This is, as part of the Cloud Foundry bits-service, a spike on a simple Ruby web server that uses SSL certificates to authenticate clients on the TLS layer.
It is based on an earlier article and adds:
- Certificate generation using scripts borrowed from Cloud Foundry, which internally use certstrap
- Client certificate authentication (mainly by adding the `OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT` flag, as recommended in this article)
- A simple test using curl
Don't run this on OS X due to its old OpenSSL library. It does work on a Linux system, e.g. using the provided Vagrant file:
- Add `cc.service.cf.internal` as an additional alias of localhost to `/etc/hosts`
- Start the server:

  ```
  cd /vagrant/
  ruby ssl-server.rb
  ```

- Run tests using curl:

  ```
  curl https://cc.service.cf.internal:8443/ \
    --cacert certificates/ca.crt \
    --cert certificates/bits-service.crt \
    --key certificates/bits-service.key
  ```

  This one must fail due to `VERIFY_FAIL_IF_NO_PEER_CERT`:

  ```
  curl https://cc.service.cf.internal:8443/ --cacert certificates/ca.crt
  ```
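The following is an added, self-contained example of the same idea, not the spike's own `ssl-server.rb`: it generates the CA, server and client certificates in memory (a stand-in for the certstrap-based scripts), listens on a random loopback port instead of 8443, and then plays both curl calls from above in Ruby, one with a client certificate and one without. It assumes only Ruby's bundled `openssl` and `socket` libraries; the hostname `cc.service.cf.internal` and the subject names are taken from this page, everything else (`make_cert`, `start_server`, `request`, `run_mutual_tls_demo`) is made up for the example.

```ruby
require 'openssl'
require 'socket'

HOSTNAME = 'cc.service.cf.internal'

# Build an X.509 certificate. With no issuer it is self-signed (the CA); otherwise
# it is signed by issuer_key. Everything is generated in memory as a stand-in for
# the certstrap-based scripts the spike uses; nothing is written to disk.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1 + rand(2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Server side: present server_cert and insist on a client certificate that chains
# to ca_cert. Returns [port, listening socket, serving thread].
def start_server(ca_cert, server_cert, server_key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = server_cert
  ctx.key = server_key
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  # VERIFY_PEER makes the server request a client certificate and verify it if
  # one is sent; VERIFY_FAIL_IF_NO_PEER_CERT additionally aborts the handshake
  # when the client sends none. With VERIFY_PEER alone, a client that presents
  # no certificate at all is still let through.
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  tcp = TCPServer.new('127.0.0.1', 0) # port 0: let the OS pick a free port
  ssl_server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = ssl_server.accept # the TLS handshake happens here
      rescue OpenSSL::SSL::SSLError
        next # e.g. "peer did not return a certificate": drop it, keep serving
      rescue IOError, SystemCallError
        break # listening socket was closed by run_mutual_tls_demo
      end
      # Consume request line and headers so the client's data is fully read.
      while (line = conn.gets) && !line.strip.empty?; end
      body = "client #{conn.peer_cert.subject} accepted\n"
      conn.write("HTTP/1.0 200 OK\r\nContent-Length: #{body.bytesize}\r\n\r\n#{body}")
      conn.close
    end
  end
  [tcp.addr[1], tcp, thread]
end

# Client side: verify the server against ca_cert and, when given, present a
# client certificate. Returns the raw HTTP response, or :rejected when the
# server refused the TLS session.
def request(port, ca_cert, client_cert: nil, client_key: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # the curl --cacert part
  if client_cert # the curl --cert/--key part
    ctx.cert = client_cert
    ctx.key = client_key
  end
  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.hostname = HOSTNAME # SNI; we connect to loopback but the cert names HOSTNAME
  ssl.connect
  ssl.post_connection_check(HOSTNAME) # hostname must match the server cert's SAN
  ssl.write("GET / HTTP/1.0\r\nHost: #{HOSTNAME}\r\n\r\n")
  response = ssl.read.to_s
  response.empty? ? :rejected : response
rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
  :rejected # handshake alert, reset or EOF: the server did not accept the session
ensure
  (ssl || tcp)&.close rescue nil
end

# Wire it together: a CA, a server cert for HOSTNAME, a client cert for the
# bits-service, then one request with the client cert and one without.
def run_mutual_tls_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('/CN=bits-service-ca', ca_key, ca: true)
  server_key = OpenSSL::PKey::RSA.new(2048)
  server_cert = make_cert("/CN=#{HOSTNAME}", server_key, issuer_cert: ca_cert,
                          issuer_key: ca_key, san: "DNS:#{HOSTNAME}")
  client_key = OpenSSL::PKey::RSA.new(2048)
  client_cert = make_cert('/CN=bits-service', client_key, issuer_cert: ca_cert, issuer_key: ca_key)
  port, listener, thread = start_server(ca_cert, server_cert, server_key)
  {
    with_cert: request(port, ca_cert, client_cert: client_cert, client_key: client_key),
    without_cert: request(port, ca_cert)
  }
ensure
  listener&.close
  thread&.join(2)
end

if __FILE__ == $PROGRAM_NAME
  run_mutual_tls_demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Running it prints a `200 OK` response naming `/CN=bits-service` for the first request and `:rejected` for the second. Removing `VERIFY_FAIL_IF_NO_PEER_CERT` from `verify_mode` is the quickest way to see why the flag matters: the certificate-less request then also gets a `200`, with `conn.peer_cert` being `nil` on the server side.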
TBD