right_http_connection 1.3.0 → 1.4.0

data/History.txt

@@ -57,6 +57,30 @@ Initial public release
   * fixed a bug: <NoMethodError: You have a nil object when you didn't expect it!
                   The error occurred while evaluating nil.body_stream>
 
-== 1.2.5 (not released yet)
+== 1.2.5
 
 - ActiveSupport dependency removal 
+
+
+== 1.3.0
+ - Added:
+   - support for using through proxies
+   - functional tests
+
+== 1.3.1
+ - Added:
+   - SSL certificate handshake support
+   - more specs
+   - ability to give client side key and certificate inline
+ - Fixed: some minor glitches
+
+== 1.4.0
+  - Added
+    - license
+    - HTTP_PROXY env variable support
+  - Fixed
+    - context-length issue (thx kristianm)
+    - exception handling
+    - connection is now closed on any exception
+    - connection is reestablished when credentials change
+    - some other minor bugs

data/lib/{net_fix.rb → base/net_fix.rb}

@@ -91,18 +91,30 @@ module Net
     private
 
     def send_request_with_body(sock, ver, path, body, send_only=nil)
-      self.content_length = body.length
+      self.content_length = body.respond_to?(:bytesize) ? body.bytesize : body.length
       delete 'Transfer-Encoding'
       supply_default_content_type
       write_header(sock, ver, path) unless send_only == :body
-      sock.write(body)              unless send_only == :header
+      sock.write(body && body.to_s) unless send_only == :header
     end
 
     def send_request_with_body_stream(sock, ver, path, f, send_only=nil)
+      # KD: Fix 'content-length': it must not be greater than a piece of file left to be read.
+      # Otherwise the connection may behave like crazy causing 4xx or 5xx responses
+      #
+      # Only do this helpful thing if the stream responds to :pos (it may be something
+      # that responds to :read and :size but not :pos).
+      if f.respond_to?(:pos)
+        file_size           = f.respond_to?(:lstat) ? f.lstat.size : f.size
+        bytes_to_read       = [ file_size - f.pos, self.content_length.to_i ].sort.first
+        self.content_length = bytes_to_read
+      end
+
       unless content_length() or chunked?
         raise ArgumentError,
             "Content-Length not given and Transfer-Encoding is not `chunked'"
       end
+      bytes_to_read ||= content_length()
       supply_default_content_type
       write_header(sock, ver, path) unless send_only == :body
       unless send_only == :header
@@ -112,8 +124,14 @@ module Net
           end
           sock.write "0\r\n\r\n"
         else
-          while s = f.read(@@local_read_size)
+          # KD: When we read/write over file EOF it sometimes make the connection unstable
+          read_size = [ @@local_read_size, bytes_to_read ].sort.first
+          while s = f.read(read_size)
             sock.write s
+            # Make sure we do not read over EOF or more than expected content-length
+            bytes_to_read -= read_size
+            break if bytes_to_read <= 0
+            read_size = bytes_to_read if bytes_to_read < read_size
           end
         end
       end

data/lib/{version.rb → base/version.rb}

@@ -24,7 +24,7 @@
 module RightHttpConnection #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 1  unless defined?(MAJOR)
-    MINOR = 3  unless defined?(MINOR)
+    MINOR = 4  unless defined?(MINOR)
     TINY  = 0  unless defined?(TINY)
 
     STRING = [MAJOR, MINOR, TINY].join('.') unless defined?(STRING)

data/lib/right_http_connection.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2007-2008 RightScale Inc
+# Copyright (c) 2007-2011 RightScale Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -27,9 +27,9 @@ require "time"
 require "logger"
 
 $:.unshift(File.dirname(__FILE__))
-require 'version'
-require 'support'
-require "net_fix"
+require 'base/version'
+require 'base/support'
+require 'base/net_fix'
 
 module Rightscale
 
@@ -137,26 +137,47 @@ them.
      #  :raise_on_timeout                    # do not perform a retry if timeout is received (false by default)
     def initialize(params={})
       @params = params
+
+      #set up logging first
+      @logger = get_param(:logger) ||
+                (RAILS_DEFAULT_LOGGER if defined?(RAILS_DEFAULT_LOGGER)) ||
+                Logger.new(STDOUT)
+
+      env_proxy_host, env_proxy_port, env_proxy_username, env_proxy_password = get_proxy_info_for_env if ENV['HTTP_PROXY']
+
       @params[:http_connection_retry_count]  ||= @@params[:http_connection_retry_count]
       @params[:http_connection_open_timeout] ||= @@params[:http_connection_open_timeout]
       @params[:http_connection_read_timeout] ||= @@params[:http_connection_read_timeout]
       @params[:http_connection_retry_delay]  ||= @@params[:http_connection_retry_delay]
-      @params[:proxy_host] ||= @@params[:proxy_host]
-      @params[:proxy_port] ||= @@params[:proxy_port]
-      @params[:proxy_username] ||= @@params[:proxy_username]
-      @params[:proxy_password] ||= @@params[:proxy_password]
+      @params[:proxy_host] ||= @@params[:proxy_host] || env_proxy_host
+      @params[:proxy_port] ||= @@params[:proxy_port] || env_proxy_port
+      @params[:proxy_username] ||= @@params[:proxy_username] || env_proxy_username
+      @params[:proxy_password] ||= @@params[:proxy_password] || env_proxy_password
+
       @http   = nil
       @server = nil
-      @logger = get_param(:logger) ||
-                (RAILS_DEFAULT_LOGGER if defined?(RAILS_DEFAULT_LOGGER)) ||
-                Logger.new(STDOUT)
       #--------------
       # Retry state - Keep track of errors on a per-server basis
       #--------------
       @state = {}  # retry state indexed by server: consecutive error count, error time, and error
+                                                                                                                                                                                                          
       @eof   = {}
     end
 
+    def get_proxy_info_for_env
+      parsed_uri = URI.parse(ENV['HTTP_PROXY'])
+      if parsed_uri.scheme.to_s.downcase == 'http'
+        return parsed_uri.host, parsed_uri.port, parsed_uri.user, parsed_uri.password
+      else
+        @logger.warn "Invalid protocol in ENV['HTTP_PROXY'] URI = #{ENV['HTTP_PROXY'].inspect} expecting 'http' got #{parsed_uri.scheme.inspect}"
+        return
+      end
+    rescue Exception => e
+      @logger.warn "Error parsing ENV['HTTP_PROXY'] with exception: #{e.message}"
+      return
+    end
+    private :get_proxy_info_for_env
+
     def get_param(name, custom_options={})
       custom_options [name] || @params[name] || @@params[name]
     end
@@ -207,7 +228,9 @@ them.
     end
 
     # add an error for a server
-    def error_add(message)
+    def error_add(error)
+      message = error
+      message = "#{error.class.name}: #{error.message}" if error.is_a?(Exception)
       @state[@server] = { :count => error_count+1, :time => Time.now, :message => message }
     end
 
@@ -218,7 +241,7 @@ them.
 
     # Error message stuff...
     def banana_message
-      return "#{@server} temporarily unavailable: (#{error_message})"
+      return "#{@protocol}://#{@server}:#{@port} temporarily unavailable: (#{error_message})"
     end
 
     def err_header
@@ -280,6 +303,8 @@ them.
       end
     end
 
+    SECURITY_PARAMS = [:cert, :key, :cert_file, :key_file, :ca_file]
+
     # Start a fresh connection. The object closes any existing connection and
     # opens a new one.
     def start(request_params)
@@ -293,10 +318,15 @@ them.
       @proxy_port     = request_params[:proxy_port]
       @proxy_username = request_params[:proxy_username]
       @proxy_password = request_params[:proxy_password]
+      
+      SECURITY_PARAMS.each do |param_name|
+        @params[param_name] = request_params[param_name]
+      end
 
       @logger.info("Opening new #{@protocol.upcase} connection to #@server:#@port")
+
       @logger.info("Connecting to proxy #{@proxy_host}:#{@proxy_port} with username" +
-                   " #{@proxy_username}") unless @proxy_host.nil?
+                   " #{@proxy_username.inspect}") unless @proxy_host.nil?
 
       @http = Net::HTTP.new(@server, @port, @proxy_host, @proxy_port, @proxy_username,
                             @proxy_password)
@@ -305,10 +335,9 @@ them.
 
       if @protocol == 'https'
         verifyCallbackProc = Proc.new{ |ok, x509_store_ctx|
+          # List of error codes: http://www.openssl.org/docs/apps/verify.html
           code = x509_store_ctx.error
           msg = x509_store_ctx.error_string
-            #debugger
-          @logger.warn("##### #{@server} certificate verify failed: #{msg}") unless code == 0
           if request_params[:fail_if_ca_mismatch] && code != 0
             false
           else
@@ -316,14 +345,44 @@ them.
           end
         }
         @http.use_ssl = true
+
         ca_file = get_param(:ca_file)
-        if ca_file
-          @http.verify_mode     = OpenSSL::SSL::VERIFY_PEER
+        if ca_file && File.exists?(ca_file)
+          # Documentation for 'http.rb':
+          # : verify_mode, verify_mode=((|mode|))
+          #    Sets the flags for server the certification verification at
+          #    beginning of SSL/TLS session.
+          #    OpenSSL::SSL::VERIFY_NONE or OpenSSL::SSL::VERIFY_PEER is acceptable.
+          #
+          # KHRVI: looks like the constant VERIFY_FAIL_IF_NO_PEER_CERT is not acceptable
           @http.verify_callback = verifyCallbackProc
-          @http.ca_file         = ca_file
+          @http.ca_file= ca_file
+          @http.verify_mode = get_param(:use_server_auth) ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
+          # The depth count is 'level 0:peer certificate', 'level 1: CA certificate', 'level 2: higher level CA certificate', and so on.
+          # Setting the maximum depth to 2 allows the levels 0, 1, and 2. The default depth limit is 9, allowing for the peer certificate and additional 9 CA certificates.
+          @http.verify_depth    = 9
         else
           @http.verify_mode = OpenSSL::SSL::VERIFY_NONE
         end
+        
+        # CERT
+        cert_file = get_param(:cert_file, request_params)
+        cert      = File.read(cert_file) if cert_file && File.exists?(cert_file)
+        cert    ||= get_param(:cert, request_params)
+        # KEY
+        key_file  = get_param(:key_file,  request_params)
+        key       = File.read(key_file) if key_file && File.exists?(key_file)
+        key     ||= get_param(:key,  request_params)
+        if cert && key
+          begin
+            @http.verify_callback = verifyCallbackProc
+            @http.cert = OpenSSL::X509::Certificate.new(cert)
+            @http.key  = OpenSSL::PKey::RSA.new(key)
+          rescue OpenSSL::PKey::RSAError, OpenSSL::X509::CertificateError => e
+            @logger.error "##### Error loading SSL client cert or key: #{e.message} :: backtrace #{e.backtrace}"
+            raise e
+          end
+        end
       end
       # open connection
       @http.start
@@ -359,14 +418,21 @@ them.
       current_params = @params.merge(request_params)
       exception = get_param(:exception, current_params) || RuntimeError
 
+      # Re-establish the connection if any of auth params has changed
+      same_auth_params_as_before = SECURITY_PARAMS.select do |param|
+        request_params[param] != get_param(param)
+      end.empty?
+
       # We save the offset here so that if we need to retry, we can return the file pointer to its initial position
       mypos = get_fileptr_offset(current_params)
       loop do
+
         current_params[:protocol] ||= (current_params[:port] == 443 ? 'https' : 'http')
         # (re)open connection to server if none exists or params has changed
-        same_server_as_before = @server   == current_params[:server] &&
-                                @port     == current_params[:port]   &&
-                                @protocol == current_params[:protocol]
+        same_server_as_before = @server   == current_params[:server]   &&
+                                @port     == current_params[:port]     &&
+                                @protocol == current_params[:protocol] &&
+                                same_auth_params_as_before
 
         # if we are inside a delay between retries: no requests this time!
         # (skip this step if the endpoint has changed)
@@ -389,6 +455,7 @@ them.
           unless @http          &&
                  @http.started? &&
                  same_server_as_before
+            same_auth_params_as_before = true
             start(current_params)
           end
 
@@ -414,8 +481,9 @@ them.
 
         # EOFError means the server closed the connection on us.
         rescue EOFError => e
+          finish(e.message)
+          
           @logger.debug("#{err_header} server #{@server} closed connection")
-          @http = nil
 
             # if we have waited long enough - raise an exception...
           if raise_on_eof_exception?
@@ -427,31 +495,35 @@ them.
             # We will be retrying the request, so reset the file pointer
             reset_fileptr_offset(request, mypos)
           end
-        rescue Exception => e  # See comment at bottom for the list of errors seen...
-          @http = nil
-          timeout_exception = e.is_a?(Errno::ETIMEDOUT) || e.is_a?(Timeout::Error)
-          # Omit retries if it was explicitly requested
-          if current_params[:raise_on_timeout] && timeout_exception
+        rescue ArgumentError => e
+          finish(e.message)
+          
+          if e.message.include?('wrong number of arguments (5 for 4)')
+            # seems our net_fix patch was overriden...
+            raise exception.new('incompatible Net::HTTP monkey-patch')
+          else
+            raise e
+          end
+
+        rescue Timeout::Error, SocketError, SystemCallError, Interrupt => e  # See comment at bottom for the list of errors seen...
+          finish(e.message)
+          if e.is_a?(Errno::ETIMEDOUT) || e.is_a?(Timeout::Error)
+            # Omit retries if it was explicitly requested
             # #6481:
             # ... When creating a resource in EC2 (instance, volume, snapshot, etc) it is undetermined what happened if the call times out.
             # The resource may or may not have been created in EC2. Retrying the call may cause multiple resources to be created...
-            raise e
-          end
-          # if ctrl+c is pressed - we have to reraise exception to terminate proggy
-          if e.is_a?(Interrupt) && !timeout_exception
+            raise exception.new("#{e.class.name}: #{e.message}") if current_params[:raise_on_timeout]
+          elsif e.is_a?(Interrupt)
+            # if ctrl+c is pressed - we have to reraise exception to terminate proggy
             @logger.debug( "#{err_header} request to server #{@server} interrupted by ctrl-c")
-            raise
-          elsif e.is_a?(ArgumentError) && e.message.include?('wrong number of arguments (5 for 4)')
-            # seems our net_fix patch was overriden...
-            raise exception.new('incompatible Net::HTTP monkey-patch')
+            raise e
           end
           # oops - we got a banana: log it
-          error_add(e.message)
+          error_add(e)
           @logger.warn("#{err_header} request failure count: #{error_count}, exception: #{e.inspect}")
 
           # We will be retrying the request, so reset the file pointer
           reset_fileptr_offset(request, mypos)
-
         end
       end
     end
@@ -462,6 +534,8 @@ them.
         @logger.info("Closing #{@http.use_ssl? ? 'HTTPS' : 'HTTP'} connection to #{@http.address}:#{@http.port}#{reason}")
         @http.finish
       end
+    ensure
+      @http = nil
     end
 
   # Errors received during testing:

data/right_http_connection.gemspec

@@ -22,7 +22,7 @@
 #++
 
 require 'rubygems'
-require File.expand_path(File.join(File.dirname(__FILE__), 'lib', 'version'))
+require File.expand_path(File.join(File.dirname(__FILE__), 'lib', 'base', 'version'))
 
 Gem::Specification.new do |spec|
   spec.name = 'right_http_connection'

data/spec/client/cacert.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIJAJYV+DprCQ1CMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV
+BAMTCE15VGVzdENBMB4XDTExMDkxMzIyNTMxMVoXDTEyMDkxMjIyNTMxMVowEzER
+MA8GA1UEAxMITXlUZXN0Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCwmvBNrd7t/Z7ZVo1YfimpGgerOn1vXZY+OGJtqo+pN11Ei7dhVQfWBd2dAkYH
+B8NlPr5QyxmIT88JIRKEzk7ZZ+nRdfyoocg63FeLn+b6OeR5hwyK38aMRbhqY1Gq
+aIKMYyEpv0YNbuwoomv5Atl8mwvuUFr2XKndyzsrP1TrTCHH4lA5P0UUzIjVyyz9
+F4YAjGLjjoVO5R02LmZ/h/LqT6bJQ+cu/2JeIWGVnjKoFvyWHd0TOaOGDHlQc5h8
+RxgdOFrjsZGpQ5sKlhcI+9p0LOXqVfoC2J2ZWtAjFo0d54E/OarnBPFB6VNtoSmj
+l0z+OLGMKuDGaLflXNE0STVdAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P
+BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQAAbVkvPzS59uhX6Ox1ZT92cJXW8yjP
+IyXrZjcWlaKQSKcn8v5RpebtVA+pL6mCActBE8fMac5ixlwTTnF5LHb9v80XuXMe
+MXooQZBliyim5lVCp9gjKZYXEeVDphsuwDr5M4qO7tdZTB1ezCULObVF1N7qMwpO
+yWI6zifRtLsgWmnRyaeVyv2uNRYoAEsAd2Dj4oJjvuyc9U5QUhtsXwD3jvSPsdi6
+Mbr5tVIcZSpT4W9PSiZw2ZUZXIEbxX+w+FsuehhvoFJCi05R1ashCPxQA13bOJK0
+BmbHqeLDzJCK0+kQs8CRIGWGTGng84AyJ5MygGzd0WN9jtZslWTPDtbz
+-----END CERTIFICATE-----

data/spec/client/cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9TCCAd2gAwIBAgIBAjANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDEwhNeVRl
+c3RDQTAeFw0xMTA5MTMyMzAxMDVaFw0xMjA5MTIyMzAxMDVaMDgxJTAjBgNVBAMM
+HE1haGVuZHJhLUt1dGFyZXMtTWFjQm9vay1Qcm8xDzANBgNVBAoMBmNsaWVudDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcEhrVTKKgWVqTUBCGBWJlD
+u7RIk7kPcGAARy7Ctx+4VReEYlgVRqECzt4itglNdrQkUVCHXE0rwJMOozE8Hsgh
+rAOQvxzPJhG3hPUJf/VkfB+Dn0xRsPvrE90HpRlSqdT8X6iuryPEmp5RyMaY122P
+r/+Xs+lHhRlKQPdRpYXHlOwWX/U56Wy7jjGU9lONBEIEV8tD5ExzkCG23nbCvrFr
+/2c4VjrAwXR2RyYfSDRyc/obky49ydKZ8/HKbS3VdJYAWBI4Wnj2hayCcZggEFB0
+zg/IDXpOjnr6zV5UEfdaMIH4/K44ISX7xmZWGmQ3464NTmykj5xUMmfy3rVNREsC
+AwEAAaMvMC0wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB
+BQUHAwIwDQYJKoZIhvcNAQEFBQADggEBACmNyOoCvNsz8N3LN47VZK7aev54tjtd
+zJilLgAxEGBeaIvHX9LDkgi3sQAvHMHc3VIq4BoEd9TNtyxIrUdc2EG1TCJvHINP
+7YoHtbajvT3bhVLlnWjB7jHp9jNfZtHL7aEDp+5eqPT6wzaVeiu1nABs7gudCQq1
+CJw0Mfz1U3mG0sTb5JlRt7toce9dW0R6jfYTmTj6Yzu3kcgYjQKy2k2BCInLOIhz
+6tyOH51mCGAy1zgcWMvuyKYCeJQxRd46GrR2peyE2wYY6SfSlrK16pjaz48S3uhI
+01jd+HA1LARcImMhkMa/QFTo4uI7lx9Q+Y06Ny+rMuTNSnBSIgCUPQk=
+-----END CERTIFICATE-----

data/spec/client/key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxwSGtVMoqBZWpNQEIYFYmUO7tEiTuQ9wYABHLsK3H7hVF4Ri
+WBVGoQLO3iK2CU12tCRRUIdcTSvAkw6jMTweyCGsA5C/HM8mEbeE9Ql/9WR8H4Of
+TFGw++sT3QelGVKp1PxfqK6vI8SanlHIxpjXbY+v/5ez6UeFGUpA91GlhceU7BZf
+9TnpbLuOMZT2U40EQgRXy0PkTHOQIbbedsK+sWv/ZzhWOsDBdHZHJh9INHJz+huT
+Lj3J0pnz8cptLdV0lgBYEjhaePaFrIJxmCAQUHTOD8gNek6OevrNXlQR91owgfj8
+rjghJfvGZlYaZDfjrg1ObKSPnFQyZ/LetU1ESwIDAQABAoIBAB23pU3KHxYKT+HI
+7tz57XrlTE/9TmGh1ovfPsHSvXl1Eu+yCuVQN/2u56jv0fLNqF351lKKA9RaJiVP
+WDrv2UDVFlRp9r+chvi6SJY2Vu8TlB04kD7bK+xSC+NDUvnXCBkPnlEX1HsozlW5
+rJtLE0/+1q75vhmlXlCKb+z+OhMhmFnaWTf/xLNbkItO5tOf+mv/CoqBUSEk+i9t
+O6Zjzh02jbpW7xH3jJ/UexKMYOuqxoOMfC/MI6q3Qcu2OeZgl8cEIi94sjafq9ob
+WcFTrZY+YG5b1SE8ILg69Fkqve5d2Mn1sN8mYZxLeM0C/ATNghM5uSWhdze06bNu
+fpcgvOECgYEA/L+J/xVgUySUByELEBosY8q0HYG5Msq+GT7L5GMIoEmEp4j6MPRu
+kF/DihxefcvDyVRLhJh7o/kwR7Vwe4wP9145e3MOe9b7IH6pEwV0nAsBO6ldVToX
+gvrHOIoySNt/XtRurrbtZ08OtUDCLIRQATTnY9ieh8sxTyl1G9GehoMCgYEAyZQE
+r4ByBzXjTiuaODH6tPndbKFxRo2iis9CyxqYXAMDkjvF4NEpQyW5ucRxpRqTt51P
+kR13jdadnOF4t82M0qqEH3G6H4biKisY1jXRNH7mPSbyPbC4vxrQhnAEF3RiqbXz
+f2LUC4uOtLzW7HeyjEiZy2mg7UKdOfsmmJ//oJkCgYEAxZF/8GqoQjW8lJoKyMp8
+2oDQLKSDvSVoVdmVjfCwBIOTc1aKpAveBXMmKealIlZOtCj1Yy/CrlmSmOtGgvzo
+WihIbKxyrPFOmocH6PuBvJyJmTZ5464mRNd9NUApsHQL63fJET+i8feFer+lSSEg
+XOEa4xyoR2PZJpU0mstPzLsCgYBvcS3F+TURV3F7Xg+80aTROPJ5hCej4dni9ALx
+Vpq1A9WNmw4i5H/zZ3/ue/R4WuEfuhCrIade+y/X869RrooUTcENwUos891Fgt4Q
+T2CBrUaMuGNkR7dbr+9o47TfYrDJMpaT7odceqNCuMP5p5NGizy7gII/qXxS+c60
+woAIwQKBgQCiIfXZtAgYTPL23CQrxIMFwnlO0TiOe0ha0et7hjCh/CStG7NET7KK
+U1L1kfyl1YDgoJbLXTsG2WwGZRnK1oyEEFj2iY5EvwoMPr0Sv8/CiOIyEfC62s3V
+MoHemunnFhAj+JAy2HTKV0VYiNNNAxz3CBG8yMLK7YAMgPw1/HQQLQ==
+-----END RSA PRIVATE KEY-----

data/spec/really_dumb_webserver.rb

@@ -23,7 +23,7 @@
 
 require 'webrick'
 
-ssl_cert, ssl_key = ARGV[0], ARGV[1]
+ssl_cert, ssl_key, ca_cert = ARGV[0], ARGV[1], ARGV[2]
 
 # Monkey patch bad User-Agent parsing
 module WEBrick::AccessLog
@@ -52,7 +52,7 @@ module WEBrick::AccessLog
   end
 end
 
-logger = WEBrick::Log.new($stderr, WEBrick::Log::WARN)
+logger = WEBrick::Log.new($stderr, WEBrick::Log::WARN)#WEBrick::Log::DEBUG
 config = {}
 config[:Port] = 7890
 config[:Logger] = logger
@@ -60,10 +60,19 @@ config[:AccessLog] = [[$stdout, WEBrick::AccessLog::COMBINED_LOG_FORMAT]]
 unless ssl_cert.nil? || ssl_key.nil?
   require 'webrick/https'
   config[:SSLEnable] = true
-  config[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_NONE
+  # http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#
+  # SSL_VERIFY_FAIL_IF_NO_PEER_CERT
+  # => Server mode: if the client did not return a certificate, the TLS/SSL handshake is immediately terminated with a 'handshake failure' alert.
+  # => This flag must be used together with SSL_VERIFY_PEER.
+  config[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_PEER
+  config[:SSLVerifyClient] |= OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT if ca_cert
   config[:SSLPrivateKey] = OpenSSL::PKey::RSA.new(File.open(ssl_key).read)
   config[:SSLCertificate] = OpenSSL::X509::Certificate.new(File.open(ssl_cert).read)
-  config[:SSLCertName] = [["CN", "Graham Hughes"]]
+  # KHRVI: option config[:SSLCertName] does make sense only when config[:SSLCertificate] isn't specified
+  # see: webrick/ssl.rb method :setup_ssl_context
+  # config[:SSLCertName] = [["CN", "Graham Hughes"]]
+  config[:SSLVerifyDepth] = 9
+  config[:SSLCACertificateFile] = ca_cert if ca_cert
 end
 $stdout.sync = true
 server = WEBrick::HTTPServer.new(config)

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: right_http_connection
 version: !ruby/object:Gem::Version 
-  hash: 27
-  prerelease: false
+  hash: 7
+  prerelease: 
   segments: 
   - 1
-  - 3
+  - 4
   - 0
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors: 
 - RightScale, Inc.
@@ -15,8 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-25 00:00:00 -07:00
-default_executable: 
+date: 2013-06-13 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: rake
@@ -115,10 +114,10 @@ files:
 - Manifest.txt
 - README.txt
 - Rakefile
-- lib/net_fix.rb
+- lib/base/net_fix.rb
+- lib/base/support.rb
+- lib/base/version.rb
 - lib/right_http_connection.rb
-- lib/support.rb
-- lib/version.rb
 - right_http_connection.gemspec
 - spec/bad.ca
 - spec/ca/Rakefile
@@ -128,12 +127,15 @@ files:
 - spec/ca/demoCA/serial
 - spec/ca/passphrase.txt
 - spec/ca/server.csr
+- spec/client/cacert.cer
+- spec/client/cacert.pem
+- spec/client/cert.pem
+- spec/client/key.pem
 - spec/good.ca
 - spec/proxy_server.rb
 - spec/really_dumb_webserver.rb
 - spec/server.crt
 - spec/server.key
-has_rdoc: true
 homepage: http://rightscale.rubyforge.org/
 licenses: []
 
@@ -173,7 +175,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: rightscale
-rubygems_version: 1.3.7
+rubygems_version: 1.8.5
 signing_key: 
 specification_version: 3
 summary: RightScale's robust HTTP/S connection module