OpenSSL::SSL::SSLError: certificate verify failed with JRuby 1.7.22 #67

Closed
sluukkonen opened this issue Aug 26, 2015 · 12 comments

@sluukkonen

When using httpclient, some sites are giving me errors like this with JRuby 1.7.22.

1.7.20 or 1.7.21 work without issues.

How to reproduce

λ ~ rbenv shell jruby-1.7.22
λ ~ ruby -rhttpclient -e 'HTTPClient.new.get "https://www.bankofamerica.com"'
OpenSSL::SSL::SSLError: certificate verify failed
                          connect at org/jruby/ext/openssl/SSLSocket.java:210
                      ssl_connect at /Users/sluukkonen/.rbenv/versions/jruby-1.7.22/lib/ruby/gems/shared/gems/httpclient-2.6.0.1/lib/httpclient/session.rb:307
                          connect at /Users/sluukkonen/.rbenv/versions/jruby-1.7.22/lib/ruby/gems/shared/gems/httpclient-2.6.0.1/lib/httpclient/session.rb:755
                          timeout at org/jruby/ext/timeout/Timeout.java:147
                          connect at /Users/sluukkonen/.rbenv/versions/jruby-1.7.22/lib/ruby/gems/shared/gems/httpclient-2.6.0.1/lib/httpclient/session.rb:746
                            query at /Users/sluukkonen/.rbenv/versions/jruby-1.7.22/lib/ruby/gems/shared/gems/httpclient-2.6.0.1/lib/httpclient/session.rb:612
                            query at /Users/sluukkonen/.rbenv/versions/jruby-1.7.22/lib/ruby/gems/shared/gems/httpclient-2.6.0.1/lib/httpclient/session.rb:164
                     do_get_block at /Users/sluukkonen/.rbenv/versions/jruby-1.7.22/lib/ruby/gems/shared/gems/httpclient-2.6.0.1/lib/httpclient.rb:1191
                       do_request at /Users/sluukkonen/.rbenv/versions/jruby-1.7.22/lib/ruby/gems/shared/gems/httpclient-2.6.0.1/lib/httpclient.rb:974
  protect_keep_alive_disconnected at /Users/sluukkonen/.rbenv/versions/jruby-1.7.22/lib/ruby/gems/shared/gems/httpclient-2.6.0.1/lib/httpclient.rb:1082
                       do_request at /Users/sluukkonen/.rbenv/versions/jruby-1.7.22/lib/ruby/gems/shared/gems/httpclient-2.6.0.1/lib/httpclient.rb:969
                          request at /Users/sluukkonen/.rbenv/versions/jruby-1.7.22/lib/ruby/gems/shared/gems/httpclient-2.6.0.1/lib/httpclient.rb:822
                              get at /Users/sluukkonen/.rbenv/versions/jruby-1.7.22/lib/ruby/gems/shared/gems/httpclient-2.6.0.1/lib/httpclient.rb:713
                           (root) at -e:1
λ ~ rbenv shell jruby-1.7.21
λ ~ ruby -rhttpclient -e 'HTTPClient.new.get "https://www.bankofamerica.com"'
λ ~ rbenv shell jruby-9.0.0.0
λ ~ ruby -rhttpclient -e 'HTTPClient.new.get "https://www.bankofamerica.com"'
@sluukkonen
Author

MRI 2.2.2 also throws a similar error on my machine.

λ ~ ruby -rhttpclient -e 'HTTPClient.new.get "https://www.bankofamerica.com"'
/Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/httpclient-2.3.4.1/lib/httpclient/session.rb:303:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure (OpenSSL::SSL::SSLError)
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/httpclient-2.3.4.1/lib/httpclient/session.rb:303:in `ssl_connect'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/httpclient-2.3.4.1/lib/httpclient/session.rb:760:in `block in connect'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/2.2.0/timeout.rb:89:in `block in timeout'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/2.2.0/timeout.rb:99:in `call'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/2.2.0/timeout.rb:99:in `timeout'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/2.2.0/timeout.rb:125:in `timeout'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/httpclient-2.3.4.1/lib/httpclient/session.rb:751:in `connect'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/httpclient-2.3.4.1/lib/httpclient/session.rb:609:in `query'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/httpclient-2.3.4.1/lib/httpclient/session.rb:164:in `query'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/httpclient-2.3.4.1/lib/httpclient.rb:1083:in `do_get_block'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/httpclient-2.3.4.1/lib/httpclient.rb:887:in `block in do_request'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/httpclient-2.3.4.1/lib/httpclient.rb:981:in `protect_keep_alive_disconnected'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/httpclient-2.3.4.1/lib/httpclient.rb:886:in `do_request'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/httpclient-2.3.4.1/lib/httpclient.rb:774:in `request'
    from /Users/sluukkonen/.rbenv/versions/2.2.2/lib/ruby/gems/2.2.0/gems/httpclient-2.3.4.1/lib/httpclient.rb:677:in `get'
    from -e:1:in `<main>'

@headius
Member

headius commented Aug 26, 2015

So this works with JRuby 9k and 1.7.21 but not with 1.7.22, yes? Seems like it could be a problem with jruby-openssl 0.9.10 then, eh @kares @mkristian?

@headius
Member

headius commented Aug 26, 2015

I can confirm I have the same issue on 9k master, which has updated to 0.9.10.

@mkristian
Member

I can confirm it is a regression. jruby-1.7.21 with jruby-openssl-0.9.10 installed shows the same error.

@kares
Member

kares commented Aug 26, 2015

we've limited some ciphers for SSL handshake - maybe that's the issue, we'll need to investigate further

@kares
Member

kares commented Aug 26, 2015

regression caused by e25518f ... know which part just need to do some more testing before a 'good' fix.

@headius
Member

headius commented Aug 26, 2015

@kares Nice!

kares added a commit that referenced this issue Aug 27, 2015
…g PEMs

internally readPEM makes the reader buffered but it's not the same!

change introduced in 0.9.8 at e25518f

causing #67
kares added a commit that referenced this issue Aug 27, 2015
@kares kares closed this as completed Aug 27, 2015
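
The commit message above says readPEM buffers the reader internally, but not with the same buffer each time. The Java sketch below is an added illustration, not jruby-openssl code (class and method names are hypothetical, PEM bodies are constructed placeholders): it shows how wrapping a shared Reader in a new BufferedReader per call loses the read-ahead, so only the first block of a multi-certificate bundle is returned.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

// Added illustration; PemReadAheadDemo and readOnePem are hypothetical names,
// not jruby-openssl APIs.
public class PemReadAheadDemo {

    // Reads lines up to and including the next "-----END" line; null at EOF.
    static String readOnePem(BufferedReader in) throws IOException {
        StringBuilder pem = new StringBuilder();
        String line;
        while ((line = in.readLine()) != null) {
            pem.append(line).append('\n');
            if (line.startsWith("-----END")) return pem.toString();
        }
        return null;
    }

    // Broken pattern: a fresh BufferedReader per call. Each wrapper fills its
    // own buffer (8192 chars by default) from the shared Reader, and whatever
    // it read ahead is lost when the wrapper is discarded.
    static int countRewrapping(Reader shared) throws IOException {
        int n = 0;
        while (readOnePem(new BufferedReader(shared)) != null) n++;
        return n;
    }

    // Correct pattern: wrap once and reuse the same buffer for every block.
    static int countSharedBuffer(Reader shared) throws IOException {
        BufferedReader in = new BufferedReader(shared);
        int n = 0;
        while (readOnePem(in) != null) n++;
        return n;
    }

    public static void main(String[] args) throws IOException {
        // Constructed two-entry bundle (placeholder bodies, not real certificates).
        String bundle =
            "-----BEGIN CERTIFICATE-----\nPLACEHOLDER1\n-----END CERTIFICATE-----\n"
          + "-----BEGIN CERTIFICATE-----\nPLACEHOLDER2\n-----END CERTIFICATE-----\n";
        System.out.println("re-wrapped per call:  "
            + countRewrapping(new StringReader(bundle)));
        System.out.println("single shared buffer: "
            + countSharedBuffer(new StringReader(bundle)));
    }
}
```

A trust store populated through the re-wrapping pattern ends up missing entries from the bundle, which is one way a chain that verified before a change can start failing afterwards.
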
@kares
Member

kares commented Aug 27, 2015

@sluukkonen you can check-out a pre-release gem with this fix, (should work fine on 1.7.22) from: https://oss.sonatype.org/content/repositories/snapshots/rubygems/jruby-openssl/0.9.11.dev-SNAPSHOT/

p.s. the fact that MRI fails is likely due to a "low" security algorithm: TLS_RSA_WITH_AES_128_CBC_SHA ... on our side this requires some considerable time investment to get aligned/right with recent OpenSSL - until then we're still working with some "older" ciphers (although not the critical ones). will add notes on the relevant issue.

@sluukkonen
Author

Thanks, I'll be trying the fix today.

@sluukkonen
Author

Can confirm that the new pre-release gem fixes all of my issues with the problematic sites.

@jjb

jjb commented Oct 2, 2015

will the fix go out with 1.7.23?

@mkristian
Member

it will go out with 1.7.23 - hopefully soon since there is some other fix waiting to be used.
