1. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2010

    Client Certificate error on Mac OS X 10.6.4

    I've been trying to connect to a web service over https where the service requires the client to be authenticated using a server signed certificate (note the server's certificate is signed from a trusted root certification authority).

    The code below shows a sample that I used to test the communication (with some tweaks to hide my own details). The code works OK on Windows and Linux (kernel 2.6.x) systems, but fails on Mac OS X 10.6.4 with (Timeout::Error). When I traced the wire messages I found the error is due to encryption - the server responds with Encrypted Alert = decryption_failed(21) which, according to SSL/TLS protocol RFC2246 http://www.ietf.org/rfc/rfc2246.txt, is:
    A TLSCiphertext decrypted in an invalid way: either it wasn't an
    even multiple of the block length or its padding values, when
    checked, weren't correct. This message is always fatal.

    Does anyone know the cause of this error or how to fix it? Is this an error in the core Net:HTTPS and SSL core Ruby libraries specific to Mac OS X?

    require 'net/http'
    require 'openssl'
    require 'uri'

    cer_file = File.dirname(__FILE__) + '/cert.pem'
    key_file = File.dirname(__FILE__) + '/key.pem'
    cert = File.read(cer_file)
    key = File.read(key_file)
    uri = URI.parse("https://myservice.com/servicestatus")
    http = Net::HTTP.new(uri.host, uri.port)
    http.open_timeout = 5
    http.read_timeout = 5
    http.use_ssl = (uri.scheme == "https")
    # VERIFY_NONE turns off verification of the server's certificate
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    # Client certificate and private key presented to the server
    http.cert = OpenSSL::X509::Certificate.new(cert)
    http.key = OpenSSL::PKey::RSA.new(key)
    http.verify_callback = Proc.new { |preverify_ok, _store_ctx|
    	puts "===> in verify_callback -- #{Time.now}"
    	preverify_ok
    }
    request = Net::HTTP::Post.new(uri.request_uri)
    # The SOAP envelope is cut off after its opening tag in the post
    request.body =
    	'<?xml version="1.0" encoding="UTF-8"?>
    	<env:Envelope xmlns:wsdl="http://myservice.com/ws/protocol" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    	</env:Envelope>'
    resp = http.request(request)
    puts "response => #{resp.inspect}"

    Note the same code (and same certificate and key files) works on Windows and Linux but not Mac OSX.
    I tried on the Mac with Ruby 1.8.6 and 1.8.7.
  2. #2
  3. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2011

    I have a very similar issue that I traced back to OS X's stock curl library. I am using client certificates to connect to a webservice over SOAP and REST, and had this service break with an OS X update over a year ago. I was able to resolve the issue by installing MacPorts' version of curl. However, I really don't like having to do that and was hoping you had found a solution?

  4. #3
  5. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2010

    Hi David,

    About a week or so after posting this, everything started working as if there had never been a problem. The only thing I did was install an OS X update Friday afternoon; then Monday morning I discovered it was working. Since then I forgot about this issue.

    I haven't found what was causing this.
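
A pre-flight check that helps separate a credential problem from a platform SSL library difference like the one discussed in this thread, as an added example that is not part of the thread or any poster's code: it reports the OpenSSL build Ruby is running against, confirms the key matches the certificate, and builds the connection with server verification left on. The helper names (`client_cert_report`, `build_mtls_client`, `sample_pair`) and the self-signed pair are constructed for illustration.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Facts worth comparing between a machine where the call works and one where
# it fails: the OpenSSL Ruby was built against, the one loaded at runtime,
# and whether the certificate/key pair itself is sound.
def client_cert_report(cert, key, now = Time.now)
  {
    openssl_built:  OpenSSL::OPENSSL_VERSION,
    openssl_loaded: OpenSSL::OPENSSL_LIBRARY_VERSION,
    key_matches:    cert.check_private_key(key),
    in_validity:    (cert.not_before..cert.not_after).cover?(now),
    subject:        cert.subject.to_s
  }
end

# Same Net::HTTP setup as a client-certificate call, but with the server's
# certificate verified (VERIFY_PEER) instead of VERIFY_NONE.
def build_mtls_client(uri, cert, key, ca_file = nil)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file if ca_file # otherwise the default trust store
  http.cert = cert
  http.key = key
  http.open_timeout = 5
  http.read_timeout = 5
  http
end

# Constructed sample input: a throwaway self-signed pair, so this runs offline.
def sample_pair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example-client')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

if __FILE__ == $PROGRAM_NAME
  cert, key = sample_pair
  p client_cert_report(cert, key)
end
```

With real credentials, load `cert.pem` and `key.pem` in place of `sample_pair` and compare the report from a working host with the one from the failing host.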
