lostisland/faraday-net_http

Error on send Certificate array chain in ssl

SystemBack opened this issue · 6 comments

Basic Info

  • Faraday Version: 1.4
  • Ruby Version: 3.0.2

Issue description

I am trying to send the array of chain certificates in the SSL hash, but I get an error when sending the request. To be honest, I am not sure if Faraday, or the current version of Faraday, supports this SSL request.

Steps to reproduce

Create the Certificate array chain [OpenSSL::X509::Certificate, .... n]
Add in the SSL hash in the request

post = {...}
# SSL options handed to Faraday; client_cert is given the whole chain as an Array
ssl = {
  verify: true,
  client_cert: [cert_1, cert_2, cert_3],
  client_key: OpenSSL::PKey::RSA.new("Key_String")
}
headers = {
  'Content-Type': 'application/json'
}
url = "https://demo.com/test"

response = JSON.parse(Faraday.new(url, ssl: ssl).send(:put, url, post.to_json, headers).body)

Hi @EduardCerv 👋!
It seems like you're using the default adapter in your code, so that would be :net_http.
In that case, the value of client_cert is passed as-is to Net::HTTP (see https://github.com/lostisland/faraday-net_http/blob/main/lib/faraday/adapter/net_http.rb#L161).

What you're trying to do will only work if Net::HTTP supports cert to be an array.

Hi @iMacTia, I found a way to implement the array of certificates with Net::HTTP like this:

Net::HTTP.start(
  "demo.com",
  :use_ssl => true,
  :cert => root_cert,                                 # certificate presented by the client
  :extra_chain_cert => [intermediate_cert, store_cert], # remaining chain certificates
  :key => OpenSSL::PKey::RSA.new('string_key')        # private key matching :cert
) do |http|
  http.put("/test", post.to_json)
end

And it works. The problem is that when I tried to implement it in Faraday it throws this error: wrong argument type Array (expected OpenSSL/X509)

Aha, OK there's the issue then.
You are passing the root certificate as :cert, and the others as :extra_chain_cert.
But what the net_http adapter is doing is passing client_cert as cert to Net::HTTP, hence causing the error.
I don't see extra_chain_cert mentioned anywhere in the adapter, so I don't think this is possible, yet.

Two possible ways to fix this:

  1. Support an additional extra_chain_cert property for SSLOptions and manage that in Net::HTTP
  2. Make the net_http adapter smarter, so that when an array is passed as client_cert, the first value will be forwarded to Net::HTTP as cert, and the subsequent ones as extra_chain_cert.

I'd prefer option 2 as it would require only changes to Net::HTTP (where option 1 would require changes to Faraday as well).

I'm moving this issue over to the faraday-net_http repo 👍
@EduardCerv would you like to work on a PR that implements option 2 in https://github.com/lostisland/faraday-net_http?
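
Added example (not code from the thread or from faraday-net_http itself) of the option-2 mapping described above: a Faraday-style `ssl` hash is translated into the options `Net::HTTP.start` accepts, and an Array under `client_cert` is split into `:cert` (first element) plus `:extra_chain_cert` (the rest). The function name `net_http_ssl_options` and the `self_signed_cert` helper are assumptions made for this example; the helper only generates throwaway self-signed certificates so the mapping can be exercised offline.

```ruby
require 'openssl'

# Hypothetical helper: generate a throwaway self-signed certificate and its key
# so the example runs without any real PKI material.
def self_signed_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Hypothetical adapter-side mapping (option 2 from the thread): accept either a
# single OpenSSL::X509::Certificate or an Array of them under :client_cert.
# Net::HTTP only takes one OpenSSL::X509::Certificate for :cert, so an Array is
# split: the first element becomes :cert, the remainder :extra_chain_cert.
def net_http_ssl_options(ssl)
  opts = { use_ssl: true }
  opts[:key] = ssl[:client_key] if ssl[:client_key]

  case (certs = ssl[:client_cert])
  when nil
    # no client certificate configured; nothing to forward
  when OpenSSL::X509::Certificate
    opts[:cert] = certs
  when Array
    raise ArgumentError, 'client_cert array must not be empty' if certs.empty?
    certs.each do |c|
      next if c.is_a?(OpenSSL::X509::Certificate)
      raise TypeError, "client_cert entries must be OpenSSL::X509::Certificate, got #{c.class}"
    end
    leaf, *chain = certs
    opts[:cert] = leaf
    opts[:extra_chain_cert] = chain unless chain.empty?
  else
    raise TypeError, "client_cert must be a certificate or an array of certificates, got #{certs.class}"
  end

  opts
end

if __FILE__ == $PROGRAM_NAME
  leaf, key = self_signed_cert('leaf')
  intermediate, _ = self_signed_cert('intermediate')
  opts = net_http_ssl_options(client_cert: [leaf, intermediate], client_key: key)
  # opts can now be splatted into Net::HTTP.start("demo.com", **opts) { |http| ... }
  puts opts.transform_values { |v| v.is_a?(Array) ? v.map(&:class) : v.class }
end
```

Because the thread's original code put the root under `:cert`, note that this mapping simply trusts the caller's ordering: whatever comes first in the Array is what Net::HTTP presents as the client's own certificate, and the private key under `:client_key` has to match that element.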

Sure let me check the repo and try to make a fix as you suggested to me :D thanks @iMacTia

Is this issue still actual?

Suggested solution №2 sounds reasonable and easy to solve. I would be happy to figure out a solution if it is still actual.

I didn't bump into this issue myself, but I also haven't seen any PR addressing this.
So I suspect this is still not possible if someone wants to do it, and thus it is ready to be picked up if you'd like to give it a stab @aka-nez 🙌