Clobber Windows Ruby HTTPS connectivity issues with the new Net::HTTP SSL Fix gem
April 12, 2016 · Chris Peters
My new little Ruby gem with a fix for HTTP connectivity via the Net::HTTP library.
From the Net::HTTP
SSL Fix Ruby gem’s README:
No more / (╯°□°)╯︵ ┻━┻!
But you probably want a more detailed description of the gem’s purpose, so here it is:
A Community-updated
Net::HTTP
certificate authority file hack. Very useful for authoring Ruby-based HTTP clients that must run on Windows.
Ruby development on Windows is not so peachy
While writing a Ruby-based CLI that needed to install and run properly on Windows, so I started the process of actually building it on a Windows 7 VM.
I’ve been calling this process “developing for the lowest common denominator” because Ruby isn’t traditionally a very Windows-friendly scripting environment.
Looks like I'll be developing a couple gems on Windows. #LowestCommonDenominator
— Chris Peters (@chrisdpeters) January 28, 2016
All was well in this new Windowsy adventure until I tried to start making calls to Amazon S3’s API over the HTTPS protocol. That yields this awesome error:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
As it turns out, the installers for Ruby on Windows are missing a CA file, thus
breaking Net::HTTP
calls over HTTPS.
Google searches return a couple common (and awful) solutions to this problem:
- Disabling peer verification, thus opening up possible man-in-the-middle attacks.
- Downloading a CA certificate file, placing it in a folder, and
configuring an environment variable named
SSL_CERT_FILE
to register it within Ruby.
The 2nd solution listed above is better than the first and a good one in many
scenarios, but I don’t want for users of the CLI to need to go through that
extra step. Also, I don’t have the time right now to build an installer that
does it for them. I just want for the gem to work after running gem install
my_cli
, no matter what OS you’re on.
The solution: a new Ruby gem called net_http_ssl_fix
After looking at some other Ruby-based CLIs built to run on Windows, like Heroku’s CLI, I noticed a trend where the Ruby gems needed to include a certificate authority file if they needed to make any HTTP calls over HTTPS.
I initially started including a CA file with the liveeditor_cli
gem, along
with a clever monkey patch for Net::HTTP
. The hack also forces SSL calls
via Net::HTTP
to verify the peer. Those seeking security shall find it.
I felt that this hack was so useful that it would serve well as a separate gem,
hence a new net_http_ssl_fix
Ruby gem. Use it if you want for SSL to
just work in your Ruby-based HTTP clients, and especially use it if your
client must run reliably on Windows.
The main trade-off (and isn’t there always a trade-off?) is that after you install this gem, you are relying on it to provide an up-to-date certificate authority file. Because of this, I will be monitoring the cURL certificate authority file and will update the gem each time the CA file is updated. Because the gem is open source, the community can continue to maintain it if at some point I am no longer able.
Go ahead and checkout the net_http_ssl_fix
repo on GitHub for source
code, installation instructions, and more. I hope that it helps you out in your
projects.