[Eventmachine-talk] Eventmachine ssl


Dan Mayer

Aug 5, 2008, 12:38:04 PM
to eventmac...@rubyforge.org
I have an eventmachine client connecting to an eventmachine server,
and I wanted to use ssl. Originally I was just using start_tls() in
the post_init methods of both my client and server. Then I decided I
should use my own certificate, so I passed one in on the server
using :cert_chain_file => X, :private_key_file => Y... The client
happily accepted this cert. I used openssl and verified the server
was sending out the expected cert information. I then read the client
would accept a signed cert, so I thought if I passed it the public
side of the cert info it would only accept the same public key,
allowing it to only accept my cert. I guess no matter what is passed
to start_tls, when the client connects to the server it accepts?

This seems bad, correct me if I am wrong, but this could lead to the
old man-in-the-middle, since the client accepts any signed cert and
starts passing sensitive data... If someone got between the client and
my server, it could pass back its own self-signed cert, and then
connect to me and pass through any commands sent to the middle man,
and return any results... essentially all communication would be
encrypted, but the server would be encrypting and sending the data back
to the middle man, which in turn passes it back to the client (after
presumably recording or messing with the data).

Is there any way to get a hold of the cert information that was sent
to the client side so I can verify this is the public key I was
expecting? I looked through all the documentation and didn't find
any way to access anything about the SSL information after the
connection is made. Could start_tls pass back the certificate that was
received so I can then decide if I trust it, much like the warning web
browsers pop up on self-signed certs?

Anyway, perhaps I am missing something, but I couldn't find much out
there about this.

--
Dan Mayer
Co-founder, Devver
(http://devver.net)
follow us on twitter: http://twitter.com/devver
My Blog (http://mayerdan.com)
_______________________________________________
Eventmachine-talk mailing list
Eventmac...@rubyforge.org
http://rubyforge.org/mailman/listinfo/eventmachine-talk

Dan Mayer

Aug 7, 2008, 11:06:38 AM
to eventmac...@rubyforge.org
I wanted to send out what I ended up doing to solve this problem for
anyone else searching around for a solution.

I ended up moving the client side of the code over to Rev, while the
server is still EventMachine. The two play nicely together.

Thanks, Tony, for sending me the tip:

"If you don't find an EventMachine-based solution to this, Rev
(http://rev.rubyforge.org) is an EventMachine-like event framework
built on libev which interfaces with Ruby's OpenSSL extension
directly.

Rev has an "on_peer_cert" callback which is fired when the SSL
certificate is received that hands you an OpenSSL::X509::Certificate
object. This lets you check the cert to ensure it's one you trust,
and if it isn't you can close the socket and do whatever error
handling you desire."

Basically I moved from "class Client < EventMachine::Connection" to
"class RevClient < Rev::SSLSocket"

After that it was really only a few modifications to the code to get it working.

Simple stuff like "def post_init" => "def on_ssl_connect"

I think I ended up changing perhaps 25 lines of code. So it was pretty
nice to quickly be able to get SSL cert verification and swap out one
client for another.

Thanks to everyone who got back to me off the list, I appreciated the support.

peace,
Dan
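As an added example (not code from this thread, nor from Rev or EventMachine), here is the check a client would run inside the on_peer_cert callback Tony describes: it pins the SHA-256 fingerprint of the received OpenSSL::X509::Certificate, so an intermediary presenting its own (signed or self-signed) cert is rejected, which closes the gap Dan raised in the first message. The Rev wiring (Rev::SSLSocket, on_peer_cert, close) is assumed from the names quoted above and is only defined when Rev is installed; the pinned value is a placeholder and the sample certificate is constructed in-process.

```ruby
require 'openssl'

# Added example, not from the thread or from Rev/EventMachine.
module CertPinning
  # Hex SHA-256 fingerprint over the DER encoding: the value that
  # `openssl x509 -noout -fingerprint -sha256` prints, without colons.
  def self.fingerprint(cert)
    OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
  end

  # Constant-time comparison so a mismatch is not revealed byte by byte.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # The decision made in on_peer_cert: only the pinned server cert is
  # trusted; a middle man's cert has a different key, hence a different
  # fingerprint, regardless of who signed it or what CN it carries.
  def self.trusted?(cert, pinned_fingerprint)
    return false if cert.nil?
    constant_time_equal?(fingerprint(cert), pinned_fingerprint.downcase)
  end

  # Constructed sample: a self-signed cert standing in for the server's
  # :cert_chain_file (call it again to get an "intermediary's" cert).
  def self.self_signed_test_cert(common_name)
    key  = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version    = 2
    cert.serial     = 1
    cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
    cert.issuer     = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now
    cert.not_after  = Time.now + 3600
    cert.sign(key, OpenSSL::Digest::SHA256.new)
    cert
  end
end

# Assumed Rev wiring (callback names as quoted in the thread); defined
# only if Rev is installed, so the checks above still run without it.
begin
  require 'rev'
  class PinnedRevClient < Rev::SSLSocket
    PINNED = 'REPLACE_WITH_SERVER_CERT_SHA256_FINGERPRINT' # placeholder
    def on_peer_cert(cert)
      close unless CertPinning.trusted?(cert, PINNED) # drop untrusted peer
    end
  end
rescue LoadError
end
```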

James Tucker

Aug 7, 2008, 11:33:09 AM
to eventmac...@rubyforge.org

On 7 Aug 2008, at 16:06, Dan Mayer wrote:

> I wanted to send out what I ended up doing to solve this problem for
> anyone else searching around for a solution.
>
> I ended up moving the client side of the code over to Rev, while the
> server is still EventMachine. The two play nicely together.
>
> Thanks Tony for sending me the tip
>
> "If you don't find an EventMachine-based solution to this, Rev
> (http://rev.rubyforge.org) is an EventMachine-like event framework
> built on libev which interfaces with Ruby's OpenSSL extension
> directly.
>
> Rev has an "on_peer_cert" callback which is fired when the SSL
> certificate is received that hands you an OpenSSL::X509::Certificate
> object. This lets you check the cert to ensure it's one you trust,
> and if it isn't you can close the socket and do whatever error
> handling you desire."
>
> Basically I moved from "class Client < EventMachine::Connection" to
> "class RevClient < Rev::SSLSocket"
>
> After that it was really only a few modifications to the code to get
> it working.

That's very encouraging :)

We definitely need to get our cert checking stuff completed.

Roger Pack

Aug 7, 2008, 1:32:35 PM
to eventmac...@rubyforge.org
> After that it was really only a few modifications to the code to get it working.
>
> Simple stuff like "def post_init" => "def on_ssl_connect"
>
> I think I ended up changing perhaps 25 lines of code. So it was pretty
> nice to quickly be able to get SSL cert verification and swap out one
> client for another.

There's also an EM -> Rev compatibility layer that seems to work, if
that's any help in going back and forth between the two without any
code changes.
http://rev.rubyforge.org/svn/contrib/revem/revem.rb

I use it to go back and forth and it seems to work. For production
you might want to choose just one or the other. I use both
interchangeably :)

-R

Dan Mayer

Aug 7, 2008, 2:46:36 PM
to eventmac...@rubyforge.org
I saw the Rev compatibility layer, but it didn't look like it would
match my needs as well so I just went with the conversion.

It is cool that you use both and switch back and forth; that gives nice
flexibility for anything that might come up.

Dan

--

Dan Mayer
Co-founder, Devver
(http://devver.net)
follow us on twitter: http://twitter.com/devver
My Blog (http://mayerdan.com)

garbag...@gmail.com

Aug 6, 2008, 2:03:08 PM
to eventmac...@rubyforge.org

Currently, there's no way to constrain the certs that a client will
accept, but this is something we need to support.
