Yoshihisa Sugano
2017-04-18 00:58:13 UTC
This is Sugano.
I have an environment on a Sakura rental server where I installed ruby 2.4.1 with rbenv and am using it.
When I try to make an https connection in this environment, I get an SSL-related error and cannot connect (the error messages are at the end).
The cause is that no certificate exists at the path that OpenSSL::X509::DEFAULT_CERT_FILE points to.
```
irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> p OpenSSL::X509::DEFAULT_CERT_FILE
"/etc/ssl/cert.pem"
=> "/etc/ssl/cert.pem"
```
```
$ ls -l /etc/ssl
total 12
-rw-r--r-- 1 root wheel 9483 Dec 4 2012 openssl.cnf
```
Because this is a rental server, I cannot place certificates in /etc/ssl. I would like to somehow override OpenSSL::X509::DEFAULT_CERT_FILE.
The documentation says it can be overridden with the environment variable that OpenSSL::X509::DEFAULT_CERT_FILE_ENV points to, so I looked in irb and got the string SSL_CERT_FILE.
So I tried setting the environment variable SSL_CERT_FILE to the path of a certificate under my own home directory, but OpenSSL::X509::DEFAULT_CERT_FILE does not change. The SSL connection error does not change either. Is it possible that this does not work depending on the build environment or similar?
I thought it would be solved if I could specify OpenSSL::X509::DEFAULT_CERT_FILE at build time, but looking through the build options I could not find a way to do it.
I suspect it is set at line 182 of ext/openssl/ossl_x509.c:
```
DefX509Default(CERT_FILE, cert_file);
```
Is there some way to override OpenSSL::X509::DEFAULT_CERT_FILE, either at build time or at run time?
The errors are as follows.
When using net/https:
```
/home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock': Connection reset by peer - SSL_connect (Errno::ECONNRESET)
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `ssl_socket_connect'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:948:in `connect'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:876:in `start'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:1407:in `request'
        from ./myscript.rb:52:in `<main>'
```
When using open-uri, it looks like this:
```
irb(main):006:0> open('https://www.google.com/')
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:44:in `ssl_socket_connect'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:948:in `connect'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:876:in `start'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:323:in `open_http'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:741:in `buffer_open'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:212:in `block in open_loop'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:210:in `catch'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:210:in `open_loop'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:151:in `open_uri'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:721:in `open'
        from /home/XXXXXX/.rbenv/versions/2.4.1/lib/ruby/2.4.0/open-uri.rb:35:in `open'
        from (irb):6
        from /home/XXXXXX/.rbenv/versions/2.4.1/bin/irb:11:in `<main>'
```
--
Sugano Yoshihisa(E) <mailto:***@foxking.org>
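Added example, not part of the original post: OpenSSL::X509::DEFAULT_CERT_FILE holds the path compiled into the OpenSSL library and is not re-read from the environment, so a user without write access to /etc/ssl can instead pass a bundle under the home directory to the client explicitly while leaving peer verification on. The helper names (`resolve_ca_file`, `https_client`, `make_cert`, `verify_with`) are hypothetical, and the certificates are constructed in-process so the check runs offline.

```ruby
require 'openssl'
require 'net/http'

# Choose the CA bundle at run time: the variable named by DEFAULT_CERT_FILE_ENV
# (SSL_CERT_FILE) wins, then the compiled-in DEFAULT_CERT_FILE; fail loudly otherwise.
def resolve_ca_file(env = ENV)
  candidates = [env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV], OpenSSL::X509::DEFAULT_CERT_FILE]
  candidates.compact.find { |p| File.file?(p) && File.readable?(p) } ||
    raise(ArgumentError, 'no readable CA bundle; set SSL_CERT_FILE or pass a path')
end

# Net::HTTP client that trusts only the given bundle; VERIFY_PEER is never relaxed.
def https_client(host, ca_file, port = 443)
  Net::HTTP.new(host, port).tap do |http|
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = ca_file
  end
end

# Constructed test certificate; issuer nil produces a self-signed certificate.
def make_cert(cn, key, issuer = nil, issuer_key = key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Verify a leaf against a store loaded from ca_file (nil = empty store, which is
# what a missing /etc/ssl/cert.pem amounts to). Returns [ok, error_string].
def verify_with(ca_file, leaf)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file) if ca_file
  [store.verify(leaf), store.error_string]
end
```

With open-uri the same bundle can be supplied through its `ssl_ca_cert` option.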