puma: SSL Error with self-signed certificate in dev when using Chrome 70
Steps to reproduce
- Setup a dev environment on macOS 10.14.1
- Setup and configure a self-signed certificate
- Try to connect with Chrome 70
Expected behavior
It should connect with Chrome 70
Actual behavior
Puma throws the error: SSL error, peer: 127.0.0.1, peer cert: , #<Puma::MiniSSL::SSLError: OpenSSL error: error:141F7065:SSL routines:final_key_share:no suitable key share - 337604709>
When attempting to connect on Chrome 70, Chrome shows the following error when accessing https://localhost:8080.
On Firefox 63.0 (64-bit) I’m prompted to add a one-time security exception in order to connect. Safari Version 12.0.1 has no issue connecting.
System configuration
ruby 2.5.3
rails 5.1.6
puma 3.12.0
macOS 10.14.1
Chrome Version 70.0.3538.77 (Official Build) (64-bit)
- I’ve created a self-signed certificate following the Heroku instructions here
- I have the following in my hosts file:
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
127.0.0.1 localhost.ssl
- Added the self-signed certificate to my system keychain and always trusted it
- In my puma config file, I’m starting puma with:
ssl_bind '127.0.0.1', '8080', { key: 'localhost_ssl/server.key', cert: 'localhost_ssl/server.crt', verify_mode: 'none' }
I’ve also added an issue in Chrome bug tracker
About this issue
- State: closed
- Created 6 years ago
- Reactions: 20
- Comments: 29 (12 by maintainers)
Commits related to this issue
- bump puma to make demo work in chrome see https://github.com/puma/puma/issues/1670 — committed to Fivell/webauthn-rails-demo by Fivell 4 years ago
- bump puma to make self-signed certificate work in chrome see https://github.com/puma/puma/issues/1670 — committed to Fivell/webauthn-rails-demo by Fivell 4 years ago
@dachinat if you are developing locally for now, I’ve used this line in my Gemfile and it fixed it until they merge:
gem 'puma', git: 'https://github.com/eric-norcross/puma.git', branch: 'chrome_70_ssl_curve_compatiblity'
not working even with the master branch.
Any updates on this? This is a pretty serious issue that’s not only happening on MacOS. I have the same problem on Linux with Chrome 72.
There’s a fix available for merge (https://github.com/puma/puma/pull/1671) that has been written by some pretty smart people here: https://bugs.chromium.org/p/chromium/issues/detail?id=899994#c8
For what it’s worth, the next Rails release will default to ~> 4.1 in the generated Gemfile instead of ~> 3.11 (see https://github.com/rails/rails/commit/2a3f759eef10352bedce5f13b12dbdda30aacab2).
How are people creating their self-signed certificate? How does the Puma config look?
I tried myself, using https://github.com/FiloSottile/mkcert, and I get no error from Puma when accessing via Chrome (or any other User-Agent)
Looks like the issue is this line here: https://github.com/puma/puma/blob/72882f2319e65b371e1458069723279b3196a220/ext/puma_http11/mini_ssl.c#L193
P-521 is not a very common curve. It’s not supported by Chrome or Edge. Prior to TLS 1.3, this was non-fatal but resulted in less secure settings. Starting with TLS 1.3, enabled by default in OpenSSL 1.1.1, ECDH is mandatory. The immediate fix would be to use NID_X9_62_prime256v1 (P-256) instead, which is where most hardening work is focused.
But OpenSSL also has a fine set of defaults in 1.1.0, and an API to negotiate multiple curves. 1.0.2’s defaults are a little large, but also fine. Thus, something like this may be better:
@biznickman I also ended up having to recreate my self-signed certificate, making sure to add Subject Alternate Name (SAN) support: https://ksearch.wordpress.com/2017/08/22/generate-and-import-a-self-signed-ssl-certificate-on-mac-osx-sierra/
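As an added example (not code from Puma, from the linked PR, or from any commenter), the Ruby script below reproduces the failure mode described in the two comments above using Ruby's own OpenSSL bindings rather than Puma's mini_ssl.c: a server context pinned to P-521 is tried against a client that offers only the groups a browser like Chrome 70 would (X25519, P-256 and P-384, which is this example's assumption), and then the same client is tried against a server with an explicit multi-curve list and against OpenSSL's defaults. Ruby's `ecdh_curves=` is a wrapper over OpenSSL's curve-list API, i.e. the "API to negotiate multiple curves" mentioned above. The self-signed certificate is generated in the script with a subjectAltName for localhost, and the client verifies it the way a browser with the certificate imported into its trust store would; all names, curve lists and the loopback port are assumptions of this example.

```ruby
require 'openssl'
require 'socket'

# Constructed self-signed certificate for localhost (stands in for the
# hand-made certificate from the issue). The subjectAltName is what browsers
# actually match; a CN alone is not enough for Chrome.
def build_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  name = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 60 * 60
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost,IP:127.0.0.1'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Server side. `curves` is an OpenSSL group list such as "P-521" (the single
# curve the issue is about) or "X25519:P-256:P-384"; nil keeps OpenSSL's defaults.
def server_context(key, cert, curves)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.key = key
  ctx.cert = cert
  ctx.ciphers = 'ECDHE' # no RSA key-exchange fallback on TLS 1.2 either
  ctx.ecdh_curves = curves if curves
  ctx
end

# Client side playing the browser: offers only `curves` (assumed browser list),
# trusts our self-signed cert and checks the hostname against the SAN.
def client_context(cert, curves)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = 'ECDHE'
  ctx.ecdh_curves = curves
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx
end

# One TLS handshake over a loopback TCP socket.
# Returns [client_connected, server_error_message_or_nil].
def handshake(server_ctx, client_ctx)
  listener = TCPServer.new('127.0.0.1', 0)
  server_error = nil
  server = Thread.new do
    sock = listener.accept
    begin
      OpenSSL::SSL::SSLSocket.new(sock, server_ctx).accept
    rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError => e
      server_error = e.message # e.g. "... no suitable key share" on OpenSSL >= 1.1.1
    ensure
      sock.close
    end
  end
  sock = TCPSocket.new('127.0.0.1', listener.addr[1])
  client_ok = begin
    ssl = OpenSSL::SSL::SSLSocket.new(sock, client_ctx)
    ssl.hostname = 'localhost' # SNI plus hostname verification target
    ssl.connect
    true
  rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
    false
  ensure
    sock.close
  end
  server.join
  listener.close
  [client_ok, server_error]
end

# Same certificate and same browser-like client against three server setups.
def run_demo
  key, cert = build_self_signed_cert
  browser = 'X25519:P-256:P-384'
  {
    p521_only: handshake(server_context(key, cert, 'P-521'), client_context(cert, browser)),
    explicit_list: handshake(server_context(key, cert, 'X25519:P-256:P-384'), client_context(cert, browser)),
    openssl_defaults: handshake(server_context(key, cert, nil), client_context(cert, browser))
  }
end

if $PROGRAM_NAME == __FILE__
  run_demo.each do |name, (ok, err)|
    puts "#{name}: client #{ok ? 'connected' : 'FAILED'}#{err ? " (server: #{err})" : ''}"
  end
end
```

Running it prints one line per setup: the P-521-only server fails the handshake (the server-side message on OpenSSL 1.1.1 or later is the same "no suitable key share" reason that Puma logged), while the explicit list and the OpenSSL defaults both connect. Restricting the cipher list to ECDHE on both sides keeps the result the same on a build without TLS 1.3, where the mismatch surfaces as "no shared cipher" instead of silently falling back to RSA key exchange.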
Solved it: Brew uninstall & installed puma, then double-clicked on ~/Library/Application Support/io.puma.dev/cert.pem and selected Always Trust
Hi, is there a temporary fix until this PR will be merged? Thanks