When you install Ruby, HTTPS won't work, because `OpenSSL::X509::DEFAULT_CERT_FILE` points to an incorrect certificate location (C:/Users/Luis/Code/luislavena/knap-build/var/knapsack/software/x64-windows/openssl/1.0.0l/ssl/cert.pem).
And worse, it's not documented anywhere. RubyInstaller doesn't mention that it won't work, and there isn't anything about this in the FAQ either.
Firstly, I would suggest that Ruby use a relative path to the PEM file; if that's not possible, then hardcode it to something like "C:/Ruby/cert.pem", which is much better than the current default path.
Next thing: it needs to be documented that this can be changed with the SSL_CERT_FILE env variable, which should point to the location of a valid CA bundle. Currently I see RubyGems and other applications/gems bundling their own certificates, because there's just no other way.
I see mostly everyone uses the certificates provided by the Mozilla NSS project from https://mxr.mozilla.org/mozilla-release/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1, and with cURL's Perl script they can be converted to usable PEM format.
So IMO the best solution would be for the installer, after installing Ruby, to download the certificates from Mozilla, convert them to PEM format and put them in the Ruby directory, and then, optionally, if Ruby is installed somewhere other than the hardcoded path, set the SSL_CERT_FILE env variable.
Also there should be some utility/script which could update the certificates. I might make something like this in Ruby, to convert from NSS format to PEM, because I don't like that Perl is currently needed for that.
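As an added illustration of what such a Ruby converter would have to do (this is example code written for this thread, not RubyInstaller's tool and not cURL's Perl script), the block below parses the NSS certdata.txt layout (CKO_CERTIFICATE objects carrying the DER bytes as MULTILINE_OCTAL, paired by CKA_LABEL with a CKO_NSS_TRUST object) and emits a PEM bundle containing only the roots marked CKT_NSS_TRUSTED_DELEGATOR for server authentication. It then loads that bundle into an OpenSSL::X509::Store from a file, which is exactly how Ruby consumes the file SSL_CERT_FILE points at. The CA and leaf certificates are generated on the fly as constructed test material; the helper names are the example's own.

```ruby
require "openssl"
require "tempfile"

# Convert NSS certdata.txt text into a PEM bundle (example converter, not the
# one from cURL or RubyInstaller). Only certificates whose CKO_NSS_TRUST object
# marks them CKT_NSS_TRUSTED_DELEGATOR for server auth are emitted, so a root
# Mozilla has distrusted never ends up in the file SSL_CERT_FILE points at.
def certdata_to_pem(text)
  objects = []
  current = nil
  octal = nil        # byte accumulator while inside a MULTILINE_OCTAL block
  octal_field = nil  # which attribute that block belongs to (we only keep CKA_VALUE)
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    if octal
      if line == "END"
        current[:der] = octal.pack("C*") if current && octal_field == "CKA_VALUE"
        octal = nil
      else
        line.scan(/\\([0-7]{3})/) { |(o)| octal << o.to_i(8) }  # "\060\202..." escapes
      end
      next
    end
    case line
    when /\ACKA_CLASS CK_OBJECT_CLASS (\S+)\z/
      current = { class: $1 }
      objects << current
    when /\ACKA_LABEL UTF8 "(.*)"\z/
      current[:label] = $1 if current
    when /\A(CKA_\w+) MULTILINE_OCTAL\z/
      octal = []
      octal_field = $1
    when /\ACKA_TRUST_SERVER_AUTH CK_TRUST (\S+)\z/
      current[:server_auth] = $1 if current
    end
  end
  trusted = objects.select { |o| o[:class] == "CKO_NSS_TRUST" && o[:server_auth] == "CKT_NSS_TRUSTED_DELEGATOR" }
                   .map { |o| o[:label] }
  objects.select { |o| o[:class] == "CKO_CERTIFICATE" && o[:der] && trusted.include?(o[:label]) }
         .map { |o| OpenSSL::X509::Certificate.new(o[:der]).to_pem }
         .join
end

# --- constructed test material below: a throwaway CA, a leaf, and a fake certdata.txt ---

def build_cert(subject, issuer, pubkey, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2  # X.509 v3
  cert.serial = serial
  cert.subject = subject
  cert.issuer = issuer
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert
end

# Self-signed root; basicConstraints CA:TRUE is required for OpenSSL to accept a v3 cert as an issuer.
def make_ca(name)
  key = OpenSSL::PKey::RSA.new(2048)
  dn = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert = build_cert(dn, dn, key.public_key, 1)
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

def issue_leaf(ca_cert, ca_key, cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = build_cert(OpenSSL::X509::Name.parse("/CN=#{cn}"), ca_cert.subject, key.public_key, 2)
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Render one certificate plus its trust object in certdata.txt syntax.
def certdata_entry(label, cert, trust)
  octal = cert.to_der.bytes.map { |b| format("\\%03o", b) }.each_slice(16).map(&:join).join("\n")
  <<~DATA
    CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
    CKA_LABEL UTF8 "#{label}"
    CKA_VALUE MULTILINE_OCTAL
    #{octal}
    END

    CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
    CKA_LABEL UTF8 "#{label}"
    CKA_TRUST_SERVER_AUTH CK_TRUST #{trust}

  DATA
end

# Load the bundle from a file into a store, as Ruby does with SSL_CERT_FILE, and verify a leaf.
def verify_with_bundle(pem_bundle, leaf)
  Tempfile.create(["ca-bundle", ".pem"]) do |f|
    f.write(pem_bundle)
    f.flush
    store = OpenSSL::X509::Store.new
    store.add_file(f.path) unless pem_bundle.empty?
    store.verify(leaf)
  end
end

if $PROGRAM_NAME == __FILE__
  ca, key = make_ca("Example Trusted Root")
  bad_ca, bad_key = make_ca("Example Distrusted Root")
  pem = certdata_to_pem(certdata_entry("Example Trusted Root", ca, "CKT_NSS_TRUSTED_DELEGATOR") +
                        certdata_entry("Example Distrusted Root", bad_ca, "CKT_NSS_NOT_TRUSTED"))
  puts "bundle holds #{pem.scan('BEGIN CERTIFICATE').size} certificate(s)"
  puts "leaf under trusted root verifies:    #{verify_with_bundle(pem, issue_leaf(ca, key, 'a.example'))}"
  puts "leaf under distrusted root verifies: #{verify_with_bundle(pem, issue_leaf(bad_ca, bad_key, 'b.example'))}"
end
```

Point the output file at the path you want, then set SSL_CERT_FILE to it (or drop it where the build's DEFAULT_CERT_FILE expects it); the store-from-file step above is the same one the Ruby openssl extension performs, so a bundle that passes it will work for Net::HTTP. Keeping the trust filter is what makes a regenerated bundle track Mozilla's removals, which is the part of "updating certificates" that a plain download cannot do.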
Checksums are listed in the release email and are also available on the downloads page and on the Bintray downloads.
Sorry for top posting. Sent from mobile.
Stephen Henson from OpenSSL replied about the patch, but there hasn't been any response from the original author, Yui NARUSE. Maybe he's busy or not interested in pursuing it anymore. So in any case, if someone has time, it would be great if they could adopt this patch and finally get proper certificate support for Windows.
I think no one before had a need for the Windows certificate store in OpenSSL, because generally when you're writing an application you use OpenSSL only on *nix, and for Windows you use the Cryptography API directly, which is easier because you don't have to compile OpenSSL for Windows, especially if using MSVC.
So another way to go about this could be implementing use of the Cryptography API in Ruby for Windows instead of OpenSSL. But that's probably huge work, and because currently Ruby doesn't have any abstraction layer (OpenSSL leaks directly into Ruby's code when using `https`, e.g.) and many gems depend on this behavior (catching SSL's exceptions), it's probably not practical. But overall it would be nice if Ruby could use other libraries for cryptography, not only OpenSSL.
Oops, didn't see, sorry.
Only MD5 isn't safe to use anymore, because collisions have been found and can be calculated; take a look at http://www.mscs.dal.ca/~selinger/md5collision/ and http://stackoverflow.com/questions/1999824/whats-the-shortest-pair-of-strings-that-causes-an-md5-collision
It would have been great if OpenSSL offered a wrapper around Windows' own functionality so it could be used transparently, which is not the case.

There have been attempts to provide a better and sane cryptography library for Ruby, called Krypt: it has the option of pluggable providers (OpenSSL being one) and is written mostly in Ruby, which is easier to understand. But, as usual with good tools, it didn't catch on with developers to aim this at replacing Ruby's OpenSSL in the standard library, or with any Ruby on Windows developer to help. I'm by no means an expert on the Windows API and even less on cryptography, so I cannot take the challenge and work on this to provide a Windows provider. Even so, it will be a challenge by itself to replace OpenSSL usage all over libraries and others that depend on it.

Life would be much easier if OpenSSL could set up its constants at compile time so that they are relative to the library's current directory (at runtime) and not to the build-time location (which is the current issue).
If the OpenSSL project could accept a patch for that, perhaps using a special flag to the configure script, then we could build a version of OpenSSL that uses it and build Ruby against it. That could allow us to provide a script or something that obtains the certs from Windows and places them in the relative PEM/CRT file. While it doesn't fix OpenSSL on Windows, it might fix the issue most Rubyists hit.
Do you think it is a viable compromise? I'm not sure how much I can contribute to make it happen, and not sure if the OpenSSL team will apply/include that patch, but we most likely can do custom builds for that (as long as the changes are not too big).
Sounds like an interesting challenge; would you like to participate? :-D
Indeed, MD5 is not safe anymore; which checksum algorithm do you recommend?
By the way, I saw that Ruby is going to gemify OpenSSL (Feature #9612), which I think is a good step forward.