-
Notifications
You must be signed in to change notification settings - Fork 189
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSL guide is incomplete #174
Comments
The gist has an insecure set of instructions since that uses HTTP to download the CA certificates. We can't tell people to use these instructions since they don't establish a complete chain of trust. |
Ah, good catch. I'm not sure what the RVM one is doing: https://github.com/rvm/rvm/blob/master/scripts/osx-ssl-certs |
Looks like RVM extracts its CA cert list from the OS X keychain: https://github.com/rvm/rvm/blob/master/scripts/functions/osx-ssl-certs#L43-L47 Unfortunately this list includes CA certificates you've marked as untrusted. There should be a way around this. |
hmm, that's no good at all. I imagine there'd be a flag you could pass or something, but I don't have access to a macOS system to try to find it. |
Don't forget this blog post and its associated script (which have saved me from SSL errors I did not understand many times over at this point): http://mislav.net/2013/07/ruby-openssl/ |
Also, please note that haxx.se now provides the Curl CA bundle via HTTPS: https://curl.haxx.se/ca/cacert.pem |
It's hard to get the Curl CA bundle via HTTPS if you don't already have the CA certificate to verify the server certificate |
I am assuming the existence of a browser (eg Firefox, Chrome) with its own set of trusted certs, so a user can fetch |
Yes, or bundle the CA certificate inside the script doing the fetching (like RubyGems) |
The SSL guide appears to only work if you're not using a version manager for Ruby (RVM, rbenv, etc).
I'm still collecting information about and helping resolve this in rubygems/rubygems#1758.
However, some relevant links from that thread:
https://gist.github.com/fnichol/867550EDIT: The gist has insecure instructions.
The text was updated successfully, but these errors were encountered: