JRuby openssl doesn't support name constraints #3502

Open

duritong opened this issue Nov 28, 2015 · 3 comments
@duritong
Contributor

duritong commented Nov 28, 2015

Trying to generate a CA with nameConstraints extensions and then using it fails horribly. It seems that jRuby is not supporting nameConstraints at all, neither by adding it as an extension nor during verification.

To summarize:

jRuby is:

  • unable to generate a CA with nameConstraints
  • unable to properly verify a certificate that is validating the nameConstraints from the CA

Below you should be able to find code to verify that.

When adding nameConstraints, the main difference that I see is that jruby doesn't seem to add the extension properly:

            nameConstraints: critical
                permitted;DNS:.example.com

Supporting nameConstraints should really work, at least for verification, as at the moment jRuby might accept invalid certificates. => This should actually be seen as a security issue.

I'm adding 2 scripts to the report, as well as the output of them using once MRI and then jRuby:

  1. is generating a CA with a nameConstraint & 2 certs, one being within the constraint, the other one violating it.
  2. is using the CA generated with MRI and just validating it.

Using MRI the certificates are validated properly (one is accepted, the other fails), while jRuby accepts both certificates.

Everything running on a

$ jruby -v
jruby 1.7.19 (1.9.3p551) 2015-01-29 20786bd on OpenJDK 64-Bit Server VM 1.8.0_65-b17 +jit [linux-amd64]
$ openssl version
OpenSSL 1.0.2d-fips 9 Jul 2015
$ cat /etc/os-release 
NAME=Fedora
VERSION="23 (Workstation Edition)"
ID=fedora
VERSION_ID=23
PRETTY_NAME="Fedora 23 (Workstation Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:23"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=23
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=23
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Workstation Edition"
VARIANT_ID=workstation
$ java -version
openjdk version "1.8.0_65"
OpenJDK Runtime Environment (build 1.8.0_65-b17)
OpenJDK 64-Bit Server VM (build 25.65-b01, mixed mode)

Script and output: https://gist.github.com/headius/e66ac70e2559827a940bf1419a91c847
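The two checks the report describes, a CA carrying a critical nameConstraints extension and verification of one leaf inside and one outside the permitted subtree, written out as an added example; this is not the reporter's gist and not JRuby or jruby-openssl code. The helper names (build_ca, issue_leaf, name_constraints, verify_chain) and the hostnames www.example.com / www.example.org are my own choices. The expected outcome is the MRI behaviour the report describes: the in-subtree leaf verifies, the out-of-subtree leaf is rejected with a "permitted subtree violation"; a Ruby whose OpenSSL binding ignores the extension would accept both.

```ruby
require 'openssl'

# Self-signed CA whose critical nameConstraints extension permits only
# DNS names under the given suffix (a leading dot means "any subdomain").
def build_ca(permitted_dns_suffix)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Constrained Test CA') # constructed name
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
  # The extension from the report: critical, permitted subtree for DNS names.
  cert.add_extension(ef.create_extension('nameConstraints',
                                         "permitted;DNS:#{permitted_dns_suffix}", true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# End-entity certificate for one DNS name, signed by the CA above.
def issue_leaf(ca_cert, ca_key, dns_name, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{dns_name}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  # The SAN is what the name constraint is checked against.
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{dns_name}", false))
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  cert
end

# Returns the nameConstraints extension object, or nil if the binding
# silently dropped it (the first symptom described in the report).
def name_constraints(cert)
  cert.extensions.find { |ext| ext.oid == 'nameConstraints' }
end

# Path validation against a store containing only the CA.
# Returns [verified?, error_string].
def verify_chain(ca_cert, leaf)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ok = store.verify(leaf)
  [ok, store.error_string]
end

if $PROGRAM_NAME == __FILE__
  ca, ca_key = build_ca('.example.com')
  ext = name_constraints(ca)
  puts ext ? "nameConstraints (critical=#{ext.critical?}):\n#{ext.value}" : 'nameConstraints MISSING'

  inside  = issue_leaf(ca, ca_key, 'www.example.com', 2)
  outside = issue_leaf(ca, ca_key, 'www.example.org', 3)
  puts "www.example.com -> #{verify_chain(ca, inside).inspect}"
  puts "www.example.org -> #{verify_chain(ca, outside).inspect}"
end
```

Running this is a quick way to tell whether a given Ruby/OpenSSL binding enforces the extension: a binding that prints "nameConstraints MISSING" has dropped the extension at issuance time, and one that reports the www.example.org leaf as verified is not enforcing constraints during path validation.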

@kares kares added the openssl label Dec 15, 2015
@kares
Member
kares commented Dec 15, 2015

tldr ... it's not clear whether you tried out the latest jruby-openssl gem or the one that comes with 1.7.19
believe there was some work related to names so it might work and if not patches are always welcome :)
also, there's a separate tracker for jruby-openssl for your next report.

@duritong
Contributor Author
Might be related to jruby/jruby-openssl#102

@headius
Member
headius commented Oct 30, 2016

Moved long sample script and output to a separate gist: https://gist.github.com/headius/e66ac70e2559827a940bf1419a91c847
