Ruby OpenSSL: Why valid TLS certs are not detected?

Hi, I’m playing with Ruby OpenSSL in order to validate certificates.
I’ve started with a code very similar to the present in
https://github.com/negativecode/vines/blob/master/lib/vines/store.rb.

Basically I get the list of CA Root Certificates from Mozilla:
http://curl.haxx.se/ca/cacert.pem

I add all the certificates present in that file to a
OpenSSL::X509::Store instance.
Then I try to validate the certificate of www.github.com (which of
course is valid). But always get “invalid”

I would appreciate if somebody could check the code and explain me why
it does not work at all. To test it:

  • Get this tar.gz: http://public.aliax.net/ruby-ssl.tar.gz

  • Decompress it. You will get:

    • cacert.pem (CA Root Certificates from Mozilla)
    • github.crt (Github valid certificate)
    • check-cert.rb (the script)
  • Run: ./check-cert.rb github.crt

As you can see it fails to validate the certificate from Github. Could
somebody help me please?
Thanks a lot.

One thing to note is that the github.com cert you’ve provided isn’t
directly signed by a root CA. It is signed by an intermediate CA:
DigiCert High Assurance EV CA-1 (attached). That cert is in turn signed
by DigiCert High Assurance EV Root CA. When I run the attached cert
through your code I find it is valid.

2011/11/7 John D. [email protected]:

One thing to note is that the github.com cert you’ve provided isn’t directly
signed by a root CA. It is signed by an intermediate CA: DigiCert High
Assurance EV CA-1 (attached). That cert is in turn signed by DigiCert
High Assurance EV Root CA. When I run the attached cert through your code I
find it is valid.

Thanks John. But then I don’t fully understand how to make it work. I
expect that browsers use the list of root CAs as provided in
http://curl.haxx.se/ca/cacert.pem, am I wrong? Or do the browsers also
have another list of intermediate CAs?

What happens in this case (and you can see it by using Wireshark to watch
your traffic to github.com) is that the github server sends you both its
cert and the intermediary cert. Essentially what it is saying is: I am
valid, and here is another cert you’re probably going to need to prove that.

Depending on how you’re receiving these certificates, they should be
bundled with any intermediate CA certs you will need.
OpenSSL::X509::Store#verify takes a second parameter which is an array
representing the certificate chain. You will need to pass it an array of
OpenSSL::X509::Certificate representing all the intermediate CAs needed to
validate the first parameter.
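The chain handling John describes, as an added example that is not part of the original thread: it builds a constructed root, intermediate and leaf certificate in memory (the CA and host names are made up), trusts only the root, the way a Store loaded from cacert.pem would, and shows that Store#verify fails on the leaf alone but succeeds once the intermediate is passed as the chain argument.

```ruby
require 'openssl'

# Issue a certificate for +subject+ with public key from +key+, signed by
# issuer_key. When issuer_cert is nil the certificate is self-signed (a root).
def issue_cert(subject, key, issuer_cert, issuer_key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, needed for extensions
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed three-level chain: root -> intermediate -> leaf (hypothetical names).
def build_chain
  root_key  = OpenSSL::PKey::RSA.new(2048)
  inter_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key  = OpenSSL::PKey::RSA.new(2048)
  root  = issue_cert('/CN=Example Root CA', root_key, nil, nil, ca: true)
  inter = issue_cert('/CN=Example Intermediate CA', inter_key, root, root_key, ca: true)
  leaf  = issue_cert('/CN=www.example.test', leaf_key, inter, inter_key, ca: false)
  [root, inter, leaf]
end

# Returns [result without chain, result with chain, error string from the failure].
def verify_results
  root, inter, leaf = build_chain
  store = OpenSSL::X509::Store.new
  store.add_cert(root)                 # only the root is trusted, like cacert.pem
  without_chain = store.verify(leaf)   # false: issuer (intermediate) is unknown
  err_without   = store.error_string   # e.g. "unable to get local issuer certificate"
  with_chain    = store.verify(leaf, [inter]) # true: intermediate supplied as chain
  [without_chain, with_chain, err_without]
end

if __FILE__ == $PROGRAM_NAME
  without_chain, with_chain, err = verify_results
  puts "leaf alone: #{without_chain} (#{err}); leaf + intermediate: #{with_chain}"
end
```

In a real TLS connection the server sends the intermediate alongside its own cert (as John notes), so the peer_cert_chain from the socket is what you would pass as the second argument.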

2011/11/7 John D. [email protected]:

parameter.
Great, thanks a lot for the explanation.
