Client Certificate error on Mac OS X 10.6.4

Dev Shed Forums Sponsor:

August 6th, 2010, 04:49 PM

katrash

Registered User

Join Date: Aug 2010

Posts: 2

Time spent in forums: 35 m 22 sec
Reputation Power: 0

Client Certificate error on Mac OS X 10.6.4

I've been trying to connect to a web service over https where the service requires the client to be authenticated using a server signed certificate (note the server's certificate is signed from a trusted root certification authority).

The code below shows a sample that I used to test the communication (with some tweak to hide my own details). The code works OK on Windows and Linux (kernel 2.6.x) systems, but fails on Mac OS X 10.6.4 with (Timeout::Error). When I traced the wire messages I found the error is due to encryption - the server responds with Encrypted Alert = decryption_failed(21) which, acording to SSL/TLS proocol RFC2246 http://www.ietf.org/rfc/rfc2246.txt, is:
A TLSCiphertext decrypted in an invalid way: either it wasn`t an
even multiple of the block length or its padding values, when
checked, weren`t correct. This message is always fatal.

Does anyone know the cause of this error or how to fix it? Is this an error in the core Net:HTTPS and SSL core Ruby libraries specific to Mac OS X?

Code:

cer_file = File.dirname(__FILE__) + '/cert.pem'
key_file = File.dirname(__FILE__) + '/key.pem'

cert = File.read(cer_file)
key = File.read(key_file)

uri = URI.parse("https://myservice.com/servicestatus")
http = Net::HTTP.new(uri.host, uri.port)
http.open_timeout = 5
http.read_timeout = 5

http.use_ssl = (uri.scheme == "https")
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.cert = OpenSSL::X509::Certificate.new(cert)
http.key = OpenSSL::PKey::RSA.new(key)

http.verify_callback = Proc.new {
	puts "===> in verify_callback -- #{Time.now}"
	true
}

request = Net::HTTP::Post.new(uri.request_uri)

request.body = 
	'<?xml version="1.0" encoding="UTF-8"?>
	<env:Envelope xmlns:wsdl="http://myservice.com/ws/protocol" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
		<env:Body>
		  <wsdl:NodesListRequest>
			<AppID>MyAPP</AppID>
			<Timestamp>2010-01-01T00:00:00</Timestamp>
		  </wsdl:NodesListRequest>
		</env:Body>
	</env:Envelope>'

resp = http.request(request)
puts "response => #{resp.inspect}"

Note the same code (and same certificate and key files) works on Windows and Linux but not Mac OSX.
I tried on the Mac with Ruby 1.8.6 and 1.8.7.

March 18th, 2011, 01:36 PM

dearlbry

Registered User

Join Date: Mar 2011

Posts: 1

Time spent in forums: 18 m 51 sec
Reputation Power: 0

katrash,

I have a very similar issue that I traced back to OS X's stock curl library. I am using client certificates to connect to a webservice over SOAP and REST, and had this service break with an OS X update over a year ago. I was able to resolve the issue by installing macport's version of curl. However, I really don't like having to do that and was hoping you had found a solution?

David

March 19th, 2011, 01:10 AM

katrash

Registered User

Join Date: Aug 2010

Posts: 2

Time spent in forums: 35 m 22 sec
Reputation Power: 0

Hi David,

After posting this by about a week or so, everything started working as if has never been. The only thing I did was installing an OS X update Friday afternoon then Monday morning I discovered it was working. Since then I forgot about this issue.

I haven't found what was causing this.

Client Certificate error on Mac OS X 10.6.4

Developer Shed Advertisers and Affiliates