Eventmachine talk - Nov 2007 - Passing parameters to start_tls doesn''t work

For some reason, in EventMachine 0.9.0 on Mac OS X 10.5, passing a valid
private key and certificate chain to start_tls doesn''t seem to work for
me.
When I make a test connection to the server via OpenSSL''s s_client, I
get
the "steamheat.net" self-signed certificate instead.

Here''s my silly code in post_init:

start_tls(:cert_chain_file => File.join(File.dirname(__FILE__),
"server.pem"),

             :private_key_file => File.join(File.dirname(__FILE__),
"key.pem
"))

Any ideas?  When I run it under the debugger, it looks like the filenames
are being passed into start_tls_args, but once it''s in the C++ module
it''s
opaque to me.

Best regards,

--Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://rubyforge.org/pipermail/eventmachine-talk/attachments/20071118/0543a149/attachment.html

On Nov 19, 2007 1:24 AM, Michael S. Fischer <michael at dynamine.net>
wrote:
> For some reason, in EventMachine 0.9.0 on Mac OS X 10.5, passing a valid
> private key and certificate chain to start_tls doesn''t seem to
work for me.
> When I make a test connection to the server via OpenSSL''s
s_client, I get
> the " steamheat.net" self-signed certificate instead.
>
> Here''s my silly code in post_init:
>
> start_tls(:cert_chain_file => File.join(File.dirname(__FILE__),
"server.pem
> "),
>              :private_key_file => File.join(File.dirname(__FILE__),
> "key.pem"))

This feature is definitely known to work. You might try removing the
extraneous blank space in "server.pem "

Are you doing start_tls on a server or as a client?

On Nov 19, 2007 5:11 AM, Francis Cianfrocca <garbagecat10 at gmail.com>
wrote:
> On Nov 19, 2007 1:24 AM, Michael S. Fischer <michael at dynamine.net>
wrote:
> > For some reason, in EventMachine 0.9.0 on Mac OS X 10.5, passing a
valid
> > private key and certificate chain to start_tls doesn''t seem
to work for
> me.
> > When I make a test connection to the server via OpenSSL''s
s_client, I
> get
> > the " steamheat.net" self-signed certificate instead.
> >
> > Here''s my silly code in post_init:
> >
> > start_tls(:cert_chain_file => File.join(File.dirname(__FILE__),
"
> server.pem
> > "),
> >              :private_key_file => File.join(File.dirname(__FILE__),
> > "key.pem"))
>
>
> This feature is definitely known to work. You might try removing the
> extraneous blank space in "server.pem "

It''s not in the actual code; it was probably just a paste-related
mishap.

Would EventMachine raise some kind of error if I accidentally used a key
file for a certificate, or failed to supply both values when operating as a
server?  I''ve checked to ensure that the .pem files contain what I
claim
they do, but it''s not clear whether EventMachine will silently ignore
problems such as these.

Are you doing start_tls on a server or as a client?


This is in server-side code.

I''m going to test in an Ubuntu 7.10 VM to determine whether this might
be an
OS- or build-specific issue.  Something is not right.

Best regards,

--Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://rubyforge.org/pipermail/eventmachine-talk/attachments/20071119/67b4f17e/attachment.html

> Would EventMachine raise some kind of error if I accidentally used a key
> file for a certificate, or failed to supply both values when operating as a
> server?  I''ve checked to ensure that the .pem files contain what I
claim
> they do, but it''s not clear whether EventMachine will silently
ignore
> problems such as these.
>
I believe from looking at the code that it would throw a fatal error
with malformed X509 material.
>
> > Are you doing start_tls on a server or as a client?
>
> This is in server-side code.
>
That might be the problem. I''ve used this feature extensively with
client-side code. I''ll test with the server side.

On Nov 19, 2007 8:07 AM, Francis Cianfrocca <garbagecat10 at gmail.com>
wrote:
>  > Would EventMachine raise some kind of error if I accidentally used a
> key
> > file for a certificate, or failed to supply both values when operating
> as a
> > server?  I''ve checked to ensure that the .pem files contain
what I claim
> > they do, but it''s not clear whether EventMachine will
silently ignore
> > problems such as these.
> >
> I believe from looking at the code that it would throw a fatal error
> with malformed X509 material.

Doesn''t seem to do that.  I can set these values to nonexistent
filenames
and I get the same result; no errors are thrown.

Also, I just tested this on RHEL 5 with the same result.

Best regards,

--Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://rubyforge.org/pipermail/eventmachine-talk/attachments/20071119/6f9ac45b/attachment-0001.html

On Nov 19, 2007 5:05 PM, Michael S. Fischer <michael at dynamine.net>
wrote:
> On Nov 19, 2007 8:07 AM, Francis Cianfrocca <garbagecat10 at
gmail.com> wrote:
>
> >
> >  > Would EventMachine raise some kind of error if I accidentally
used a
> key
> > > file for a certificate, or failed to supply both values when
operating
> as a
> > > server?  I''ve checked to ensure that the .pem files
contain what I claim
> > > they do, but it''s not clear whether EventMachine will
silently ignore
> > > problems such as these.
> > >
> > I believe from looking at the code that it would throw a fatal error
> > with malformed X509 material.
>
> Doesn''t seem to do that.  I can set these values to nonexistent
filenames
> and I get the same result; no errors are thrown.
>
> Also, I just tested this on RHEL 5 with the same result.

i think the problem is related to the fact that you''re running a
server. I''ll post back here as soon as I figure it out.

On Nov 19, 2007 5:05 PM, Michael S. Fischer <michael at dynamine.net>
wrote:
 > Doesn''t seem to do that.  I can set these values to nonexistent
filenames
> and I get the same result; no errors are thrown.
>
Fixed. Sync to HEAD revision and recompile. It WILL throw a fatal
error if you hand it bad X509 materials.

On Nov 19, 2007 3:36 PM, Francis Cianfrocca <garbagecat10 at gmail.com>
wrote:
> On Nov 19, 2007 5:05 PM, Michael S. Fischer <michael at dynamine.net>
wrote:
>  > Doesn''t seem to do that.  I can set these values to
nonexistent
> filenames
> > and I get the same result; no errors are thrown.
> >
>
> Fixed. Sync to HEAD revision and recompile. It WILL throw a fatal
> error if you hand it bad X509 materials.

Sorry if this is a dumb question, but - how do I do this?  I''m not
accustomed to living on the bleeding edge of Ruby gems.

Best regards,

--Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://rubyforge.org/pipermail/eventmachine-talk/attachments/20071119/5a6c1999/attachment.html

go to the event machine page on ruby forge, click on the ''scm''
link
and it tells you how to ''checkout the latest svn''

Basically run
svn checkout svn://rubyforge.org/var/svn/eventmachine eventmachine
then go to version_0/ext subdirectory, run ''make'' and try and
use
those binaries instead of the gem ones.  GL!
-Roger

On Nov 19, 2007 5:27 PM, Michael S. Fischer <michael at dynamine.net>
wrote:
> On Nov 19, 2007 3:36 PM, Francis Cianfrocca <garbagecat10 at
gmail.com> wrote:
>
> >
> > On Nov 19, 2007 5:05 PM, Michael S. Fischer <michael at
dynamine.net> wrote:
> >  > Doesn''t seem to do that.  I can set these values to
nonexistent
> filenames
> > > and I get the same result; no errors are thrown.
> > >
> >
> > Fixed. Sync to HEAD revision and recompile. It WILL throw a fatal
> > error if you hand it bad X509 materials.
>
> Sorry if this is a dumb question, but - how do I do this?  I''m not
> accustomed to living on the bleeding edge of Ruby gems.
>
> Best regards,
>
> --Michael
>
> _______________________________________________
> Eventmachine-talk mailing list
> Eventmachine-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/eventmachine-talk
>


--
-Roger Pack
For God hath not given us the spirit of fear; but of power, and of
love, and of a sound mind" -- 2 Timothy 1:7

On Nov 19, 2007 3:36 PM, Francis Cianfrocca <garbagecat10 at gmail.com>
wrote:
> On Nov 19, 2007 5:05 PM, Michael S. Fischer <michael at dynamine.net>
wrote:
>  > Doesn''t seem to do that.  I can set these values to
nonexistent
> filenames
> > and I get the same result; no errors are thrown.
> >
>
> Fixed. Sync to HEAD revision and recompile. It WILL throw a fatal
> error if you hand it bad X509 materials.

Seems to work so far.  Thanks!

--Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://rubyforge.org/pipermail/eventmachine-talk/attachments/20071119/539345f9/attachment.html

Any idea when you''re going to do another release?

On Nov 19, 2007 4:36 PM, Francis Cianfrocca <garbagecat10 at gmail.com>
wrote:
> On Nov 19, 2007 5:05 PM, Michael S. Fischer <michael at dynamine.net>
wrote:
>  > Doesn''t seem to do that.  I can set these values to
nonexistent
> filenames
> > and I get the same result; no errors are thrown.
> >
>
> Fixed. Sync to HEAD revision and recompile. It WILL throw a fatal
> error if you hand it bad X509 materials.
> _______________________________________________
> Eventmachine-talk mailing list
> Eventmachine-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/eventmachine-talk
>


--
Tony Arcieri
ClickCaster, Inc.
tony at clickcaster.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://rubyforge.org/pipermail/eventmachine-talk/attachments/20071120/a84b193e/attachment.html

On Nov 20, 2007 2:45 PM, Tony Arcieri <tony at clickcaster.com>
wrote:
> Any idea when you''re going to do another release?
>
>

We can do a dot release anytime. I was saving 0.10 for a formal
release of the JRuby EM. Anything else we should squeeze into 0.9.1?

Maybe the peer-cert verification for start_tls.

> We can do a dot release anytime. I was saving 0.10 for a formal
> release of the JRuby EM. Anything else we should squeeze into 0.9.1?
There was some code in the diffs I sent that helps errors be more
informative--that might be nice.  It helps me :)