Net::HTTPS client certificate authentication

Hi,

I’m trying to authenticate with an apache web server using client
certificate authentication, here is the code snippet:

        http = Net::HTTP.new(appliance.hostname,

Net::HTTP.https_default_port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

        File.open("/tmp/controller.pem") do |cert_file|
          key_data = cert_file.read
          http.cert = OpenSSL::X509::Certificate.new(key_data)
          #http.key = OpenSSL::PKey::RSA.new(key_data, nil)
          logger.info key_data
        end

        req = Net::HTTP::Post.new('/policy/upload_and_apply')
        req.set_form_data({
          'filename'=>@baseline.name,
          'baseline'=>@baseline.baseline,
          'description'=>@baseline.description}, ';')

        result = http.start {|http| http.request(req)}

If I use the line http.key = I get an exception with the error:

Neither PUB key nor PRIV key:: nested asn1 error

without it I get the error:

SSL_read:: ssl handshake failure

On the apache side it shows this:

[Tue Nov 14 16:31:39 2006] [debug] ssl_engine_kernel.c(1745): OpenSSL:
Write: SSLv3 read client certificate B
[Tue Nov 14 16:31:39 2006] [debug] ssl_engine_kernel.c(1764): OpenSSL:
Exit: error in SSLv3 read client certificate B
[Tue Nov 14 16:31:39 2006] [error] Re-negotiation handshake failed: Not
accepted by client!?
[Tue Nov 14 16:31:39 2006] [debug] ssl_engine_io.c(1483): [client
192.168.0.203] read from buffered SSL brigade, mode 0, 8192 bytes
[Tue Nov 14 16:31:39 2006] [debug] ssl_engine_io.c(1542): [client
192.168.0.203] buffered SSL brigade now exhausted; removing filter

(There’s lots more, this seems like the most pertinent bit).

The same certificate works fine when supplied in Firefox but not from
my ruby code.
Any ideas?

Cheers,
John

The same certificate works fine when supplied in Firefox but not from
my ruby code.
Any ideas?

Doesn’t sound like the private key is actually in controller.pem.

Chris

If Firefox can successfully authenticate with the certificate but Ruby
cannot, surely not having a private key in the certificate makes no
difference.

Or is the Ruby HTTPS module not capable of using the same
authentication method?

On 11/15/06, azathoth [email protected] wrote:

If Firefox can successfully authenticate with the certificate but Ruby
cannot, surely not having a private key in the certificate makes no
difference.

That’s not quite how it works. The certificate contains the public
key, the private key is separate, and both are required for client
authentication. When you export a certificate from firefox it exports
a PKCS12 envelope that contains both the certificate and the private
key.

Chris

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs