<qrush>
after years of being handrolled we finally have a community built and run infrastructure - i'd say yes, if you want to see something happen, it has to happen in chef
<swills>
don't know what what is?
<swills>
ok
<swills>
having a Mac is a requirement to using Vagrant, right?
<raggi>
makes me want to pull a damato and go around screaming REEWWWBBYY!!!
newUser1234 has joined #rubygems
tux91 has joined #rubygems
<pencil>
:)
havenwood has joined #rubygems
tux91 has quit [Remote host closed the connection]
<raggi>
why doesn't brew link curl-ca-bundle link the ca-bundle.crt into /usr/local/etc/certs ?
tux91 has joined #rubygems
<raggi>
s/certs/openssl\/certs/
<tux91>
'gem update' asks me if I want to overwrite certain executables, shouldn't it do it automatically if it's installing a newer version, and skip if it's an older one?
tux91 has quit [Remote host closed the connection]
stevenharman has joined #rubygems
<sikachu>
raggi: i'm not sure. if that's the location that openssl will look for certs, then i think we should submit them a pull request.
<sikachu>
maybe i should test that
<sikachu>
brb
<raggi>
sikachu: they will want to be bundled in a pem, and then run rehash afterward
<sikachu>
oh
<raggi>
i'm sure there's some appallingly written docs around somewhere
mockra has joined #rubygems
mockra has quit [Remote host closed the connection]
<sikachu>
yeah, maybe i should look at it afterward … try to find the way to soothe this pain for others. that took me quite a while to find that ENV VAR
<sikachu>
anyway, froyo and coffee time.
dvu has quit [Remote host closed the connection]
dvu has joined #rubygems
yerhot has quit [Remote host closed the connection]
dvu has quit [Ping timeout: 276 seconds]
wolfeidau has quit [Remote host closed the connection]
yerhot has joined #rubygems
yerhot has quit [Remote host closed the connection]
cowboyd has joined #rubygems
huoxito has joined #rubygems
wolfeidau has joined #rubygems
cowboyd has quit [Remote host closed the connection]
mockra has joined #rubygems
nirvdrum has quit [Read error: No route to host]
postmodern has joined #rubygems
<postmodern>
man good job on rubygems 2.0.0!
<postmodern>
like how documentation is generated after each gem is installed
<postmodern>
and `gem clean` doesn't remove necessary dependencies accidentally anymore
mockra has quit [Ping timeout: 256 seconds]
<postmodern>
hey where did rubygems/builder go in 2.0.0?
mockra has joined #rubygems
mockra has quit [Remote host closed the connection]
fromonesrc_tmp has joined #rubygems
fromonesrc_tmp has quit [Client Quit]
<wolfeidau>
qrush: Heya you around, been lookin at that cert issue
fromonesrc has joined #rubygems
fromonesrc has quit [Client Quit]
<wolfeidau>
raggi: It is a very interesting issue, using a different bundle is an interesting solution
fromonesrc has joined #rubygems
<raggi>
wolfeidau: well, rubygems should probably ship with the CF ones too
<raggi>
as we ship certs to avoid this on our side
<raggi>
but, for users in general, if they're going to rely on brew installed ssl, they probably want to configure their system properly
<wolfeidau>
raggi: The thing is you should only need to ship the intermediate cert for your rapid ssl
<wolfeidau>
raggi: Have you tried that?
<raggi>
wolfeidau: have you looked at the rubygems source?
yerhot has joined #rubygems
<wolfeidau>
raggi: Not yet mate, just looking from the outside in atm :P
<wolfeidau>
raggi: Links through to RapidSSL_CA_bundle.pem I would love to try this in that search path RapidSSL_CA_bundle.pem
<raggi>
well who did that?
<wolfeidau>
woops double paste lol
<raggi>
heh
<raggi>
lol
<wolfeidau>
raggi: About to be dragged off to meeting sorry, just got to work after a holiday.. Does that look helpful?
fromonesrc has quit [Quit: fromonesrc]
the_mentat has quit [Quit: Computer has gone to sleep.]
newUser1234 has quit [Remote host closed the connection]
Elhu has quit [Quit: Computer has gone to sleep.]
<wolfeidau>
wycats__: Yes a lot of people are having those cert issues, it MAY be due to ruby 2.0 requiring the new openssl and new certs used by rubygems.org
vertis has joined #rubygems
<wycats__>
wolfeidau: hm
<wycats__>
indirect: do we know anything more?
<wolfeidau>
wycats__: I want to try adding that intermediate to rubygems sources but I am busy at work right now :(
<wolfeidau>
wycats__: If you can read up a bit I linked it and raggi linked the folder existing intermediate certs bundled
<wycats__>
there's usually a flurry of (potentially dangerous) solutions
<wycats__>
that people peddle
<wycats__>
that then persist for YEARS
newUser1234 has quit [Remote host closed the connection]
<wolfeidau>
wycats__: Agreed! and they work, but no one looks into why or how dangerous they are :(
newUser1234 has joined #rubygems
<wolfeidau>
as mentioned above installing curl in brew and using export SSL_CERT_FILE=/usr/local/Cellar/curl-ca-bundle/1.87/share/ca-bundle.crt works too
<wolfeidau>
I wish I had more time right now to look into it in more detail but just got to work
<wycats__>
wolfeidau: do you know exactly WHY that works?
<vertis>
wolfeidau: gives openssl access to the intermediate cert required to validate rubygems.org?
<wolfeidau>
wycats__: Something has changed with the way ca certs are bundled with openssl as far as i can tell from the rather oblique answers on the openssl mailing list
<wolfeidau>
wycats__: vertis: The issue is something has changed between openssl 0.x and 1.0.x in how it completes the chain of trust
<wolfeidau>
wycats__: As far as i can tell applications now need to bundle the intermediate cert to complete the chain, this can't be completed by bundling the cert from the server
<vertis>
wolfeidau: yeah, so previously it would be happy with the download from the server and now...
newUser1234 has quit [Remote host closed the connection]
<wolfeidau>
vertis: Exactly
<wycats__>
wolfeidau: and why does moving the file to cert.pem work?
<wolfeidau>
wycats__: I think that is a ca-bundle file
<wolfeidau>
will grab it down and look
<wycats__>
ok :)
<wolfeidau>
wycats__: That ca-bundle.crt -- Bundle of CA Root Certificates
<wolfeidau>
wycats__: From mozilla
<wolfeidau>
wycats__: Hence it working
<wycats__>
wolfeidau: so why doesn't OpenSSL stick it where it looks?
<wolfeidau>
wycats__: Probably bundles the intermediate certs
<wycats__>
it bundles it for the heck of it but you need to move it into place?
<wolfeidau>
wycats__: I think the crypto people are bundling less in their cert chain than the browsers at the moment
<wycats__>
I think I'm missing something critical here :/
<wolfeidau>
wycats__: Browsers always bundle more as it annoys big companies when they don't work
<wolfeidau>
wycats__: And users of course
<wycats__>
wolfeidau: so OpenSSL includes the moz certs
<wolfeidau>
wycats__: That cert chain is the entire chain from a mozilla app
<wolfeidau>
wycats__: not 'mozilla' certs
<swills>
um
<wycats__>
wolfeidau: I know
<wycats__>
I was using shorthand :P
<swills>
are you guys sending your intermediary cert?
<wolfeidau>
wycats__: Sorry mate
<wycats__>
"the cert chain mozilla ships with Firefox"
<wycats__>
is what I meant
<wycats__>
wolfeidau: no problem
yerhot has joined #rubygems
<wycats__>
so is ^ true? they're shipping the cert chain mozilla ships but don't want it to be used by default?
<sikachu>
>might not be the right solution
<vertis>
swills: as I understand it, yes we are
<sikachu>
but somewhat usable ruby > broken ruby
<swills>
then i think the bundle file shouldn't be an issue
<sikachu>
or else we can't test anything on ruby 2 ;_;
<wycats__>
if you want "usable ruby" stick with 1.9 until a good solution is worked out
<wycats__>
:P
<sikachu>
but yeah, i don't know nothing about SSL stuff ...
<wolfeidau>
wycats__: Yeah rvm looks like it is shipping that JUST for their install of openssl
<sikachu>
but i need to test stuff against ruby 2 :P
<wycats__>
wolfeidau: makes sense
<wolfeidau>
wycats__: And pushing it into the certs folder as a 'fix' of sorts
<wycats__>
sikachu: "I don't know about SSL" should be a good reason not to apply hacks to OpenSSL
<sikachu>
anyway, i can't wait to get rid of my hax though
<wycats__>
we've had enough security issues lately
<sikachu>
ha
<wycats__>
;)
<wycats__>
it seems ok for testing
<wycats__>
but I'm sure people are going to be applying some hack and then forgetting about it
<wycats__>
and some of these hacks are probably not kosher
<sikachu>
yeah, i totally agree with that -_-'
<swills>
hmm, i don't see the intermediate
<wolfeidau>
wycats__: You could isolate and bundle JUST the certs in the chain linked above to get gem working
<wolfeidau>
If you go to https://rubygems.org in your browser and extract each of the certs to a .pem file then append them together and bundle that it will work
<swills>
do you have SSLCertificateChainFile in the nginx config?
<wolfeidau>
swills: no
<swills>
there you go
<wolfeidau>
swills: The chain is completed by appending all the certs together
<wolfeidau>
swills: Rubygems is doing this now
<wolfeidau>
swills: The issue is openssl out of the box isn't trusting that now for some reason
<swills>
try the chain file
<wolfeidau>
swills: That is an apache httpd thing
<wycats__>
wolfeidau: we should figure out why openssl isn't trusting the rubygems certs
<swills>
no
<wycats__>
and fix that
<swills>
nginx has the same option
<wolfeidau>
swills: From what i have read that doesn't fix it
<wolfeidau>
swills: Oh, where is that option? i had a search around
yerhot has quit [Ping timeout: 260 seconds]
<swills>
oh, no, you're right, nginx does say to cat the files together, sorry, i misread.
<swills>
weird
<swills>
are you sure they're cat'd in the right order?
<swills>
cause when i test with openssl s_client i don't see the chain
<wolfeidau>
swills: yeah same
<wolfeidau>
swills: Then use an older openssl
<wolfeidau>
same command
<wolfeidau>
wycats__: The issue seems to be with either the intermediate or parent cert; these are issued by geotrust
<swills>
sorry, i'm stupid, i do see the chain.
<swills>
1.0.1e fwiw
<swills>
hmmph, seems valid. where are the issues?
<wolfeidau>
swills: in the newer it is even more confusing
workmad3 has quit [Ping timeout: 252 seconds]
<wolfeidau>
wycats__: It is one of the cheapest certs available, I would probably use a more reliable source for certs used on a canonical service but that is another thing
adkron has joined #rubygems
<wycats__>
scumbag rubygems :P
<wolfeidau>
wycats__: haha you said it :P
<wolfeidau>
It is much easier when you get a certificate from a more reputable provider though
<wolfeidau>
geotrust is pretty much the bottom of the tree
<sikachu>
lolol
<wolfeidau>
ROFL
<sikachu>
maybe we should start a kickstarter project to get rubygems a better cert
* sikachu
runs away
fromonesrc has joined #rubygems
<raggi>
re
<swills>
many "good" ssl sites are doing intermediate certs now to improve their cert management...
<raggi>
i'm gunna head to a cafe, and i'll get a valid intermediate into the rubygems source
<raggi>
and ask drbrain to roll a 2.0.1 after
<sikachu>
:+1:
<swills>
raggi: could you do it for rubygems 1.8 as well? and perhaps release a 1.8.26?
<raggi>
but that won't solve OSX users general problems with brew openssl
<swills>
not everyone can move to rubygems 2.0 given all the breakages, right?
<raggi>
swills: i'm not sure what the branch arrangements are, but in principle, yes
<sikachu>
yeah, nor ruby 2, unless you use http connection to Rubygems (don't)
<wolfeidau>
swills: Intermediate isn't the problem; i am guessing it might be that geotrust top level ca cert isn't bundled in openssl?
<raggi>
so that solution in ruby-build is actually reasonable
<raggi>
other than the fact that it won't get up to date CRLs
<swills>
wolfeidau: that would definitely cause a problem, but i'd think it would be bundled...
<raggi>
if it was cron'd up, i wouldn't have much of an issue with it
<raggi>
having a brew package handle this would also be valid
<raggi>
(one that expands the curl bundle into a valid pem, links into the right place, and runs rehash)
havenwood has quit [Remote host closed the connection]
<raggi>
or one that pulls the mozilla bundles properly, more like debian does
<raggi>
but managing ssl certs is something you want someone to /own/
<raggi>
and i doubt that can be said for brew, generally
<raggi>
did our old cert actually run out?
<wolfeidau>
raggi: I can check it at lunch time but I am putting out fires at the moment :(
<raggi>
omg
<raggi>
lol
<raggi>
curl.haxx.se has no ssl
* raggi
shakes head
<wycats__>
that's hilarious
<wycats__>
raggi: what's the tl;dr?
<raggi>
wycats__: "welcome to the political fearmongering clusterfuck that is ssl CA lists"
<raggi>
wycats__: two valid solutions
<swills>
raggi: +1
<raggi>
wycats__: 1. use curl-ca-bundle from homebrew, despite its appalling trust model - you can do this two ways, 1. use the env var to set CAfile, or 2. expand the installed cert list into .pems in the right place and run rehash
<raggi>
wycats__: 2. use the ruby-build approach to extract the system certs into files, and run rehash
<raggi>
with 2, there's the caveat that you're in danger of those not being updated, so i'd recommend you cron that up or something
<wycats__>
raggi: it seems like doing your own downloading and moving opts you into also handling revocation
<wycats__>
which really 0% of the Ruby community will realize that they're doing
<raggi>
with 1, there's the caveat that you're pulling certs from curl.haxx.se that were pulled without ssl, and then rebundled by *someone* (i have no idea who), and mounted on sf.net
<wycats__>
raggi: and that you are now opting into keeping it up to date
<raggi>
in short, there's no ideal option, openssl will never ship with a cert bundle by default
<wycats__>
which, again, nobody is going to do
<raggi>
agreed
<wycats__>
"it works" is gonna be good enough
<raggi>
but, to follow the usual political fearmongering
<swills>
so adding the bundle to rubygems makes sense
<raggi>
do we really want to become an authoritative source of a ca bundle?
<raggi>
swills: no, hold up
<wycats__>
which means that a future MITM exploit for rubygems is: wait for a cert to get exposed and revoked, then use that cert knowing that the entire Ruby community will have it in their cert chain
<raggi>
(for some value of "we" that includes ruby/rubygems)
<raggi>
wycats__: for rubygems itself, we can package certs we *know* to trust
<wolfeidau>
wycats__: raggi: you don't need the entire bundle, just the relevant certs
<raggi>
wycats__: that is, our CAs cert, as we've already done
<raggi>
wolfeidau: i know
<swills>
raggi: i don't mean the whole bundle
<raggi>
wycats__: but people are still going to have trouble with ruby 2.0+ on OSX with `require "open-uri"; open("https://google.com/")`
<wycats__>
the solution I've considered in the past (for Tokaido) is to use Apple's OpenSSL which uses the keychain
<wycats__>
for OSC
<swills>
just the geotrust root
<wycats__>
OSX*
<raggi>
wycats__: not compatible with ruby 2.0
<wycats__>
raggi: I know
<raggi>
wycats__: the openssl patch doesn't apply
<wycats__>
that's why I said "in the past"
* raggi
nods
<raggi>
c
<wycats__>
someone can try to figure out how to rebuild it against 1.0e?
<swills>
1.0.1e
<wycats__>
surely we're not the only ones in this predicament?
<wycats__>
1.0.1e
<raggi>
i think adding a brew that "sorts this out", by adding a cron to extract from keychain regularly, seems fine
<raggi>
wycats__: ^^^
<wycats__>
raggi: that seems fine, except that I don't trust homebrew to actually do the work
<wycats__>
:/
<wycats__>
ah
<wycats__>
from keychain
<wycats__>
seems good
<wycats__>
+1
<raggi>
yep
<wycats__>
that works
<wycats__>
someone should do that
<raggi>
it's the ruby-build solution, but updated regularly
<raggi>
i'll do it when i get a decent coffee
<wycats__>
yeah... doing it once is a non-starter for me
<raggi>
this homebrew (lol) shit isn't doing it for me
<wycats__>
I'm horrified that people are like "seems gooooood"
<raggi>
wycats__: totally
yerhot has joined #rubygems
<raggi>
i get the feeling installing crons from homebrew is going to be a ... horrible ticket
<wycats__>
raggi: I could tell from the first tweet that I saw that this was going to be "one of those"
<raggi>
yep
<wycats__>
like the encoding issue
<raggi>
wycats__: and we only just got most of the verify_nones out the way
<raggi>
wycats__: although
<wycats__>
force_encoding("UTF-8") done
<wycats__>
and verify_none
<wycats__>
indeed
<raggi>
wycats__: do something else - do a locate(1)/find(1)/whatever for .pems
<raggi>
wycats__: the mozilla bundle is also shipped inside the airbrake gem
<raggi>
wycats__: srsly bro
<wycats__>
raggi: but that has the same issue
<raggi>
shoot me
<wycats__>
not updated
<raggi>
yep
<raggi>
exactly
<raggi>
just because osx had to do it different
<raggi>
for some notion of "keychain is more secure than files"
<wycats__>
I mean, it's fair enough
<wycats__>
keychain is actually a good feature
<raggi>
sure
<raggi>
keychain is a good feature
<raggi>
but it's not largely different from files
<wycats__>
OSX is allowed to have a system security feature
<raggi>
which is the supposition
<wolfeidau>
wycats__: raggi: I think ubuntu 12.10 has the same error btw bundled openssl is very new
<raggi>
integration != replacement
<wycats__>
I'm not crying too hard
<wycats__>
it is what it is
<raggi>
wolfeidau: huh?
<wycats__>
OpenSSL should have been managing the OSX support
<wycats__>
instead of making Apple do it
<wycats__>
Ruby has OSX stuff all over the place
<raggi>
wolfeidau: 12.10 just needs the ca bundle package installed
sferik has joined #rubygems
<wolfeidau>
raggi: I will try that and see if it works
<wycats__>
raggi: I think Apple would also tell you that the extraction approach is easy enough
<swills>
wycats__: that's backwards, openssl can't control what apple does.
<raggi>
wolfeidau: that should install them into /etc/ssl/cert/* and run c_rehash
<raggi>
swills: they could make it easier to plug
<wolfeidau>
raggi: Yeah i have certs in that location
<raggi>
wolfeidau: do you have the id links?
<wolfeidau>
raggi: Just rebooting as i moved network
<raggi>
o0
<swills>
what's easier than installing some crt bundles?
<raggi>
wolfeidau: also, how did you install ruby?
havenwood has joined #rubygems
<wycats__>
swills: keychain is not a new feature
<raggi>
wolfeidau: if you installed with something that builds its own openssl, then your openssl probably has a different prefix and won't pick up system chains
<wolfeidau>
raggi: I am only testing with openssl s_client at the moment
<raggi>
wolfeidau: s_client should pick up certs from /etc/ssl/certs
<raggi>
oooh
<wolfeidau>
raggi: Yes and it complains
<swills>
keychain is great, but not the kind of thing openssl typically has to work with, so without someone sending them patches it isn't going to happen *shrug*
<raggi>
omg lol
<raggi>
don't tell me
<wolfeidau>
raggi: What?
<swills>
perhaps you could say Apple should have added keychain support to openssl
<raggi>
wolfeidau: um, yeah, s_client bug
<wycats__>
swills: they did!
<wycats__>
there was a patch set ages ago
<raggi>
wolfeidau: do this: `openssl s_client -connect rubygems.org:443 -CApath a`
<wycats__>
it just doesn't apply to 1.0
<raggi>
wolfeidau: where 'a' is any char you like
<wycats__>
Apple has abandoned OpenSSL
<wycats__>
I'm saying OpenSSL should have picked up that patch
<swills>
oh, that's right, didn't they have a replacement, i forgot that
<raggi>
wolfeidau: or a path, which would be more valid...