Charles Rajesh wrote:
Thanx Brian for your points..
1) I checked whether the certificate is signed using the following cmd:
openssl x509 -text -in sdk-cert.pem
You need to look at the certificate of the *other side* that you are
connecting to (openssl s_client -connect whatever.com:443)
2) Here am not sure whether the certificate is signed or not..
-- Also i tried the following cmd as you mentioned:
openssl s_client -connect www.paypal.com:443
Loading 'screen' into random state - done
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
nc. - For authorized use only/CN=VeriSign Class 3 Public Primary
uthority - G5
verify error:num=20:unable to get local issuer certificate
OK that's good. So this means:
(1) you're trying to connect to www.paypal.com
(2) www.paypal.com presents a certificate signed by VeriSign
(3) openssl doesn't have a copy of VeriSign's root certificate, so
cannot verify PayPal's certificate.
You need a copy of Verisign's certificate stored on your machine.
Normally your machine would come with it pre-installed.
What platform are you running this under? For example, Ubuntu has a
package called "ca-certificates", which installs links in
/etc/ssl/certs. You can make a fully verified SSL connection like this:
openssl s_client -CApath /etc/ssl/certs -connect www.paypal.com:443
Verify return code: 0 (ok)
Once you've got that working, then you can do the equivalent in Ruby,
e.g. using http.ca_path = "/etc/ssl/certs"
NB: The PEM certificate file has both the private key & the certificate.
That's *your* private key and certificate, which you're presenting to
Paypal to prove your identity.
The problem is in the other direction, with Paypal presenting *their*
certificate to you to prove their identity. (Which of course they have
to do: you wouldn't want someone impersonating Paypal to intercept the
connection and collect all these credit card details you're sending
Posted via http://www.ruby-forum.com/.