jamesgolick / always_verify_ssl_certificates

Ruby's net/http is set up to never verify SSL certificates by default, and most Ruby libraries do the same. That means you are not verifying the identity of the server you are communicating with and are therefore exposed to man-in-the-middle attacks. This gem monkey-patches net/http to force certificate verification and make turning it off impossible.
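As an added illustration of what the description above means in practice (example code written for this page, not the gem's own implementation): a Net::HTTP client that verifies the peer, a check for whether a client is configured to verify, and a prepended guard that refuses VERIFY_NONE while leaving plain, non-TLS connections untouched. The names VerifyAlways, verifying_http and verifies_peer? are assumptions of this example.

```ruby
require 'net/http'
require 'openssl'

# Added example, not the gem's code. Enforces certificate verification on
# Net::HTTP without affecting connections that never use TLS.
module VerifyAlways
  # Refuse any attempt to turn verification off; other modes pass through.
  def verify_mode=(mode)
    if mode == OpenSSL::SSL::VERIFY_NONE
      raise ArgumentError, 'refusing to disable certificate verification'
    end
    super
  end

  private

  # Net::HTTP builds its SSLContext inside #connect. Only force VERIFY_PEER
  # when TLS is actually in use, so plain HTTP keeps working unchanged.
  def connect
    self.verify_mode = OpenSSL::SSL::VERIFY_PEER if use_ssl? && verify_mode.nil?
    super
  end
end

Net::HTTP.prepend(VerifyAlways)

# Build a client that verifies the server certificate. ca_file is optional:
# point it at a CA bundle (for example curl's cacert.pem) when the system
# trust store is empty or unavailable.
def verifying_http(host, port = 443, ca_file = nil)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file if ca_file
  http
end

# True only when the client uses TLS and is configured to verify the peer.
def verifies_peer?(http)
  http.use_ssl? && http.verify_mode == OpenSSL::SSL::VERIFY_PEER
end
```

Nothing here connects to the network; the guard fires as soon as any code path tries to set VERIFY_NONE on a Net::HTTP instance.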

License: MIT License

Ruby 100.00%

always_verify_ssl_certificates's People

Contributors

indirect, jaggederest, jamesgolick

always_verify_ssl_certificates's Issues

What happens when VERIFY_PEER is turned on and there are DNS issues?

Historically, using Net::HTTP (and thus TCPSocket.open) on a hostname as opposed to an IP address causes it to look up the address using gethostbyname, which is a blocking system call. If DNS is down, that system call blocks for $a_long_time, Timeout fails to interrupt it since it's using green threads to set the timeout, and your app is down until the system call shakes off the hangover.

The way to work around that has been to use Resolv to cache the IP, and feed Net::HTTP that rather than a hostname, since Resolv is theoretically nonblocking. This obviously breaks the certificate verification process, since you're passing in an IP and I'm not aware of anyone getting a cert for their IP address (that of course breaking for anyone using proper verification).

I don't have a solution for these issues, but I'm curious what you think about it - is it possible to fix Net::HTTP to a) always verify AND b) not block forever-ish on broken DNS? If it is, I'd be happy to work on a patch to address that issue. If it's not actually an issue, I'd be interested in that, too.

OpenSSL::SSL::SSLContext expected

Hi James

I've had a problem with SSL using gtranslate-two (on GitHub) with JRuby.

Anyway I get the same issue with Ruby 1.9 too and while I expect the problem is some place between gtranslate-two and the HTTP.rb module, there's little in the way of diagnostics to point me in the right direction.

Is there a 'verbose' mode or something that I can use? There's a small IRB session below.

Thanks,

Will

-----------[ irb session ]------------------

irb(main):001:0>  require 'gtranslate-two'
=> true
irb(main):002:0> require 'always_verify_ssl_certificates'
=> true
irb(main):003:0> GTranslator.key ="(key)"
 => "(key)"
irb(main):004:0> new_text = GTranslator.translate( "hello world.", GLanguage::Chinese_Simplified, GLanguage::English )
 TypeError: wrong argument (NilClass)! (Expected kind of OpenSSL::SSL::SSLContext)
    from c:/bin/ruby/v1.9/lib/ruby/gems/1.9.1/gems/always_verify_ssl_certificates-0.2.0/lib/always_verify_ssl_certificates.rb:13:in `initialize'
    from c:/bin/ruby/v1.9/lib/ruby/gems/1.9.1/gems/always_verify_ssl_certificates-0.2.0/lib/always_verify_ssl_certificates.rb:13:in `new'
    from c:/bin/ruby/v1.9/lib/ruby/gems/1.9.1/gems/always_verify_ssl_certificates-0.2.0/lib/always_verify_ssl_certificates.rb:13:in `connect'
    from c:/bin/ruby/v1.9/lib/ruby/1.9.1/net/http.rb:637:in `do_start'
    from c:/bin/ruby/v1.9/lib/ruby/1.9.1/net/http.rb:626:in `start'
    from c:/bin/ruby/v1.9/lib/ruby/1.9.1/open-uri.rb:306:in `open_http'
    from c:/bin/ruby/v1.9/lib/ruby/1.9.1/open-uri.rb:769:in `buffer_open'
    from c:/bin/ruby/v1.9/lib/ruby/1.9.1/open-uri.rb:203:in `block in open_loop'
    from c:/bin/ruby/v1.9/lib/ruby/1.9.1/open-uri.rb:201:in `catch'
    from c:/bin/ruby/v1.9/lib/ruby/1.9.1/open-uri.rb:201:in `open_loop'
    from c:/bin/ruby/v1.9/lib/ruby/1.9.1/open-uri.rb:146:in `open_uri'
    from c:/bin/ruby/v1.9/lib/ruby/1.9.1/open-uri.rb:671:in `open'
    from c:/bin/ruby/v1.9/lib/ruby/1.9.1/open-uri.rb:33:in `open'
    from c:/bin/ruby/v1.9/lib/ruby/gems/1.9.1/gems/gtranslate-two-0.1.3/lib/gtranslate-two.rb:21:in `translate'
    from (irb):4
    from c:/bin/ruby/v1.9/bin/irb:12:in `<main>'

CA certificates bundle needed?

The RubyInside article mentions the CA certificates bundle:

To get going, you need a local CA certificates bundle, the official curl site maintains an up to date cacert.pem / ca-bundle.crt file containing all of the major certificates if you need one.

The README does not. This confuses me: do I need the CA certificates bundle, or will the gem do its job without it? Thanks!

redis gem and always_verify_ssl_certificates incompatible

(I'm using the redis 2.2 library with ruby 1.8.7-2011.03 :002)

require 'rubygems'
=> true
require 'redis'
=> true
Redis.new(:host => 'localhost', :port => 6379)
=> #<Redis client v2.2.0 connected to redis://localhost:6379/0 (Redis v2.6.2)>
require 'always_verify_ssl_certificates'
=> true
Redis.new(:host => 'localhost', :port => 6379)
Errno::ECONNREFUSED: Connection refused - Unable to connect to Redis on localhost:6379

Wrong argument (NilClass)

/Users/carl/.rvm/gems/ruby-1.9.2-p136/gems/always_verify_ssl_certificates-0.3.0/lib/always_verify_ssl_certificates.rb:17:in `initialize': wrong argument (NilClass)! (Expected kind of OpenSSL::SSL::SSLContext) (TypeError)
    from /Users/carl/.rvm/gems/ruby-1.9.2-p136/gems/always_verify_ssl_certificates-0.3.0/lib/always_verify_ssl_certificates.rb:17:in `new'
    from /Users/carl/.rvm/gems/ruby-1.9.2-p136/gems/always_verify_ssl_certificates-0.3.0/lib/always_verify_ssl_certificates.rb:17:in `connect'
    from /Users/carl/.rvm/rubies/ruby-1.9.2-p136/lib/ruby/1.9.1/net/http.rb:637:in `do_start'
    from /Users/carl/.rvm/rubies/ruby-1.9.2-p136/lib/ruby/1.9.1/net/http.rb:626:in `start'
    from /Users/carl/.rvm/rubies/ruby-1.9.2-p136/lib/ruby/1.9.1/net/http.rb:1160:in `request'
    from /Users/carl/.rvm/gems/ruby-1.9.2-p136/gems/httparty-0.7.4/lib/httparty/request.rb:69:in `perform'
    from /Users/carl/.rvm/gems/ruby-1.9.2-p136/gems/httparty-0.7.4/lib/httparty.rb:394:in `perform_request'
    from /Users/carl/.rvm/gems/ruby-1.9.2-p136/gems/httparty-0.7.4/lib/httparty.rb:346:in `get'
    from /Volumes/1TB Storage/Carl/Dropbox/code/opensource/contextio/lib/contextio/request.rb:79:in `get'
    from /Volumes/1TB Storage/Carl/Dropbox/code/opensource/contextio/lib/contextio/request.rb:22:in `all_files'
    from test/unit/test.rb:9:in `'
