├── LICENSE.md
├── create-cert
├── der2pem
├── doctor.rb
├── faraday_example.rb
├── net_http_example.rb
├── readme.md
├── remote-cert
└── show-cert


/LICENSE.md:
--------------------------------------------------------------------------------
  1 | CC0 1.0 Universal
  2 | 
  3 | Statement of Purpose
  4 | 
  5 | The laws of most jurisdictions throughout the world automatically confer
  6 | exclusive Copyright and Related Rights (defined below) upon the creator and
  7 | subsequent owner(s) (each and all, an "owner") of an original work of
  8 | authorship and/or a database (each, a "Work").
  9 | 
 10 | Certain owners wish to permanently relinquish those rights to a Work for the
 11 | purpose of contributing to a commons of creative, cultural and scientific
 12 | works ("Commons") that the public can reliably and without fear of later
 13 | claims of infringement build upon, modify, incorporate in other works, reuse
 14 | and redistribute as freely as possible in any form whatsoever and for any
 15 | purposes, including without limitation commercial purposes. These owners may
 16 | contribute to the Commons to promote the ideal of a free culture and the
 17 | further production of creative, cultural and scientific works, or to gain
 18 | reputation or greater distribution for their Work in part through the use and
 19 | efforts of others.
 20 | 
 21 | For these and/or other purposes and motivations, and without any expectation
 22 | of additional consideration or compensation, the person associating CC0 with a
 23 | Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
 24 | and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
 25 | and publicly distribute the Work under its terms, with knowledge of his or her
 26 | Copyright and Related Rights in the Work and the meaning and intended legal
 27 | effect of CC0 on those rights.
 28 | 
 29 | 1. Copyright and Related Rights. A Work made available under CC0 may be
 30 | protected by copyright and related or neighboring rights ("Copyright and
 31 | Related Rights"). Copyright and Related Rights include, but are not limited
 32 | to, the following:
 33 | 
 34 |   i. the right to reproduce, adapt, distribute, perform, display, communicate,
 35 |   and translate a Work;
 36 | 
 37 |   ii. moral rights retained by the original author(s) and/or performer(s);
 38 | 
 39 |   iii. publicity and privacy rights pertaining to a person's image or likeness
 40 |   depicted in a Work;
 41 | 
 42 |   iv. rights protecting against unfair competition in regards to a Work,
 43 |   subject to the limitations in paragraph 4(a), below;
 44 | 
 45 |   v. rights protecting the extraction, dissemination, use and reuse of data in
 46 |   a Work;
 47 | 
 48 |   vi. database rights (such as those arising under Directive 96/9/EC of the
 49 |   European Parliament and of the Council of 11 March 1996 on the legal
 50 |   protection of databases, and under any national implementation thereof,
 51 |   including any amended or successor version of such directive); and
 52 | 
 53 |   vii. other similar, equivalent or corresponding rights throughout the world
 54 |   based on applicable law or treaty, and any national implementations thereof.
 55 | 
 56 | 2. Waiver. To the greatest extent permitted by, but not in contravention of,
 57 | applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
 58 | unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
 59 | and Related Rights and associated claims and causes of action, whether now
 60 | known or unknown (including existing as well as future claims and causes of
 61 | action), in the Work (i) in all territories worldwide, (ii) for the maximum
 62 | duration provided by applicable law or treaty (including future time
 63 | extensions), (iii) in any current or future medium and for any number of
 64 | copies, and (iv) for any purpose whatsoever, including without limitation
 65 | commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
 66 | the Waiver for the benefit of each member of the public at large and to the
 67 | detriment of Affirmer's heirs and successors, fully intending that such Waiver
 68 | shall not be subject to revocation, rescission, cancellation, termination, or
 69 | any other legal or equitable action to disrupt the quiet enjoyment of the Work
 70 | by the public as contemplated by Affirmer's express Statement of Purpose.
 71 | 
 72 | 3. Public License Fallback. Should any part of the Waiver for any reason be
 73 | judged legally invalid or ineffective under applicable law, then the Waiver
 74 | shall be preserved to the maximum extent permitted taking into account
 75 | Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
 76 | is so judged Affirmer hereby grants to each affected person a royalty-free,
 77 | non transferable, non sublicensable, non exclusive, irrevocable and
 78 | unconditional license to exercise Affirmer's Copyright and Related Rights in
 79 | the Work (i) in all territories worldwide, (ii) for the maximum duration
 80 | provided by applicable law or treaty (including future time extensions), (iii)
 81 | in any current or future medium and for any number of copies, and (iv) for any
 82 | purpose whatsoever, including without limitation commercial, advertising or
 83 | promotional purposes (the "License"). The License shall be deemed effective as
 84 | of the date CC0 was applied by Affirmer to the Work. Should any part of the
 85 | License for any reason be judged legally invalid or ineffective under
 86 | applicable law, such partial invalidity or ineffectiveness shall not
 87 | invalidate the remainder of the License, and in such case Affirmer hereby
 88 | affirms that he or she will not (i) exercise any of his or her remaining
 89 | Copyright and Related Rights in the Work or (ii) assert any associated claims
 90 | and causes of action with respect to the Work, in either case contrary to
 91 | Affirmer's express Statement of Purpose.
 92 | 
 93 | 4. Limitations and Disclaimers.
 94 | 
 95 |   a. No trademark or patent rights held by Affirmer are waived, abandoned,
 96 |   surrendered, licensed or otherwise affected by this document.
 97 | 
 98 |   b. Affirmer offers the Work as-is and makes no representations or warranties
 99 |   of any kind concerning the Work, express, implied, statutory or otherwise,
100 |   including without limitation warranties of title, merchantability, fitness
101 |   for a particular purpose, non infringement, or the absence of latent or
102 |   other defects, accuracy, or the present or absence of errors, whether or not
103 |   discoverable, all to the greatest extent permissible under applicable law.
104 | 
105 |   c. Affirmer disclaims responsibility for clearing rights of other persons
106 |   that may apply to the Work or any use thereof, including without limitation
107 |   any person's Copyright and Related Rights in the Work. Further, Affirmer
108 |   disclaims responsibility for obtaining any necessary consents, permissions
109 |   or other rights required for any use of the Work.
110 | 
111 |   d. Affirmer understands and acknowledges that Creative Commons is not a
112 |   party to this document and has no duty or obligation with respect to this
113 |   CC0 or use of the Work.
114 | 
115 | For more information, please see
116 | <http://creativecommons.org/publicdomain/zero/1.0/>
117 | 


--------------------------------------------------------------------------------
/create-cert:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | # Usage: create-cert [CNAME=localhost] [ORGANIZATION]
 3 | #
 4 | # Creates a self-signed certificate and outputs it and its private key.
 5 | set -e
 6 | 
 7 | name="${1:-localhost}"
 8 | org="$2"
 9 | temp="${TMPDIR:-/tmp}/openssl-req.$$.$(date +%s)"
10 | 
11 | openssl req \
12 |   -x509 -nodes -days 365 \
13 |   -subj "/O=$org/CN=$name" \
14 |   -newkey rsa:1024 -keyout "$temp" -out "$temp" 2>/dev/null
15 | 
16 | cat "$temp"
17 | rm -f "$temp"
18 | 


--------------------------------------------------------------------------------
/der2pem:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | set -e
 3 | while [ -n "$1" ]; do
 4 |   if ! [ -f "$1" ]; then
 5 |     echo "invalid .cer file: \`$1'" >&2
 6 |     exit 1
 7 |   fi
 8 |   openssl x509 -inform der -in "$1" -outform pem
 9 |   shift 1
10 | done
11 | 


--------------------------------------------------------------------------------
/doctor.rb:
--------------------------------------------------------------------------------
 1 | # Usage: ruby doctor.rb [HOST=status.github.com[:PORT=443]]
 2 | require 'rbconfig'
 3 | require 'net/https'
 4 | 
 5 | if ARGV[0] =~ /^[^-]/
 6 |   host, port = ARGV[0].split(':', 2)
 7 | else
 8 |   host = 'status.github.com'
 9 | end
10 | port ||= 443
11 | 
12 | ruby = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
13 | ruby_version = RUBY_VERSION
14 | if patch = RbConfig::CONFIG['PATCHLEVEL']
15 |   ruby_version += "-p#{patch}"
16 | end
17 | puts "%s (%s)" % [ruby, ruby_version]
18 | 
19 | openssl_dir = OpenSSL::X509::DEFAULT_CERT_AREA
20 | mac_openssl = '/System/Library/OpenSSL' == openssl_dir
21 | puts "%s: %s" % [OpenSSL::OPENSSL_VERSION, openssl_dir]
22 | [OpenSSL::X509::DEFAULT_CERT_DIR_ENV, OpenSSL::X509::DEFAULT_CERT_FILE_ENV].each do |key|
23 |   puts "%s=%s" % [key, ENV[key].to_s.inspect]
24 | end
25 | 
26 | ca_file = ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
27 | ca_path = (ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV] || OpenSSL::X509::DEFAULT_CERT_DIR).chomp('/')
28 | 
29 | puts "\nHEAD https://#{host}:#{port}"
30 | http = Net::HTTP.new(host, port)
31 | http.use_ssl = true
32 | 
33 | # Explicitly setting cert_store like this is not needed in most cases but it
34 | # seems necessary in edge cases such as when using `verify_callback` in some
35 | # combination of Ruby + OpenSSL versions.
36 | http.cert_store = OpenSSL::X509::Store.new
37 | http.cert_store.set_default_paths
38 | 
39 | http.verify_mode = OpenSSL::SSL::VERIFY_PEER
40 | failed_cert = failed_cert_reason = nil
41 | 
42 | if mac_openssl
43 |   warn "warning: will not be able show failed certificate info on OS X's OpenSSL"
44 |   # This drives me absolutely nuts. It seems that on Rubies compiled against OS X's
45 |   # system OpenSSL, the mere fact of defining a `verify_callback` makes the
46 |   # cert verification fail for requests that would otherwise be successful.
47 | else
48 |   http.verify_callback = lambda { |verify_ok, store_context|
49 |     if !verify_ok
50 |       failed_cert = store_context.current_cert
51 |       failed_cert_reason = "%d: %s" % [ store_context.error, store_context.error_string ]
52 |     end
53 |     verify_ok
54 |   }
55 | end
56 | 
57 | user_agent = "net/http #{ruby_version}"
58 | req = Net::HTTP::Head.new('/', 'user-agent' => user_agent)
59 | 
60 | begin
61 |   res = http.start { http.request(req) }
62 |   abort res.inspect if res.code.to_i >= 500
63 |   puts "OK"
64 | rescue Errno::ECONNREFUSED
65 |   puts "Error: connection refused"
66 |   exit 1
67 | rescue OpenSSL::SSL::SSLError => e
68 |   puts "#{e.class}: #{e.message}"
69 | 
70 |   if failed_cert
71 |     puts "\nThe server presented a certificate that could not be verified:"
72 |     puts "  subject: #{failed_cert.subject}"
73 |     puts "  issuer: #{failed_cert.issuer}"
74 |     puts "  error code %s" % failed_cert_reason
75 |   end
76 | 
77 |   ca_file_missing = !File.exist?(ca_file) && !mac_openssl
78 |   ca_path_empty = Dir["#{ca_path}/*"].empty?
79 | 
80 |   if ca_file_missing || ca_path_empty
81 |     puts "\nPossible causes:"
82 |     puts "  `%s' does not exist" % ca_file if ca_file_missing
83 |     puts "  `%s/' is empty" % ca_path if ca_path_empty
84 |   end
85 | 
86 |   exit 1
87 | end
88 | 


--------------------------------------------------------------------------------
/faraday_example.rb:
--------------------------------------------------------------------------------
 1 | require 'faraday'
 2 | 
 3 | connection = Faraday.new('https://example.com', :ssl => {
 4 |   # Peer verification is true by default
 5 |   :verify => true,
 6 |   # Rarely needed. If you need to be explicit, set:
 7 |   :verify_mode => OpenSSL::SSL::VERIFY_PEER,
 8 | 
 9 |   # Override SSL_CERT_FILE: the path to your CA bundle
10 |   :ca_file => '/path/to/ca_cert.pem',
11 |   # Override SSL_CERT_DIR: the directory with individual cert files
12 |   :ca_path => '/path/to/certs/',
13 | 
14 |   # Optional. Store extra certificates that you will trust.
15 |   :cert_store => OpenSSL::X509::Store.new,
16 | 
17 |   # Max length of cert chain to be verified
18 |   :verify_depth => 3,
19 | 
20 |   # Rarely needed. Set client certificate and private key.
21 |   :client_cert => OpenSSL::X509::Certificate.new,
22 |   :client_key => OpenSSL::PKey::RSA.new
23 | }) do
24 |   conn.request :url_encoded
25 |   conn.response :raise_error
26 |   conn.response :logger
27 |   conn.adapter :net_http
28 | end
29 | 
30 | connection.get('/hello')
31 | 


--------------------------------------------------------------------------------
/net_http_example.rb:
--------------------------------------------------------------------------------
 1 | require 'https'
 2 | 
 3 | uri = URI('https://example.com/hello?world')
 4 | 
 5 | http = Net::HTTP.new(uri.host, uri.port)
 6 | http.use_ssl = uri.scheme == 'https' || uri.port == 443
 7 | 
 8 | if http.use_ssl?
 9 |   ## Important. Turns on certificate verification
10 |   http.verify_mode = OpenSSL::SSL::VERIFY_PEER
11 | 
12 |   ## Override SSL_CERT_FILE: the path to your CA bundle
13 |   http.ca_file = '/path/to/ca_cert.pem'
14 |   ## Override SSL_CERT_DIR: the directory with individual cert files
15 |   http.ca_path = '/path/to/certs/'
16 | 
17 |   ## Optional. Configure extra certificates that you will trust.
18 |   http.cert_store = OpenSSL::X509::Store.new
19 |   http.cert_store.set_default_paths
20 |   http.cert_store.add_file('/path/to/cacert.pem')
21 |   # ...or:
22 |   cert = OpenSSL::X509::Certificate.new(File.read('mycert.pem'))
23 |   http.cert_store.add_cert(cert)
24 | 
25 |   http.ssl_timeout = 5 # seconds
26 |   http.verify_depth = 3 # max length of cert chain to be verified
27 | 
28 |   ## Optional. Set the client certificate. This enables servers which support it
29 |   ## to verify that YOU are who you claim to be as well. You probably don't need this.
30 |   # http.cert = OpenSSL::X509::Certificate.new(...)
31 |   # Provide the private key for the client certificate
32 |   # http.key = OpenSSL::PKey::RSA.new(...)
33 | end
34 | 
35 | user_agent = "net/http #{RUBY_VERSION}"
36 | req = Net::HTTP::Get.new(uri.request_uri, 'user-agent' => user_agent)
37 | 
38 | begin
39 |   res = http.start { http.request(req) }
40 |   abort res.inspect if res.code.to_i >= 300
41 |   puts res.body
42 | rescue Errno::ECONNREFUSED
43 |   abort "Error: connection refused"
44 | rescue OpenSSL::SSL::SSLError
45 |   abort "SSLError: #{$!.message}"
46 | end
47 | 


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | # SSL tools
 2 | 
 3 |     der2pem FILES...
 4 | 
 5 |     remote-cert status.github.com | show-cert
 6 | 
 7 |     create-cert example.com "My Organization" > cert_and_key.pem
 8 | 
 9 |     ruby doctor.rb example.com:443
10 | 
11 | Sample output of `doctor.rb`:
12 | 
13 | ```
14 | /Users/mislav/.rbenv/versions/2.0.0-p247/bin/ruby (2.0.0-p247)
15 | OpenSSL 1.0.1e 11 Feb 2013: /usr/local/etc/openssl
16 | SSL_CERT_DIR=""
17 | SSL_CERT_FILE=""
18 | 
19 | HEAD https://status.github.com:443
20 | OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
21 | 
22 | The server presented a certificate that could not be verified:
23 | subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
24 | issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
25 | error code 20: unable to get local issuer certificate
26 | 
27 | Possible causes:
28 | - `/usr/local/etc/openssl/cert.pem' does not exist
29 | - `/usr/local/etc/openssl/certs/' is empty
30 | ```
31 | 


--------------------------------------------------------------------------------
/remote-cert:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | # Usage: remote-cert HOST[:PORT] [HOST[:PORT] ...]
 3 | set -e
 4 | 
 5 | while [ -n "$1" ]; do
 6 |   host="${1%:*}"
 7 |   port="${1#*:}"
 8 |   [ "$host" = "$port" ] && port=443
 9 | 
10 |   echo | openssl s_client -connect ${host}:${port} 2>&1 |\
11 |     sed -nEe '/^-+BEGIN/,/^-+END/p'
12 | 
13 |   shift 1
14 | done
15 | 


--------------------------------------------------------------------------------
/show-cert:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | # Display human-readable information from a certificate.
 3 | set -e
 4 | 
 5 | file="$1"
 6 | [ "$file" = "-" ] && file=""
 7 | 
 8 | if [ -n "$file" -a ! -f "$file" ] || [ -z "$file" -a -t 0 ]; then
 9 |   echo "Usage: show-cert <file>" >&2
10 |   exit 1
11 | fi
12 | 
13 | format=pem
14 | [ "${file##*.}" = "cer" ] && format=der
15 | 
16 | exec openssl x509 -inform "$format" ${1:+-in "$1"} -noout -text \
17 |   -nameopt multiline -certopt no_pubkey,no_sigdump
18 | 


--------------------------------------------------------------------------------