From 2d98c57cf1a342610918718f9034d52151a3e434 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonne=20Ha=C3=9F?= Date: Sun, 29 Jan 2012 00:08:28 +0100 Subject: [PATCH] [ci skip] The real issue with GnuTLS is actually a flaw in OpenSSL which accepts several server misconfigurations OpenSSL is very liberal about the order and content of the supplied cert chain. GnuTLS however is very crucial about it. So to support GnuTLS we need to tell our community to fix their servers (joindiaspora.com is broken too). You can check it with gnutls-cli -V --x509cafile=/etc/ssl/ca-certificates.crt $domain It will print the certs in the order received and say at the end if it could be verified. Note that not only the order is important but also the content. Many example configurations, especially for Nginx, include the root cert of the CA in the chain which is wrong. Note from a GnuTLS maintainer: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23573736#29 Revert "Fix federation with GnuTLS by passing the ca_file to Typhoeus" This reverts commit 640a0181abfce1cafdefa85b2347db03813487e0. --- lib/hydra_wrapper.rb | 1 - spec/lib/hydra_wrapper_spec.rb | 23 +---------------------- 2 files changed, 1 insertion(+), 23 deletions(-) diff --git a/lib/hydra_wrapper.rb b/lib/hydra_wrapper.rb index bd04f53fb..6edf54c93 100644 --- a/lib/hydra_wrapper.rb +++ b/lib/hydra_wrapper.rb @@ -8,7 +8,6 @@ require 'active_support/base64' class HydraWrapper OPTS = {:max_redirects => 3, :timeout => 25000, :method => :post, - :ssl_capath => EnviromentConfiguration.ca_cert_file_location, :headers => {'Expect' => '', 'Transfer-Encoding' => ''} } diff --git a/spec/lib/hydra_wrapper_spec.rb b/spec/lib/hydra_wrapper_spec.rb index 08b9fe4d8..1218642e3 100644 --- a/spec/lib/hydra_wrapper_spec.rb +++ b/spec/lib/hydra_wrapper_spec.rb @@ -2,7 +2,7 @@ # licensed under the Affero General Public License version 3 or later. See # the COPYRIGHT file. -require 'spec_helper' +require 'hydra_wrapper' describe HydraWrapper do before do 
@@ -74,27 +74,6 @@ describe HydraWrapper do end - describe "#insert_job" do - before do - @wrapper.hydra.stub!(:queue) - @wrapper.stub!(:prepare_request!) - end - - it 'passes the correct options' do - xml = "" - url = "blub" - Typhoeus::Request.should_receive(:new).with(url, { - :max_redirects => 3, :timeout => 25000, :method => :post, - #:ssl_capath => EnvironmentConfiguration. - :headers => {'Expect' => '', - 'Transfer-Encoding' => ''}, - :ssl_capath => EnviromentConfiguration.ca_cert_file_location, - :params => {:xml => CGI.escape(xml)} - }) - @wrapper.insert_job(url, xml, stub) - end - end - describe '#redirecting_to_https?!' do it 'does not execute unless response has a 3xx code' do resp = stub(:code => 200)
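Review bot: in the lib/hydra_wrapper.rb hunk, dropping `:ssl_capath => EnviromentConfiguration.ca_cert_file_location` from `OPTS` leaves Typhoeus/libcurl on the host's default CA store, so outgoing federation now silently depends on that bundle being installed and current; the commit message only covers the server-side chain fix, so the pod setup docs should state this requirement. It is also worth recording why the reverted option never helped: libcurl's `capath` setting names a directory of hashed CA certs, while `ca_cert_file_location` names a single bundle file, so if the original fix meant to pin a file it needed the cacert (CAINFO) option rather than `ssl_capath`.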
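Review bot: in the first spec hunk, swapping `require 'spec_helper'` for `require 'hydra_wrapper'` means this file no longer loads the shared test setup, yet the remaining examples still rely on helpers such as `stub(:code => 200)` that `spec_helper` wires up; either keep the `spec_helper` require next to the direct one or confirm the spec passes in isolation. The commit message does not mention this change, so it should say whether it is part of the revert or a separate cleanup.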
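Review bot: the second spec hunk deletes the entire `#insert_job` / 'passes the correct options' example instead of only the `:ssl_capath` expectation, so `insert_job` no longer has any test that it hands Typhoeus `:max_redirects => 3`, `:timeout => 25000`, `:method => :post`, the blank `Expect` / `Transfer-Encoding` headers and the CGI-escaped `:params`; keep the example and remove just the `:ssl_capath` line (and the stale commented `#:ssl_capath => EnvironmentConfiguration.` line beside it). Since the subject carries `[ci skip]` while both `lib/` and `spec/` change, the suite should run before this lands.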
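The chain rules the commit message describes (server cert first, each cert followed by the cert that signed it, no self-signed root in what the server sends) as an added Ruby example; this is not code from the patch or from diaspora, and the three certificates are a constructed throwaway PKI generated in-process so the check runs offline.

```ruby
require 'openssl'

# Issue a certificate for a constructed, throwaway PKI (not a real CA).
# issuer_cert / issuer_key are nil for the self-signed root.
def make_cert(subject, key, issuer_cert, issuer_key, ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = make_cert('/CN=Constructed Root CA', ROOT_KEY, nil, nil, true)
INT_KEY = OpenSSL::PKey::RSA.new(2048)
INTERMEDIATE = make_cert('/CN=Constructed Intermediate CA', INT_KEY, ROOT, ROOT_KEY, true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF = make_cert('/CN=pod.example', LEAF_KEY, INTERMEDIATE, INT_KEY, false)

# Report what GnuTLS rejects in a server-sent chain (OpenSSL tolerates all
# three): the server cert must come first, every cert must be followed by
# the cert that signed it, and the self-signed root must not be sent.
def chain_problems(chain, server_cert)
  problems = []
  problems << 'server cert is not first in the chain' unless chain.first.to_der == server_cert.to_der
  chain.each_cons(2) do |cert, issuer|
    unless cert.issuer == issuer.subject && cert.verify(issuer.public_key)
      problems << "#{cert.subject} is not followed by its issuer"
    end
  end
  chain.each do |cert|
    if cert.issuer == cert.subject && cert.verify(cert.public_key)
      problems << "self-signed root #{cert.subject} should not be sent"
    end
  end
  problems
end
```

`chain_problems([LEAF, INTERMEDIATE], LEAF)` is empty, while the reversed pair and a chain ending in `ROOT` each produce a finding; feeding it the certificates printed by `gnutls-cli` reproduces the same verdict.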