[ci skip] The real issue with GnuTLS is actually a flaw in OpenSSL

which accepts several server misconfigurations OpenSSL is very liberal about the order and content of the supplied cert chain. GnuTLS however is very crucial about it. So to support GnuTLS we need to tell our community to fix their servers (joindiaspora.com is broken too). You can check it with gnutls-cli -V --x506cafile=/etc/ssl/ca-certificates.crt $domain It will print the certs in the order received and say at the end if it could be verifed. Note that not only the order is important but also the content. Many example configurations, especially for Nginx, include the root cert of the CA in the chain which is wrong. Note from a GnuTLS maintainer: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23573736#29 Revert "Fix federation with GnuTLS by passing the ca_file to Typhoeus" This reverts commit 640a0181ab.
2012-01-29 00:08:28 +01:00 · 2012-01-29 00:08:28 +01:00 · 2d98c57cf1
commit 2d98c57cf1
parent 3ec09930fe
2 changed files with 1 additions and 23 deletions
--- a/lib/hydra_wrapper.rb
+++ b/lib/hydra_wrapper.rb
@ -8,7 +8,6 @@ require 'active_support/base64'
 class HydraWrapper

  OPTS = {:max_redirects => 3, :timeout => 25000, :method => :post,
-          :ssl_capath => EnviromentConfiguration.ca_cert_file_location,
          :headers => {'Expect'            => '',
                       'Transfer-Encoding' => ''}
         }
--- a/spec/lib/hydra_wrapper_spec.rb
+++ b/spec/lib/hydra_wrapper_spec.rb
@ -2,7 +2,7 @@
 #   licensed under the Affero General Public License version 3 or later.  See
 #   the COPYRIGHT file.

-require 'spec_helper'
+require 'hydra_wrapper'

 describe HydraWrapper do
  before do
@ -74,27 +74,6 @@ describe HydraWrapper do

  end

-  describe "#insert_job" do
-    before do
-      @wrapper.hydra.stub!(:queue)
-      @wrapper.stub!(:prepare_request!)
-    end
-    
-    it 'passes the correct options' do
-      xml = "<XML>"
-      url = "blub"
-      Typhoeus::Request.should_receive(:new).with(url, {
-        :max_redirects => 3, :timeout => 25000, :method => :post,
-        #:ssl_capath => EnvironmentConfiguration.
-         :headers => {'Expect'            => '',
-                      'Transfer-Encoding' => ''},
-         :ssl_capath => EnviromentConfiguration.ca_cert_file_location,
-         :params => {:xml => CGI.escape(xml)}
-         })
-      @wrapper.insert_job(url, xml, stub)
-    end
-  end
-
  describe '#redirecting_to_https?!' do
    it 'does not execute unless response has a 3xx code' do
      resp = stub(:code => 200)