Clobber Windows Ruby HTTPS connectivity issues with the new Net::HTTP SSL Fix gem
Net::HTTP SSL Fix Ruby gem’s README:
No more / (╯°□°）╯︵ ┻━┻!
But you probably want a more detailed description of the gem’s purpose, so here it is:
Net::HTTPcertificate authority file hack. Very useful for authoring Ruby-based HTTP clients that must run on Windows.
Ruby development on Windows is not so peachy
While writing a Ruby-based CLI that needed to install and run properly on Windows, so I started the process of actually building it on a Windows 7 VM.
I’ve been calling this process “developing for the lowest common denominator” because Ruby isn’t traditionally a very Windows-friendly scripting environment.
Looks like I'll be developing a couple gems on Windows. #LowestCommonDenominator
— Chris Peters (@chrisdpeters) January 28, 2016
All was well in this new Windowsy adventure until I tried to start making calls to Amazon S3’s API over the HTTPS protocol. That yields this awesome error:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
As it turns out, the installers for Ruby on Windows are missing a CA file, thus breaking
Net::HTTP calls over HTTPS.
Google searches return a couple common (and awful) solutions to this problem:
- Disabling peer verification, thus opening up possible man-in-the-middle attacks.
- Downloading a CA certificate file, placing it in a folder, and configuring an environment variable named
SSL_CERT_FILEto register it within Ruby.
The 2nd solution listed above is better than the first and a good one in many scenarios, but I don’t want for users of the CLI to need to go through that extra step. Also, I don’t have the time right now to build an installer that does it for them. I just want for the gem to work after running
gem install my_cli, no matter what OS you’re on.
The solution: a new Ruby gem called
After looking at some other Ruby-based CLIs built to run on Windows, like Heroku’s CLI, I noticed a trend where the Ruby gems needed to include a certificate authority file if they needed to make any HTTP calls over HTTPS.
I initially started including a CA file with the
liveeditor_cli gem, along with a clever monkey patch for
Net::HTTP. The hack also forces SSL calls via
Net::HTTP to verify the peer. Those seeking security shall find it.
I felt that this hack was so useful that it would serve well as a separate gem, hence a new
net_http_ssl_fix Ruby gem. Use it if you want for SSL to just work in your Ruby-based HTTP clients, and especially use it if your client must run reliably on Windows.
The main trade-off (and isn’t there always a trade-off?) is that after you install this gem, you are relying on it to provide an up-to-date certificate authority file. Because of this, I will be monitoring the cURL certificate authority file and will update the gem each time the CA file is updated. Because the gem is open source, the community can continue to maintain it if at some point I am no longer able.
Go ahead and checkout the
net_http_ssl_fix repo on GitHub for source code, installation instructions, and more. I hope that it helps you out in your projects.