Maintenance of Ruby 2.0.0 ended on February 24, 2016.

In Files

  • drb/ssl.rb


SSLConfig handles the needed SSL information for establishing a DRbSSLSocket connection, including generating the X509 / RSA pair.

An instance of this config can be passed to, and DRb::DRbSSLSocket.open_server

See ::new for more details



Default values for a SSLConfig instance.

See ::new for more details

Public Class Methods

new(config)

Create a new DRb::DRbSSLSocket::SSLConfig instance

The DRb::DRbSSLSocket will take either a config Hash or an instance of SSLConfig, and will set up the certificate for its session from that configuration. If you want it to generate a generic certificate, the bare minimum is to provide the :SSLCertName

Config options

From config Hash:

:SSLCertificate
An instance of OpenSSL::X509::Certificate. If this is not provided, then a generic X509 is generated, with a corresponding :SSLPrivateKey

:SSLPrivateKey
A private key instance, like OpenSSL::PKey::RSA. This key must be the key that signed the :SSLCertificate

:SSLClientCA
An OpenSSL::X509::Certificate, or Array of certificates that will be used as ClientCAs in the SSL Context

:SSLCACertificatePath
A path to the directory of CA certificates. The certificates must be in PEM format.

:SSLCACertificateFile
A path to a CA certificate file, in PEM format.

:SSLTmpDhCallback
A DH callback. See OpenSSL::SSL::SSLContext.tmp_dh_callback

:SSLVerifyMode
This is the SSL verification mode. See OpenSSL::SSL::VERIFY_* for available modes. The default is OpenSSL::SSL::VERIFY_NONE

:SSLVerifyDepth
Number of CA certificates to walk, when verifying a certificate chain.

:SSLVerifyCallback
A callback to be used for additional verification. See OpenSSL::SSL::SSLContext.verify_callback

:SSLCertificateStore
An OpenSSL::X509::Store used for verification of certificates

:SSLCertName
Issuer name for the certificate. This is required when generating the certificate (if :SSLCertificate and :SSLPrivateKey were not given). The value of this is to be an Array of pairs:

[["C", "Raleigh"], ["ST", "North Carolina"]]

See also OpenSSL::X509::Name

:SSLCertComment
A comment to be used for generating the certificate. The default is "Generated by Ruby/OpenSSL"


These values can be added after the fact, like a Hash.

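require 'drb/ssl'
c = {}
# Load an existing certificate and its private key from PEM files
c[:SSLCertificate] = OpenSSL::X509::Certificate.new(File.read('mycert.crt'))
c[:SSLPrivateKey] = OpenSSL::PKey::RSA.new(File.read('mycert.key'))
# Verify the peer against the CA certificates in this directory
c[:SSLVerifyMode] = OpenSSL::SSL::VERIFY_PEER
c[:SSLCACertificatePath] = "/etc/ssl/certs/"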
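
As an added example (not part of drb/ssl or of the original documentation), the lint below checks a config Hash built from the options above for the settings that weaken a DRbSSLSocket session: the VERIFY_NONE default, VERIFY_PEER without a trust anchor, an optional client certificate, and a private key that does not match :SSLCertificate. The names `audit_drb_ssl_config` and `demo_cert` and the finding symbols are hypothetical; the certificate is constructed for the demo.

```ruby
require 'openssl'

# Constructed helper: a throwaway self-signed certificate for the demo.
def demo_cert(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([["CN", cn]])
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.public_key = key.public_key
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Hypothetical lint, not part of drb/ssl: list weak spots in a config Hash
# that uses the option names documented on this page.
def audit_drb_ssl_config(config)
  findings = []
  # Documented default when :SSLVerifyMode is absent.
  mode = config[:SSLVerifyMode] || OpenSSL::SSL::VERIFY_NONE
  if (mode & OpenSSL::SSL::VERIFY_PEER).zero?
    findings << :peer_not_verified
  else
    anchors = [:SSLCACertificateFile, :SSLCACertificatePath, :SSLCertificateStore]
    findings << :no_trust_anchor if anchors.none? { |k| config[k] }
    # Server side only: without this flag a client may skip its certificate.
    if (mode & OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT).zero?
      findings << :client_cert_optional
    end
  end
  cert, pkey = config[:SSLCertificate], config[:SSLPrivateKey]
  if cert && pkey
    findings << :key_mismatch unless cert.check_private_key(pkey)
  else
    findings << :generated_certificate # setup_certificate self-signs one
  end
  findings
end

if __FILE__ == $0
  key = OpenSSL::PKey::RSA.new(2048)
  strict = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  weak = { :SSLCertName => [["CN", "localhost"]] }
  hardened = { :SSLCertificate => demo_cert(key, "localhost"), :SSLPrivateKey => key,
               :SSLVerifyMode => strict, :SSLCACertificatePath => "/etc/ssl/certs/" }
  p audit_drb_ssl_config(weak)
  p audit_drb_ssl_config(hardened)
end
```
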


require 'drb/ssl'
c = {
  # Array of [key, value] pairs, as OpenSSL::X509::Name expects
  :SSLCertName => [["CN", DRb::DRbSSLSocket.getservername]]
}

# File drb/ssl.rb, line 126
def initialize(config)
  @config  = config
  @cert    = config[:SSLCertificate]
  @pkey    = config[:SSLPrivateKey]
  @ssl_ctx = nil
end

Public Instance Methods

[](key)

A convenience method to access the values like a Hash

# File drb/ssl.rb, line 134
def [](key);
  # Fall back to DEFAULT when the key is not set in the config
  @config[key] || DEFAULT[key]
end

accept(tcp)

Accept connection to IO tcp, with context of the current certificate configuration

# File drb/ssl.rb, line 149
def accept(tcp)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, @ssl_ctx)
  ssl.sync = true
  ssl.accept  # server side of the handshake
  ssl
end

connect(tcp)

Connect to IO tcp, with context of the current certificate configuration

# File drb/ssl.rb, line 140
def connect(tcp)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, @ssl_ctx)
  ssl.sync = true
  ssl.connect  # client side of the handshake
  ssl
end

setup_certificate()

Ensures that :SSLCertificate and :SSLPrivateKey have been provided or that a new certificate is generated with the other parameters provided.

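# File drb/ssl.rb, line 159
def setup_certificate
  # Nothing to do when both a certificate and its key were supplied.
  if @cert && @pkey
    return
  end

  # The key size argument is missing from this page; 2048 is a stand-in,
  # not necessarily the value used in drb/ssl.rb.
  rsa = OpenSSL::PKey::RSA.new(2048){|p, n|
    next unless self[:verbose]
    case p
    when 0; $stderr.putc "."  # BN_generate_prime
    when 1; $stderr.putc "+"  # BN_generate_prime
    when 2; $stderr.putc "*"  # searching good prime,
                              # n = #of try,
                              # but also data from BN_generate_prime
    when 3; $stderr.putc "\n" # found good prime, n==0 - p, n==1 - q,
                              # but also data from BN_generate_prime
    else;   $stderr.putc "*"  # BN_generate_prime
    end
  }

  # Self-signed certificate: subject and issuer are the same name.
  cert = OpenSSL::X509::Certificate.new
  cert.version = 3
  cert.serial = 0
  name = OpenSSL::X509::Name.new(self[:SSLCertName])
  cert.subject = name
  cert.issuer = name
  cert.not_before = Time.now
  cert.not_after = Time.now + (365*24*60*60)
  cert.public_key = rsa.public_key

  ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
  cert.extensions = [
    ef.create_extension("subjectKeyIdentifier", "hash") ]
  ef.issuer_certificate = cert
  if comment = self[:SSLCertComment]
    cert.add_extension(ef.create_extension("nsComment", comment))
  end
  # The signing call is missing from this page; the digest here is a
  # stand-in, not necessarily the one used in drb/ssl.rb.
  cert.sign(rsa, OpenSSL::Digest::SHA256.new)

  @cert = cert
  @pkey = rsa
end

setup_ssl_context()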

Establish the OpenSSL::SSL::SSLContext with the configuration parameters provided.

# File drb/ssl.rb, line 206
def setup_ssl_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert            = @cert
  ctx.key             = @pkey
  ctx.client_ca       = self[:SSLClientCA]
  ctx.ca_path         = self[:SSLCACertificatePath]
  ctx.ca_file         = self[:SSLCACertificateFile]
  ctx.tmp_dh_callback = self[:SSLTmpDhCallback]
  ctx.verify_mode     = self[:SSLVerifyMode]
  ctx.verify_depth    = self[:SSLVerifyDepth]
  ctx.verify_callback = self[:SSLVerifyCallback]
  ctx.cert_store      = self[:SSLCertificateStore]
  @ssl_ctx = ctx
end
