SSL Client Certificate error on Mac OS X 10.6.4

katrash · August 9, 2010, 11:46pm

Client Certificate error on Mac OS X 10.6.4

I’ve been trying to connect to a web service over https where the
service requires the client to be authenticated using a server signed
certificate (note the server’s certificate is signed from a trusted root
certification authority).

The code below shows a sample that I used to test the communication
(with some tweak to hide my own details). The code works OK on Windows
and Linux (kernel 2.6.x) systems, but fails on Mac OS X 10.6.4 with
(Timeout::Error). When I traced the wire messages I found the error is
due to encryption - the server responds with Encrypted Alert =
decryption_failed(21) which, acording to SSL/TLS proocol RFC2246
http://www.ietf.org/rfc/rfc2246.txt, is:
A TLSCiphertext decrypted in an invalid way: either it wasnt an even multiple of the block length or its padding values, when checked, werent correct. This message is always fatal.

Does anyone know the cause of this error or how to fix it? Is this an
error in the core Net:HTTPS and SSL core Ruby libraries specific to Mac
OS X?

cer_file = File.dirname(__FILE__) + '/cert.pem'
key_file = File.dirname(__FILE__) + '/key.pem'

cert = File.read(cer_file)
key = File.read(key_file)

uri = URI.parse("https://myservice.com/servicestatus")
http = Net::HTTP.new(uri.host, uri.port)
http.open_timeout = 5
http.read_timeout = 5

http.use_ssl = (uri.scheme == "https")
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.cert = OpenSSL::X509::Certificate.new(cert)
http.key = OpenSSL::PKey::RSA.new(key)

http.verify_callback = Proc.new {
  puts "===> in verify_callback -- #{Time.now}"
  true
}

request = Net::HTTP::Post.new(uri.request_uri)

request.body =
  '<?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:wsdl="http://myservice.com/ws/protocol"
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <env:Body>
      <wsdl:NodesListRequest>
      <AppID>MyAPP</AppID>
      <Timestamp>2010-01-01T00:00:00</Timestamp>
      </wsdl:NodesListRequest>
    </env:Body>
  </env:Envelope>'

resp = http.request(request)
puts "response => #{resp.inspect}"

Note the same code (and same certificate and key files) works on Windows
and Linux but not Mac OSX.
I tried on the Mac with Ruby 1.8.6 and 1.8.7.

katrash · January 27, 2011, 2:27pm

Hi George,

Have you found a solution for this problem? I’m struggling with this for
2 days already.

10x in advance for any help.

Stan.

katrash · January 27, 2011, 3:41pm

Hi Stan,

After posting this by about a week or so, everything started working as
if has never been. The only thing I did was installing an OS X update
Friday afternoon then Monday morning I discovered it was working. Since
then I forgot about this issue.

George

katrash · January 27, 2011, 4:53pm

Hm, I’m fighting with this now! Mac OS X 10.6.6

I’ll hope to disappear here too

Anyway, 10x for your time!

katrash · January 27, 2011, 9:29pm

Stan, here is a sample standalone file that might be helpful to you in
testing. You have to put your own certificate and key files where
specified, substitute the URL string, and the XML message to send. Try
with both VERIFY_PEER and
VERIFY_NONE. Here is the code which I hope might be useful to you

#!/usr/bin/env ruby
require "uri"
require "net/https"

cer_file = File.dirname(__FILE__) + '/cer.pem'
key_file = File.dirname(__FILE__) + '/key.pem'
url_str = 'https://www.myservice.com/service_path/service_method'

pem = File.read(cer_file)
key = File.read(key_file)

uri = URI.parse(url_str)
http = Net::HTTP.new(uri.host, uri.port)
http.open_timeout = 3
http.read_timeout = 5

http.use_ssl = (uri.scheme == "https")  # enable SSL/TLS
http.verify_mode = OpenSSL::SSL::VERIFY_PEER #also try VERIFY_NONE
http.cert = OpenSSL::X509::Certificate.new(pem)
http.key = OpenSSL::PKey::RSA.new(key)

http.verify_callback = Proc.new {
  puts "===> in verify_callback -- #{Time.now}"
  true
}
request = Net::HTTP::Post.new(uri.request_uri)

request.body =
  '<?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:wsdl="http://tempuri.com/"
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <env:Body>
      <wsdl:TransactionRequest>
      <Var1>MyName</Var1>
      <VarTimestamp>2000-01-01T00:00:00</VarTimestamp>
      </wsdl:TransactionRequest>
    </env:Body>
  </env:Envelope>'

#request.headers["Content-Type"] = "text/xml"
resp = http.request(request)
puts "response => #{resp.inspect}"

BTW, I tested this code on Windows 7, Mac OS X 10.6.4/5/6, and Linux
virtual machine and it worked on all of them.