs"
NB: The PEM certificate file has both the private key & the certificate.
That’s your private key and certificate, which you’re presenting to
Paypal to prove your identity.
The problem is in the other direction, with Paypal presenting their
certificate to you to prove their identity. (Which of course they have
to do: you wouldn’t want someone impersonating Paypal to intercept the
connection and collect all these credit card details you’re sending
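The verification Brian describes, reproduced in Ruby's OpenSSL bindings as an added example (not code from Charles or Brian): a constructed throw-away root CA and a server certificate it signs stand in for VeriSign and PayPal, so the script runs offline. Verifying the server certificate against an empty trust store yields error 20 ("unable to get local issuer certificate"); adding the root to the store, as -CApath /etc/ssl/certs does, makes it verify with return code 0. The last function shows the matching Net::HTTP setup (host name and ca_path are assumptions).

```ruby
require 'openssl'
require 'net/http'

# Build one X.509 certificate. issuer_cert/issuer_key are nil for a self-signed root.
def make_cert(subject, issuer_cert, issuer_key, key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed test PKI: a root CA (plays VeriSign) and a server cert it signs (plays PayPal).
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Example Test Root CA', nil, nil, CA_KEY, 1, ca: true)
SERVER_KEY = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = make_cert('/CN=www.example.test', CA_CERT, CA_KEY, SERVER_KEY, 2)

# Verify the certificate the *other side* presents against the roots we trust.
# Returns [ok, error_code, error_string], the counterpart of s_client's "Verify return code".
def verify_server_cert(server_cert, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  ok = store.verify(server_cert)
  [ok, store.error, store.error_string]
end

# Net::HTTP configured the way Brian suggests: peer verification on, roots from ca_path.
# Only builds the client; it does not connect.
def verified_client(host, ca_path)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER # refuse an unverifiable peer
  http.ca_path = ca_path
  http
end

if __FILE__ == $0
  p verify_server_cert(SERVER_CERT, [])        # [false, 20, "unable to get local issuer certificate"]
  p verify_server_cert(SERVER_CERT, [CA_CERT]) # [true, 0, "ok"]
end
```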