Client certificate login with thin is not forwarding CA to browser => annoying dialog which certificate to use pops up.

13 views
Skip to first unread message

Dr. Marc Arnold Bach

unread,
Oct 5, 2018, 10:13:46 AM10/5/18
to thin-ruby
HI,
I already asked this question in stockoverflow

but had no luck...

I am running a small sinatra application which re-uses a company-wide client certificate every employee has already installed (signed by an internal SSO_CA). My Sinatra/Thin combination is using the server certificate signed by an internal company CA but is expecting the client certificate signed by leading SSO_CA in the trutchain..

Technically this worked fine until we got a second self-signed client certificate on our PCs. The browser is unsure which certificate to use and most users do not read and use the new certificate, which ends in a 403 error.

In addition, browsers remember the decision and you have to explain to many people how to reset the SSL state.

=> Sinatra / Thin/ Eventmachine are not providing an option like :SSLCACertificateFiles '/usr/sinatra/certs/SSO_CA.crt' to tell the browser "please show up with client certificate from SSO_CA"

Webrick has it but this is not the right choice for "production". Moving to Nginx feels strange as I cannot be the first having this issue in Thin. I remember there was somewhere in a forum (cannot find it again) someone telling me that the feature is missing but I found this before I had an understanding that this is going to be my problem as well.

Has anybody an idea how to force Thin/Eventmachine to forward a specific CA suggestion for client certificate? It is not :SSLCACertificateFiles, I tried it already.



:cert_chain_file  => File.dirname(__FILE__) + "/keys/comp_key/s3l.cer",
:private_key_file => File.dirname(__FILE__) + "/keys/comp_key/s3l.key",
:verify_peer => true,
:SSLVerifyClient => true

Wha ever I do, the browser shows me all certificates to chose ...  

I want to stay with THIN, i there a way?

Marc

r007

unread,
Oct 5, 2018, 11:10:13 AM10/5/18
to thin-ruby
Hi Marc,

Have you tried https://ssltools.digicert.com/ or any other SSL checker tools? What does it say?

Basically, as I remember by configuring nginx servers, CA file is not needed. Because both the SSL and CA are concatenated together into one single chain file.

Concatenate the SSL and Intermediate CA Certificate
  1. You need to combine the ssl_certificate.crt file and the IntermediateCA.crt into a single concatenated file
  2. To get a single concatenated file out of the Intermediate CA and the SSL Certificate run the following command:
     
    cat IntermediateCA.crt >> ssl_certificate.crt
Have you tried this?

Sergey

пятница, 5 октября 2018 г., 17:13:46 UTC+3 пользователь Dr. Marc Arnold Bach написал:
Reply all
Reply to author
Forward
0 new messages