Clobber Windows Ruby HTTPS connectivity issues with the new Net::HTTP SSL Fix gem

April 12, 2016 · Chris Peters

My new little Ruby gem fixes HTTPS connectivity via the Net::HTTP library.

From the Net::HTTP SSL Fix Ruby gem’s README:

No more / (╯°□°)╯︵ ┻━┻!

But you probably want a more detailed description of the gem’s purpose, so here it is:

A Community-updated Net::HTTP certificate authority file hack. Very useful for authoring Ruby-based HTTP clients that must run on Windows.

Ruby development on Windows is not so peachy

I was writing a Ruby-based CLI that needed to install and run properly on Windows, so I started the process of actually building it on a Windows 7 VM.

I’ve been calling this process “developing for the lowest common denominator” because Ruby isn’t traditionally a very Windows-friendly scripting environment.

All was well in this new Windowsy adventure until I tried to start making calls to Amazon S3’s API over the HTTPS protocol. That yields this awesome error:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

As it turns out, the installers for Ruby on Windows are missing a CA file, thus breaking Net::HTTP calls over HTTPS.

Google searches return a couple common (and awful) solutions to this problem:

The 2nd solution listed above is better than the first and a good one in many scenarios, but I don’t want for users of the CLI to need to go through that extra step. Also, I don’t have the time right now to build an installer that does it for them. I just want for the gem to work after running gem install my_cli, no matter what OS you’re on.

The solution: a new Ruby gem called net_http_ssl_fix

After looking at some other Ruby-based CLIs built to run on Windows, like Heroku’s CLI, I noticed a trend where the Ruby gems needed to include a certificate authority file if they needed to make any HTTP calls over HTTPS.

I initially started including a CA file with the liveeditor_cli gem, along with a clever monkey patch for Net::HTTP. The hack also forces SSL calls via Net::HTTP to verify the peer. Those seeking security shall find it.
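The approach described above, sketched as an added example (this is not the gem's actual source): a module prepended to Net::HTTP points every TLS-enabled connection at a bundled CA file and forces peer verification. The names `BUNDLED_CA_FILE`, `BundledCaFile`, `write_constructed_bundle` and `trusted_by_bundle?` are hypothetical, and a throwaway self-signed certificate stands in for the real CA bundle so the code runs offline.

```ruby
require "net/http"
require "openssl"
require "tmpdir"

# Assumption: the gem ships its CA bundle at a fixed path next to its code.
# A temp dir stands in for the gem directory in this example.
BUNDLED_CA_FILE = File.join(Dir.mktmpdir("example_gem"), "cacert.pem")

# Constructed sample data: a throwaway self-signed CA written where the real
# bundle would live. Returns the certificate that was written.
def write_constructed_bundle(path)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=Constructed Example CA")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  File.write(path, cert.to_pem)
  cert
end
CONSTRUCTED_CA = write_constructed_bundle(BUNDLED_CA_FILE)

# The patch: whenever TLS is switched on, use the bundled CA file and require
# peer verification. Fails closed if the bundle is missing.
module BundledCaFile
  def use_ssl=(flag)
    if flag
      raise IOError, "CA bundle missing: #{BUNDLED_CA_FILE}" unless File.file?(BUNDLED_CA_FILE)
      self.ca_file     = BUNDLED_CA_FILE
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
    end
    super
  end
end
Net::HTTP.prepend(BundledCaFile)

# True when the bundled file alone is enough to trust +cert+, which is the
# decision Net::HTTP delegates to OpenSSL once ca_file is set.
def trusted_by_bundle?(cert)
  store = OpenSSL::X509::Store.new
  store.add_file(BUNDLED_CA_FILE)
  store.verify(cert)
end
```

Because the patch runs inside `use_ssl=`, it also applies to `Net::HTTP.start(host, port, use_ssl: true)`, and a `verify_mode` set before TLS is enabled is overwritten with `VERIFY_PEER`.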

I felt that this hack was so useful that it would serve well as a separate gem, hence a new net_http_ssl_fix Ruby gem. Use it if you want for SSL to just work in your Ruby-based HTTP clients, and especially use it if your client must run reliably on Windows.

The main trade-off (and isn’t there always a trade-off?) is that after you install this gem, you are relying on it to provide an up-to-date certificate authority file. Because of this, I will be monitoring the cURL certificate authority file and will update the gem each time the CA file is updated. Because the gem is open source, the community can continue to maintain it if at some point I am no longer able.

Go ahead and check out the net_http_ssl_fix repo on GitHub for source code, installation instructions, and more. I hope that it helps you out in your projects.
