Issue #14630 has been reported by paul_coppinger (Paul Coppinger).

----------------------------------------
Bug #14630: Uncaught exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed (error number 1)
https://bugs.ruby-lang.org/issues/14630

* Author: paul_coppinger (Paul Coppinger)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.5.0p0 (2017-12-25 revision 61468) [x86_64-darwin17]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
I'm attempting to connect to a server with verify_mode = OpenSSL::SSL::VERIFY_PEER. It fails with the error:

    Uncaught exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed (error number 1)
        /usr/local/Cellar/ruby/2.5.0_2/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock'
        /usr/local/Cellar/ruby/2.5.0_2/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
        /usr/local/Cellar/ruby/2.5.0_2/lib/ruby/2.5.0/net/http.rb:981:in `connect'
        /usr/local/Cellar/ruby/2.5.0_2/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
        /usr/local/Cellar/ruby/2.5.0_2/lib/ruby/2.5.0/net/http.rb:909:in `start'
        /usr/local/Cellar/ruby/2.5.0_2/lib/ruby/2.5.0/net/http.rb:609:in `start'
        /Users/pc/work/unipagos/node/test/tester.rb:93:in `request'
        /Users/pc/work/unipagos/node/test/unipagos_tester.rb:79:in `authenticate_user'
        /Users/pc/work/unipagos/node/test/authenticate.rb:111:in `<top (required)>'

The strange thing is that if I attempt to verify the certificates directly, there is no problem.

This is a two-level PKI with a root CA (root.pem) that has two sub-CAs. One sub-CA (admin.pem) is used to issue server certificates and the other sub-CA (user.pem) is used to issue user certificates (such as mobile.pem). I have included the PEM files for all four certificates.

Here's the code to set up the options for the connection:

    store = OpenSSL::X509::Store.new
    store.add_cert(OpenSSL::X509::Certificate.new(File.read('./root.pem')))
    store.add_cert(OpenSSL::X509::Certificate.new(File.read('./admin.pem')))
    store.add_cert(OpenSSL::X509::Certificate.new(File.read('./user.pem')))
    @options = {
        use_ssl: true,
        ssl_version: :TLSv1_2,
        verify_mode: OpenSSL::SSL::VERIFY_PEER,
        store: store,
        keep_alive_timeout: 30,
        cert: config[:cert].nil? ? nil : OpenSSL::X509::Certificate.new(File.read(config[:cert])),
        key: config[:key].nil? ? nil : OpenSSL::PKey::EC.new(File.read(config[:key]))
    }
    result = store.verify(@options[:cert])
    puts result
    result = store.verify(OpenSSL::X509::Certificate.new(File.read('./mobile.pem')))
    puts result

The output of the above is:

    true
    true

However, I get the above error when I try to connect to the server (identified by mobile.pem) as follows:

    req = Net::HTTP::Get.new(uri, headers)
    res = Net::HTTP::start(req.uri.hostname, req.uri.port, @options) do |http|
        http.request(req)
    end

Any ideas?


---Files--------------------------------
admin.pem (835 Bytes)
mobile.pem (955 Bytes)
root.pem (782 Bytes)
user.pem (830 Bytes)
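As an added example (not from the report or its attachments), the script below builds a throwaway two-level PKI in memory, with a leaf certificate marked for client authentication only, and runs `Store#verify` twice: once with no purpose set, as in the report, and once with `OpenSSL::X509::PURPOSE_SSL_SERVER`, the purpose OpenSSL applies when a TLS client checks a server certificate. It also reads back `Store#error` and `Store#error_string`, which the handshake exception message does not show; all names and extensions are constructed for the example.

```ruby
require 'openssl'

# Build an X.509 certificate for a constructed test PKI (not the report's PEMs).
# Self-signed when issuer_cert is nil; otherwise signed by issuer_key.
def make_cert(cn, key, issuer_cert, issuer_key, extensions)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  extensions.each { |oid, val| cert.add_extension(ef.create_extension(oid, val, true)) }
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

CA_EXTS = [['basicConstraints', 'CA:TRUE'], ['keyUsage', 'keyCertSign,cRLSign']].freeze

root_key, user_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT    = make_cert('Test Root CA', root_key, nil, nil, CA_EXTS)
USER_CA = make_cert('Test User CA', user_key, ROOT, root_key, CA_EXTS)
# A user-style end-entity cert: client authentication only, no serverAuth EKU.
LEAF    = make_cert('mobile', leaf_key, USER_CA, user_key,
                    [['basicConstraints', 'CA:FALSE'],
                     ['keyUsage', 'digitalSignature'],
                     ['extendedKeyUsage', 'clientAuth']])

# Verify cert against the trusted CAs, optionally with a purpose set.
# Returns [ok, error_code, error_string] so the reason for a failure is visible.
def check(cert, trusted, purpose: nil)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  store.purpose = purpose if purpose
  ok = store.verify(cert)
  [ok, store.error, store.error_string]
end

if $PROGRAM_NAME == __FILE__
  p check(LEAF, [ROOT, USER_CA])   # no purpose, as in the report's store.verify
  p check(LEAF, [ROOT, USER_CA], purpose: OpenSSL::X509::PURPOSE_SSL_SERVER)
end
```

The first call passes while the second fails with `V_ERR_INVALID_PURPOSE`, so the same store accepts a certificate in isolation that it rejects once the server purpose is applied.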


-- 
https://bugs.ruby-lang.org/
