SSL guide is incomplete #174
Comments
The gist has an insecure set of instructions since that uses HTTP to download the CA certificates. We can't tell people to use these instructions since they don't establish a complete chain of trust.
Ah, good catch. I'm not sure what the RVM one is doing: https://github.com/rvm/rvm/blob/master/scripts/osx-ssl-certs
Looks like RVM extracts its CA cert list from the OS X keychain: https://github.com/rvm/rvm/blob/master/scripts/functions/osx-ssl-certs#L43-L47 Unfortunately this list includes CA certificates you've marked as untrusted. There should be a way around this.
Hmm, that's no good at all. I imagine there'd be a flag you could pass or something, but I don't have access to a macOS system to try to find it.
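One way around the problem the two comments above describe (a keychain export that still contains roots the user has marked untrusted), as an added Ruby example that is not code from RVM, RubyGems or this repository: parse an exported PEM bundle, drop any certificate whose SHA-256 fingerprint is on a user-supplied denylist (the fingerprint Keychain Access and `openssl x509 -fingerprint -sha256` display), and also drop entries that are not CA certificates or have expired, so the result is a bundle you can hand to OpenSSL as a CA file. The three sample certificates are generated in-process and are constructed for the example; the `make_self_signed_ca`, `filter_bundle` and `demo` helpers are assumptions of this example, not an API of any project mentioned in the thread.

```ruby
require 'openssl'

# Split a PEM bundle (a keychain export or a cacert.pem) into certificate objects,
# ignoring any text outside the BEGIN/END markers.
def parse_bundle(bundle_pem)
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
            .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Lower-case hex SHA-256 of the DER encoding: the same value Keychain Access shows,
# minus the colons.
def sha256_fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der)
end

# A root bundle should contain only certificates that assert CA:TRUE.
def ca_cert?(cert)
  bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  !bc.nil? && bc.value.include?('CA:TRUE')
end

# Returns { kept: [certs], dropped: [[fingerprint, reason], ...] }.
# distrusted_fingerprints may be given with or without colons, any case.
def filter_bundle(bundle_pem, distrusted_fingerprints, now: Time.now)
  deny = distrusted_fingerprints.map { |f| f.delete(':').downcase }
  kept = []
  dropped = []
  parse_bundle(bundle_pem).each do |cert|
    fp = sha256_fingerprint(cert)
    reason =
      if deny.include?(fp) then 'distrusted'
      elsif !ca_cert?(cert) then 'not a CA certificate'
      elsif cert.not_after < now then 'expired'
      end
    reason ? dropped << [fp, reason] : kept << cert
  end
  { kept: kept, dropped: dropped }
end

# Serialise the surviving certificates back into one PEM file.
def write_bundle(certs)
  certs.map(&:to_pem).join
end

# Constructed sample data: a self-signed "root CA" generated in-process so the
# example runs offline. Real bundles come from the keychain export.
def make_self_signed_ca(common_name, not_after: Time.now + 365 * 86_400)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_after - 2 * 365 * 86_400
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Build a bundle of three constructed roots, mark one as distrusted, and filter.
def demo
  trusted    = make_self_signed_ca('Example Trusted Root')
  distrusted = make_self_signed_ca('Example Distrusted Root')
  expired    = make_self_signed_ca('Example Expired Root', not_after: Time.now - 86_400)
  bundle = write_bundle([trusted, distrusted, expired])
  filter_bundle(bundle, [sha256_fingerprint(distrusted)])
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "kept #{result[:kept].size}, dropped #{result[:dropped].size}"
  result[:dropped].each { |fp, why| puts "  #{fp[0, 16]}... #{why}" }
  File.write('filtered-ca-bundle.pem', write_bundle(result[:kept]))
end
```

Point `SSL_CERT_FILE` (or `OpenSSL::SSL::SSLContext#ca_file`) at the written file; because filtering is by fingerprint rather than by subject name, a distrusted root cannot slip back in under a renamed copy.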
Don't forget this blog post and its associated script (which have saved me from SSL errors I did not understand many times over at this point): http://mislav.net/2013/07/ruby-openssl/
Also, please note that haxx.se now provides the Curl CA bundle via HTTPS: https://curl.haxx.se/ca/cacert.pem
It's hard to get the Curl CA bundle via HTTPS if you don't already have the CA certificate to verify the server certificate.
I am assuming the existence of a browser (eg Firefox, Chrome) with its own set of trusted certs, so a user can fetch
Yes, or bundle the CA certificate inside the script doing the fetching (like RubyGems).
The SSL guide appears to only work if you're not using a version manager for Ruby (RVM, rbenv, etc).
I'm still collecting information about and helping resolve this in rubygems/rubygems#1758.
However, some relevant links from that thread:
https://gist.github.com/fnichol/867550
EDIT: The gist has insecure instructions.