The Ruby default parameters on top of OpenSSL seem designed for client usage. For server usage, requiring client-side certificate verification is uncommon for HTTPS sites.
So follow what WEBrick does for HTTPS and use SSL_VERIFY_NONE in our documentation. Thanks-to: Shota Fukumori (sora_h) <[email protected]> on the unicorn list: <CA+wiQwuE=ya6f4s4k3gctuppk7mbboyovwvxhtsx2sp8mgd...@mail.gmail.com> --- (dropping unicorn-public from Cc: since this patch is for yahns) Documentation/yahns_config.pod | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Documentation/yahns_config.pod b/Documentation/yahns_config.pod index 1b2595b..d8c6801 100644 --- a/Documentation/yahns_config.pod +++ b/Documentation/yahns_config.pod @@ -446,7 +446,10 @@ An example which seems to work is: ssl_ctx.key = OpenSSL::PKey::RSA.new( IO.read('/etc/ssl/private/example.key') ) - ssl_ctx.set_params # use defaults provided by Ruby on top of OpenSSL + + # use defaults provided by Ruby on top of OpenSSL, + # but disable client certificate verification as it is rare: + ssl_ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE) app(:rack, "/path/to/my/app/config.ru") do listen 443, ssl_ctx: ssl_ctx -- EW -- unsubscribe: [email protected] archive: http://yhbt.net/yahns-public/
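Review bot: the new comment in the `ssl_ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE)` hunk explains the change only as "it is rare" and never says what the bare `ssl_ctx.set_params` it replaces actually did; since this is the one place a yahns operator reads about `verify_mode`, the documentation should state it. With Ruby's defaults `verify_mode` is `VERIFY_PEER`, so a server context built from the old example asked every client for a certificate during the handshake (browsers may prompt the user to pick one) and, when a client did present one, verified it against the context's certificate store, while still accepting clients that sent none. Suggest one sentence to that effect in place of "as it is rare", plus a pointer for the operators who do want client certificates: pass `verify_mode: OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT` together with `ca_file:` (or `cert_store:`) naming the client CA, because `VERIFY_PEER` alone does not refuse a client without a certificate.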

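The three `verify_mode` settings a yahns operator could hand to `set_params` behave differently towards a client that carries no certificate, which is the point the patched documentation glosses over. The script below, an added example and not code from yahns or from the patch author, runs one TLS handshake per mode over a local socketpair and reports what the server side decided. It goes beyond the patch by covering the default, the patched `VERIFY_NONE`, and a real mutual-TLS setting side by side. Everything in it is an assumption for the demo: the self-signed certificate is generated at run time, the `localhost` name is only used for the SAN and hostname check, and `make_self_signed`, `server_context`, `client_context`, `handshake` and `demo_results` are hypothetical helper names.

```ruby
require 'openssl'
require 'socket'

# Throwaway self-signed certificate so the demo runs offline.
# Constructed at runtime for this example; not a real deployment key.
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Server-side context in the shape the yahns example uses: Ruby's
# set_params defaults, with verify_mode chosen explicitly.
def server_context(key, cert, verify_mode)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.set_params(verify_mode: verify_mode)
  ctx
end

# Browser-like HTTPS client: verifies the server against a store that
# trusts only our self-signed cert, and carries no client certificate.
def client_context(server_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(server_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER, cert_store: store)
  ctx
end

# Run one handshake over a socketpair; return the server's verdict.
def handshake(server_ctx, client_ctx, hostname)
  s_io, c_io = Socket.pair(:UNIX, :STREAM, 0)
  verdict = nil
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(s_io, server_ctx)
    begin
      ssl.accept
      verdict = :accepted
    rescue OpenSSL::SSL::SSLError
      verdict = :rejected # e.g. "peer did not return a certificate"
    ensure
      ssl.close rescue nil
      s_io.close rescue nil
    end
  end
  ssl = OpenSSL::SSL::SSLSocket.new(c_io, client_ctx)
  ssl.hostname = hostname
  begin
    ssl.connect
    ssl.close
  rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
    # Under TLS 1.3 the client may only see a server-side rejection on
    # close, so the server thread's verdict is what we report.
  ensure
    c_io.close rescue nil
  end
  server.join
  verdict
end

def demo_results(hostname = 'localhost')
  key, cert = make_self_signed(hostname)
  cctx = client_context(cert)
  modes = {
    # Ruby's set_params default: the server asks every client for a cert
    # (browsers may prompt) but still accepts one that sends none.
    default: OpenSSL::SSL::VERIFY_PEER,
    # What the patched yahns documentation does: never ask for a cert.
    none:    OpenSSL::SSL::VERIFY_NONE,
    # Real mutual TLS: a client without a certificate is refused.
    mutual:  OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT,
  }
  modes.transform_values { |m| handshake(server_context(key, cert, m), cctx, hostname) }
end

demo_results.each { |name, verdict| puts "#{name}: #{verdict}" } if __FILE__ == $0
```

The `default` and `none` rows both come back `:accepted`; the difference a wire capture would show is the CertificateRequest the server sends in the `default` case, which is what makes clients prompt for a certificate. Only the `mutual` row refuses a certificate-less client, so an operator who wants client certificates needs `VERIFY_FAIL_IF_NO_PEER_CERT` (and a `ca_file:` or `cert_store:` naming the client CA), not `VERIFY_PEER` alone.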