authorDavin Walker <dishcandanty@gmail.com>2018-12-20 13:58:46 -0700
committerDavin Walker <dishcandanty@gmail.com>2018-12-20 13:58:46 -0700
commitafc8ff0b56f8cdb7d598ec4e38ecbdce95083f71 (patch)
treeb3b6415dc6e2eaa3288a7af1643f4a5924159b50
parent30dfffa904cc7dc9f0fab1c019836ae0e4af93a0 (diff)
downloadgitlab-ce-43516-wip-rake-task-to-test-ssl-connection-certificate-verification.tar.gz
Add additional debug output to include the peer certificates received as well as what custom certificates are installed.
-rw-r--r--lib/gitlab/ssl_checker.rb43
1 files changed, 41 insertions, 2 deletions
diff --git a/lib/gitlab/ssl_checker.rb b/lib/gitlab/ssl_checker.rb
index b8a8f08d805..6dd1da19bea 100644
--- a/lib/gitlab/ssl_checker.rb
+++ b/lib/gitlab/ssl_checker.rb
@@ -20,9 +20,11 @@ module Gitlab
rescue Errno::ECONNREFUSED, Errno::ECONNRESET,
Errno::EHOSTUNREACH, SocketError => e
@error = 'Network Failure: ' + e.message
+
false
rescue OpenSSL::SSL::SSLError => e
@error = 'SSL Error: ' + e.message
+ ssl_print_stores
false
end
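Review bot: The `ssl_print_stores` call added inside the `rescue OpenSSL::SSL::SSLError` clause has no protection of its own, so if the second, diagnostic connection it opens fails (a refused or reset connect, a further SSLError while reading the peer chain) that exception escapes the method instead of the method returning false with the `@error` text already collected. Since the extra output is only a diagnostic, make it best-effort so the original failure report always comes back, e.g. `begin; ssl_print_stores; rescue StandardError => diag; @error += "\n(could not collect certificate details: #{diag.message})"; end`. The enclosing method begins above this hunk, and `ssl_print_stores` itself is defined in the following hunk.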
@@ -40,9 +42,46 @@ module Gitlab
private
- def ssl_context
+ def ssl_print_stores
+ tcp_client = TCPSocket.new(@host, @port)
+ @ssl_client = OpenSSL::SSL::SSLSocket.new tcp_client, ssl_context(false)
+ @ssl_client.connect
+
+ peers = @ssl_client.peer_cert_chain.map do |cert|
+ "Subject: #{cert.subject}\n Issuer: #{cert.issuer}"
+ end
+
+ @ssl_client.close
+
+ store = store_entries
+ @error += "\nReceived Peer Certificates:\n#{peers.join("\n")}"
+
+ if store.empty?
+ @error += "\nNo Additional Trusted Certificates"
+ else
+ @error += "\nStore Certificates:\n#{store.join("\n")}"
+ end
+ end
+
+ def store_entries
+ Dir.entries(OpenSSL::X509::DEFAULT_CERT_DIR).grep(/.0/).each do |cert|
+ raw = File.read("#{OpenSSL::X509::DEFAULT_CERT_DIR}/#{cert}")
+ raw.split("-----END CERTIFICATE-----\n").each do |entry|
+ certificate = OpenSSL::X509::Certificate.new(
+ entry + "-----END CERTIFICATE-----\n"
+ )
+ certificate.subject.to_s
+ end
+ end
+ end
+
+ def ssl_context(verify = true)
context = OpenSSL::SSL::SSLContext.new
- context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ if verify
+ context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ else
+ context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ end
cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths
context.cert_store = cert_store