Hello, I am trying to connect a client and a server over TLS using custom-signed SSL certificates. Example:
server.cr
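# server.cr
require "http/server"

# Minimal HTTPS server: every request gets a plain-text "Hello world!".
server = HTTP::Server.new do |context|
  context.response.content_type = "text/plain"
  context.response.print "Hello world!"
end

tls = OpenSSL::SSL::Context::Server.new

# Chain (leaf certificate followed by the CA certificate) and private key that
# this server presents to connecting clients.
tls.certificate_chain = "server.pem"
tls.private_key = "server.key"

# Trust anchor used to validate client certificates. The CA behind cacert.pem
# is a private one, so it is presumably absent from the system trust store;
# without this line no certificate issued by that CA could be verified here.
tls.ca_certificates = "cacert.pem"

# PEER | FAIL_IF_NO_PEER_CERT turns this into a mutual-TLS listener: a client
# that sends no certificate, or one that does not chain to the CA above, is
# rejected during the handshake. A client that only sets `ca_certificates`
# authenticates the server but presents nothing itself, so it will be refused.
# NOTE(review): if client-certificate authentication is not intended, remove
# this line rather than weakening verification on the client side.
tls.verify_mode = LibSSL::VerifyMode::PEER | LibSSL::VerifyMode::FAIL_IF_NO_PEER_CERT

# Loopback only; not reachable from other hosts.
server.bind_tls "127.0.0.1", 6443, tls
server.listen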
client.cr
# client.cr
require "http/client"

# Client-side TLS context that trusts only what cacert.pem contains, so the
# server certificate must chain to that CA.
# NOTE(review): the host in the URL presumably has to match a subjectAltName
# entry of the server certificate - confirm against the certificate in use.
trust = OpenSSL::SSL::Context::Client.new
trust.ca_certificates = "cacert.pem"

# No client certificate is configured on this context. A server whose verify
# mode includes FAIL_IF_NO_PEER_CERT aborts the handshake in that case, which
# may be what surfaces here as an OpenSSL error when the socket is closed.
# To authenticate, a client certificate issued by the same CA would be set:
#   trust.certificate_chain = "<CLIENT_CERT_PLACEHOLDER>"
#   trust.private_key       = "<CLIENT_KEY_PLACEHOLDER>"
puts HTTP::Client.get("https://localhost:6443/", tls: trust).body
generate_ssl.sh
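# Taken from: https://www.golinuxcloud.com/golang-http/
# Taken from: https://arminreiter.com/2022/01/create-your-own-certificate-authority-ca-using-openssl/
#
# Creates a private root CA and one server certificate signed by it, then
# builds server.pem (server certificate followed by the CA certificate).
# Only a server certificate is issued: a server that requires client
# certificates needs a separate client key and certificate from the same CA.

# Abort on the first failing command so a failed signing step cannot leave a
# stale or incomplete bundle behind.
set -eu

# Both private keys are written unencrypted (no cipher on genrsa, -nodes on
# req), so keep every generated file readable by the owner only.
umask 077

# Root CA key and self-signed CA certificate, valid for 365 days.
openssl genrsa -out ca.key 4096
openssl req -new -nodes -x509 -days 365 -key ca.key -out cacert.pem -subj "/C=IN/ST=NSW/L=Bobo/O=BoboCloud/OU=Org/CN=RootCA"

# Server key and CSR. The CN is "bobo"; the names clients connect to come from
# subjectAltName in server_cert_ext.cnf.
openssl req -new -nodes -newkey rsa:4096 -keyout server.key -out server.csr -subj "/C=IN/ST=NSW/L=Bobo/O=BoboCloud/OU=Org/CN=bobo"

# Sign the CSR with the CA, applying the extensions from server_cert_ext.cnf.
openssl x509 -req -in server.csr -CA cacert.pem -CAkey ca.key -out server.crt -CAcreateserial -days 365 -sha256 -extfile server_cert_ext.cnf

# Bundle: leaf certificate first, issuing CA certificate after it.
cp server.crt certbundle.pem
cat cacert.pem >> certbundle.pem
cp certbundle.pem server.pem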
server_cert_ext.cnf
# X.509v3 extensions for the server certificate, passed to
# `openssl x509 -req` through -extfile.

# Leaf certificate: it must not be accepted as an issuer of other certificates.
basicConstraints = CA:FALSE
# Legacy Netscape extensions. NOTE(review): modern TLS libraries are expected
# to rely on extendedKeyUsage instead - confirm these are still wanted.
nsCertType = server
nsComment = "BOBO Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier=keyid,issuer
# NOTE(review): nonRepudiation and dataEncipherment are broader than a TLS
# server usually needs - confirm they are required before issuing.
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# serverAuth and clientAuth together let this one certificate authenticate
# either end of a TLS connection.
# NOTE(review): reusing it as a client certificate would mean copying
# server.key to clients; a separate clientAuth-only certificate avoids that.
extendedKeyUsage = serverAuth, clientAuth
# Names and addresses the certificate is valid for, listed in [alt_names].
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = localhost
But when I execute client.cr, it throws:
Unhandled exception: SSL_shutdown: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init (OpenSSL::SSL::Error)
from /usr/share/crystal/src/openssl/ssl/socket.cr:179:11 in 'unbuffered_close'
from /usr/share/crystal/src/io/buffered.cr:249:5 in 'close'
from /usr/share/crystal/src/http/client.cr:776:15 in 'close'
from /usr/share/crystal/src/http/client.cr:258:7 in 'exec'
from /usr/share/crystal/src/http/client.cr:408:3 in 'get:tls'
from client.cr:6:1 in '__crystal_main'
from /usr/share/crystal/src/crystal/main.cr:115:5 in 'main_user_code'
from /usr/share/crystal/src/crystal/main.cr:101:7 in 'main'
from /usr/share/crystal/src/crystal/main.cr:127:3 in 'main'
from /lib/x86_64-linux-gnu/libc.so.6 in '__libc_start_main'
from ???
Thanks for any help.
Current Crystal version:
Crystal 1.7.0 [016578f85] (2023-01-09)
LLVM: 13.0.1
Default target: x86_64-unknown-linux-gnu