Client Certificate error on Mac OS X 10.6.4
I’ve been trying to connect to a web service over https where the
service requires the client to be authenticated using a server signed
certificate (note the server’s certificate is signed from a trusted root
certification authority).
The code below shows a sample that I used to test the communication
(with some tweak to hide my own details). The code works OK on Windows
and Linux (kernel 2.6.x) systems, but fails on Mac OS X 10.6.4 with
(Timeout::Error). When I traced the wire messages I found the error is
due to encryption - the server responds with Encrypted Alert =
decryption_failed(21) which, acording to SSL/TLS proocol RFC2246
http://www.ietf.org/rfc/rfc2246.txt, is:
A TLSCiphertext decrypted in an invalid way: either it wasnt an even multiple of the block length or its padding values, when checked, weren
t correct. This message is always fatal.
Does anyone know the cause of this error or how to fix it? Is this an
error in the core Net:HTTPS and SSL core Ruby libraries specific to Mac
OS X?
cer_file = File.dirname(__FILE__) + '/cert.pem'
key_file = File.dirname(__FILE__) + '/key.pem'
cert = File.read(cer_file)
key = File.read(key_file)
uri = URI.parse("https://myservice.com/servicestatus")
http = Net::HTTP.new(uri.host, uri.port)
http.open_timeout = 5
http.read_timeout = 5
http.use_ssl = (uri.scheme == "https")
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.cert = OpenSSL::X509::Certificate.new(cert)
http.key = OpenSSL::PKey::RSA.new(key)
http.verify_callback = Proc.new {
puts "===> in verify_callback -- #{Time.now}"
true
}
request = Net::HTTP::Post.new(uri.request_uri)
request.body =
'<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:wsdl="http://myservice.com/ws/protocol"
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<wsdl:NodesListRequest>
<AppID>MyAPP</AppID>
<Timestamp>2010-01-01T00:00:00</Timestamp>
</wsdl:NodesListRequest>
</env:Body>
</env:Envelope>'
resp = http.request(request)
puts "response => #{resp.inspect}"
Note the same code (and same certificate and key files) works on Windows
and Linux but not Mac OSX.
I tried on the Mac with Ruby 1.8.6 and 1.8.7.