Error on send Certificate array chain in ssl
SystemBack opened this issue · 6 comments
Basic Info
- Faraday Version: 1.4
- Ruby Version: 3.0.2
Issue description
I am trying to send the array of chain certificates in the SSL hash, but I get an error when sending the request. To be honest, I am not sure whether Faraday, or the current version of Faraday, supports this SSL request.
Steps to reproduce
1. Create the certificate array chain `[OpenSSL::X509::Certificate, .... n]`
2. Add it to the SSL hash of the request:

```ruby
post = {...}
ssl = {
  verify: true,
  client_cert: [cert_1, cert_2, cert_3],
  client_key: OpenSSL::PKey::RSA.new("Key_String")
}
headers = {
  'Content-Type': 'application/json'
}
url = "https://demo.com/test"
response = JSON.parse(Faraday.new(url, ssl: ssl).send(:put, url, post.to_json, headers).body)
```
Hi @EduardCerv!
It seems like you're using the default adapter in your code, so that would be `:net_http`.
In that case, the value of `client_cert` is passed as-is to `Net::HTTP` (see https://github.com/lostisland/faraday-net_http/blob/main/lib/faraday/adapter/net_http.rb#L161).
What you're trying to do will only work if `Net::HTTP` supports `cert` to be an array.
Hi @iMacTia, I found a way to implement the array of certificates with `Net::HTTP` like this:

```ruby
Net::HTTP.start(
  "demo.com",
  :use_ssl => true,
  :cert => root_cert,
  :extra_chain_cert => [intermediate_cert, store_cert],
  :key => OpenSSL::PKey::RSA.new('string_key')
) do |http|
  http.put("/test", post.to_json)
end
```

And it works. The problem here is that when I tried to implement it in Faraday it throws this error: `wrong argument type Array (expected OpenSSL/X509)`
Aha, OK there's the issue then.
You are passing the root certificate as `:cert`, and the others as `:extra_chain_cert`.
But what the `net_http` adapter is doing is passing `client_cert` as `cert` to `Net::HTTP`, hence causing the error.
I don't see `extra_chain_cert` mentioned anywhere in the adapter, so I don't think this is possible, yet.
Two possible ways to fix this:
- Support an additional `extra_chain_cert` property for `SSLOptions` and manage that in `Net::HTTP`
- Make the `net_http` adapter smarter, so that when an array is passed as `client_cert`, the first value will be forwarded to `Net::HTTP` as `cert`, and the subsequent ones as `extra_chain_cert`.
I'd prefer option 2 as it would require only changes to `Net::HTTP` (where option 1 would require changes to Faraday as well).
I'm moving this issue over to the `faraday-net_http` repo
@EduardCerv would you like to work on a PR that implements option 2 in https://github.com/lostisland/faraday-net_http?
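To make option 2 concrete, here is an added example (not code from faraday-net_http or from anyone in this thread) of a hypothetical helper, `net_http_ssl_options`, that maps a Faraday-style `ssl` hash onto the options `Net::HTTP.start` accepts, splitting an Array `client_cert` into `cert` plus `extra_chain_cert`. The `self_signed_cert` fixture is constructed only so the example runs offline.

```ruby
require 'openssl'

# Hypothetical helper (added example, not the adapter's code): translate a
# Faraday-style SSL hash into Net::HTTP.start options. An Array under
# :client_cert becomes :cert (first element, the leaf) plus
# :extra_chain_cert (the remaining intermediates), which is "option 2" above.
def net_http_ssl_options(ssl)
  certs = Array(ssl[:client_cert])
  certs.each do |c|
    next if c.is_a?(OpenSSL::X509::Certificate)
    raise TypeError, "client_cert entries must be OpenSSL::X509::Certificate, got #{c.class}"
  end

  opts = {
    use_ssl: true,
    # Faraday's verify: true/false maps onto OpenSSL's verify_mode; keep peer
    # verification on unless the caller explicitly disables it.
    verify_mode: ssl.fetch(:verify, true) ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  }
  opts[:cert] = certs.first unless certs.empty?
  opts[:extra_chain_cert] = certs.drop(1) if certs.size > 1
  opts[:key] = ssl[:client_key] if ssl[:client_key]
  opts
end

# Constructed fixture: a throwaway self-signed certificate so the example runs
# without real PEM files. Chain order matters in practice: leaf first.
def self_signed_cert(common_name, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  chain = %w[leaf intermediate root].map { |n| self_signed_cert(n, key) }
  opts = net_http_ssl_options(verify: true, client_cert: chain, client_key: key)
  puts "cert=#{opts[:cert].subject} extra_chain_cert=#{opts[:extra_chain_cert].map(&:subject).join(', ')}"
end
```

The resulting hash can be splatted straight into `Net::HTTP.start(host, port, **opts)`; a non-certificate entry in the array fails early with a `TypeError` instead of the confusing "wrong argument type Array" reported above.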
Sure let me check the repo and try to make a fix as you suggested to me :D thanks @iMacTia
Is this issue still actual?
Suggested solution #2 sounds reasonable and easy to solve. I would be happy to figure out a solution if it is still actual.