Comments (27)

uhnomoli commented on August 18, 2024

You appear to be using an out of date version of the gem. Version 2.0.1 was just pushed fixing this very problem. (see #23)

from gist.

homer6 commented on August 18, 2024

The problem still exists for me with 2.0.1 installed.

$ echo "hello" | gist
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Usage: gist [options] [filename or stdin] [filename] ...
Filename '-' forces gist to read from stdin.
    -p, --[no-]private               Make the gist private
    -t, --type [EXTENSION]           Set syntax highlighting of the Gist by file extension
    -o, --[no-]open                  Open gist in browser
    -m, --man                        Print manual
    -v, --version                    Print version
    -h, --help                       Display this screen

$ gist -v
2.0.1

xrogaan commented on August 18, 2024

Yep, same here. I still have the issue with 2.0.1.

scouredimage commented on August 18, 2024

+1
$ gist -v
2.0.1

jamtur01 commented on August 18, 2024

Ditto - same issue:

echo ralsh file /etc/hosts | gist -t pp
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Usage: gist [options] [filename or stdin] [filename] ...
Filename '-' forces gist to read from stdin.
    -p, --[no-]private               Make the gist private
    -t, --type [EXTENSION]           Set syntax highlighting of the Gist by file extension
    -o, --[no-]open                  Open gist in browser
    -m, --man                        Print manual
    -v, --version                    Print version
    -h, --help                       Display this screen
$ gist -v
2.0.1

wuputah commented on August 18, 2024

Same issue under Ubuntu 10.10 with RVM-installed REE 2011.03. Issue does not occur under 1.9.2-p180, or under OS X. I'm guessing this is a Linux-specific issue with the Ruby OpenSSL library in 1.8.

iamben commented on August 18, 2024

Same issue here under FreeBSD 8.2-R amd64.

pencilcheck commented on August 18, 2024

same here with MacOS X 10.6.7

indirect commented on August 18, 2024

I can confirm that gist works for me on OS X 10.6.7. Can anyone else give me some reproduction steps so I can try to fix this? Thanks.

pencilcheck commented on August 18, 2024

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

same thing with 2.0.2

all I did was to try to upload a file to gist and this happens.

btw, I use the gem from macports to install

cmeiklejohn commented on August 18, 2024

Works on Debian wheezy/sid with ruby 1.9.2 but not 1.8.7. Presume it's a libopenssl-ruby issue.

indirect commented on August 18, 2024

Just in case the comments here have not yet made it apparent, failing to verify github's SSL certificate is not a problem with Ruby, or a problem with the Gist gem (which does the "correct" SSL thing by requiring a valid certificate). If validation fails, your Ruby installation's OpenSSL library is having trouble finding the correct CA certificates to validate Github's cert.

Sometimes this simply means your CA cert bundle is too old, and is missing some certificates. If that's the case, you should update it, possibly to a well-known recent version like curl's cacert.pem extraction of Mozilla's CA bundle.

Other times, this means your Ruby OpenSSL library is completely failing to find the CA certs that are already present on your machine. This seems to be common with Ruby 1.9 installed via RVM onto OS X. The system Ruby has no problem verifying the certificates, but the RVM Ruby 1.9 is unable to verify successfully, presumably because it cannot find any CA certificates at all.

Gist has already been updated to include an up-to-date cacert.pem file, and it instructs Net::HTTP to use that CA cert file to verify github's SSL certificate. If it is still failing for you, you may be hitting a bug I am not yet aware of, or your OpenSSL library may be broken in a way that prevents it from being able to verify SSL certificates even when the correct CA certs are present. Either way, I haven't been able to reproduce that case yet. :|

from gist.
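
The failure mode described in this comment, as an added example that is not the gist gem's code: a certificate verifies only when the trust store holds its issuing CA, so an empty bundle or one holding only some other CA fails verification. All certificates are generated in-process as constructed test data, and the helper names are hypothetical.

```ruby
require 'openssl'

# Build a throwaway certificate. Everything here is constructed test data.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  constraint = ca ? 'CA:TRUE' : 'CA:FALSE'
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify `leaf` against a trust store holding exactly the `trusted` certificates.
# Returns [verified?, OpenSSL's error string].
def verify_with(leaf, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  [store.verify(leaf), store.error_string]
end

# Three trust stores, one server certificate issued by "Root A".
def demo
  root_a_key = OpenSSL::PKey::RSA.new(2048)
  root_b_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root_a = make_cert('Constructed Root A', root_a_key, ca: true)
  root_b = make_cert('Constructed Root B', root_b_key, ca: true)
  leaf = make_cert('server.example', leaf_key, issuer: root_a, issuer_key: root_a_key)
  {
    empty_store: verify_with(leaf, []),              # no CA certs found at all
    wrong_ca_only: verify_with(leaf, [root_b]),      # bundle lacks the issuer
    issuing_ca_present: verify_with(leaf, [root_a, root_b])
  }
end

demo.each { |name, (ok, err)| puts "#{name}: #{ok} (#{err})" } if __FILE__ == $PROGRAM_NAME
```
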

pencilcheck commented on August 18, 2024

I guess Macport's OpenSSL was corrupted because ever since I removed macports directories and started using homebrew which doesn't install all duplicate packages, gist works fine. Thanks for the help anyway. :)

indirect commented on August 18, 2024

If anyone can provide me with reproduction steps, please do. In the meantime, I'm going to close this issue since there doesn't seem to be anything indicating that the problem is with the gist gem.

jamtur01 commented on August 18, 2024

I agree it's not gist's problem but I would suggest gist tries to monkey patch around it - given it's an issue with Ruby 1.8.7 which is installed heavily on Red Hat/Fedora/CentOS/Ubuntu hosts - and people are much more likely to be able to upgrade gist than Ruby.

Steps for reproduction on Ubuntu 10.10:

$ gem install gist
Successfully installed gist-2.0.2

$ echo ralsh file /etc/hosts | gist -t pp
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Usage: gist [options] [filename or stdin] [filename] ...
Filename '-' forces gist to read from stdin.
-p, --[no-]private               Make the gist private
-t, --type [EXTENSION]           Set syntax highlighting of the Gist by file extension
-o, --[no-]open                  Open gist in browser
-m, --man                        Print manual
-v, --version                    Print version
-h, --help                       Display this screen

$ ruby --version
ruby 1.8.7 (2010-06-23 patchlevel 299) [i686-linux]

Also on Fedora 14:

$ echo ralsh file /etc/hosts | gist -t pp
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Usage: gist [options] [filename or stdin] [filename] ...
Filename '-' forces gist to read from stdin.
-p, --[no-]private               Make the gist private
-t, --type [EXTENSION]           Set syntax highlighting of the Gist by file extension
-o, --[no-]open                  Open gist in browser
-m, --man                        Print manual
-v, --version                    Print version
-h, --help                       Display this screen

$ ruby --version
ruby 1.8.7 (2011-02-18 patchlevel 334) [i386-linux]

I can obviously monkey-patch it to set OpenSSL::SSL::VERIFY_NONE for this Ruby version but I am sure there is a more elegant solution?

marten commented on August 18, 2024

At the very least, perhaps the Gist gem could give some explanation on what's going wrong?

shtirlic commented on August 18, 2024

I found a nice patch (without warnings about const).

module OpenSSL
  module SSL
    remove_const :VERIFY_PEER
  end
end
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

derwiki commented on August 18, 2024

shtirlic: what file does this code snippet go into?

derwiki commented on August 18, 2024

shtirlic: got it actually, but is there a reason to not submit this patch as a pull request?

indirect commented on August 18, 2024

I found the problem. Defunkt's patch to add the CA certificates to the standalone gist file removed all the certificates except one, which is what made this problem crop up again. I fixed it (and tested it on a RHEL machine that has the verification error) in 170c424. It'll go out as part of the 2.0.3 release.

indirect commented on August 18, 2024

@shtirlic and @derwiki: please, please, please NEVER use that patch. ever. If you do use it, you have just destroyed SSL certificate verification for every connection made by that ruby process. It completely defeats the security that SSL provides. In this case, it means that you could be sending your github credentials to anyone. In other cases, it could mean that you are sending confidential user information to anyone. Hopefully I don't need to elaborate on how dangerous that is. :)

derwiki commented on August 18, 2024

@indirect 'every connection made by that ruby process' seems pretty isolated to just this script. I understand the security concerns but am more interested in getting something that works -- I will use this patch in the meantime, but anxiously await 2.0.3.

indirect commented on August 18, 2024

@derwiki, yes, in this case, you are only exposing your github account to attackers. If you use this patch in a Rails application, however, you have broken SSL for any other code that tries to open an HTTP connection, which can potentially be really terrible. The real fix is to update your CA certificates, as I've explained a few times above. If you can't or won't update your CA certificates for some reason, the next version of gist will include some that it uses.

from gist.
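
An added example (not from the gist gem or from any commenter) showing why the constant swap discussed above reaches every caller in the process, next to a per-connection CA configuration and a guard that detects the swap. The helper names, host name and CA path are hypothetical, and no network connection is made.

```ruby
require 'net/http'
require 'openssl'

# Hypothetical helper: trust is configured on one connection only.
# `ca_file` is the path to a PEM bundle (the path used below is a placeholder).
def scoped_https(host, ca_file)
  http = Net::HTTP.new(host, 443) # no network traffic until a request is made
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file
  http
end

# Check worth running at boot or in CI: has something redefined the constant?
def verify_peer_intact?
  OpenSSL::SSL::VERIFY_PEER != OpenSSL::SSL::VERIFY_NONE
end

# Applies the constant swap from the thread for the duration of the block,
# then restores the real value so the rest of the process is unaffected.
def with_constant_swapped
  original = OpenSSL::SSL::VERIFY_PEER
  OpenSSL::SSL.send(:remove_const, :VERIFY_PEER)
  OpenSSL::SSL.const_set(:VERIFY_PEER, OpenSSL::SSL::VERIFY_NONE)
  yield
ensure
  OpenSSL::SSL.send(:remove_const, :VERIFY_PEER)
  OpenSSL::SSL.const_set(:VERIFY_PEER, original)
end

# Unrelated code that asks for VERIFY_PEER while the swap is active
# silently gets VERIFY_NONE, and the guard above reports it.
def observed_under_swap
  with_constant_swapped do
    conn = scoped_https('payments.example', '/path/to/cacert.pem')
    { verify_mode: conn.verify_mode, intact: verify_peer_intact? }
  end
end

puts observed_under_swap.inspect if __FILE__ == $PROGRAM_NAME
```
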

indirect commented on August 18, 2024

I think this is now completely solved, and I have furthermore stripped out 213k of unneeded CA certificates. Could someone who was seeing this error please try the newest standalone gist script? You can get it at https://github.com/defunkt/gist/raw/master/gist Thanks.

marten commented on August 18, 2024

That script works fine for me. Thanks!

shtirlic commented on August 18, 2024

@indirect, sure, it's a dangerous solution, but it's only to "get it to work". The dot at the end of the link is preventing it from working ^-^.

indirect commented on August 18, 2024

Thanks for the feedback. I've fixed the link and released and tagged gist 2.0.3, which should now work everywhere. (And the standalone script is now <20k, so this is a big improvement!)
