SSLSocket can't be created from UNIXSocket #2992

Closed
ojab opened this issue May 26, 2015 · 8 comments

ojab commented May 26, 2015

Testcase:

```ruby
require 'socket'
require 'openssl'

from, to = UNIXSocket.pair
ssl_to = OpenSSL::SSL::SSLSocket.new(to)
ssl_to.write('foo')
```

fails with

```
SSLSocket.java:858:in `getSocketChannel': java.lang.ClassCastException: jnr.unixsocket.UnixSocketChannel cannot be cast to java.nio.channels.SocketChannel
    from SSLSocket.java:726:in `checkClosed'
    from SSLSocket.java:687:in `do_syswrite'
    from SSLSocket.java:711:in `syswrite'
    from SSLSocket$INVOKER$i$1$0$syswrite.gen:-1:in `call'
    from CachingCallSite.java:313:in `cacheAndCall'
    from CachingCallSite.java:163:in `call'
    from InterpreterEngine.java:292:in `processCall'
    from StartupInterpreterEngine.java:78:in `interpret'
    from InterpreterEngine.java:84:in `interpret'
    from MixedModeIRMethod.java:199:in `INTERPRET_METHOD'
    from MixedModeIRMethod.java:185:in `call'
    from DynamicMethod.java:205:in `call'
    from CachingCallSite.java:313:in `cacheAndCall'
    from CachingCallSite.java:163:in `call'
    from InterpreterEngine.java:292:in `processCall'
    from StartupInterpreterEngine.java:78:in `interpret'
    from InterpreterEngine.java:84:in `interpret'
    from MixedModeIRMethod.java:199:in `INTERPRET_METHOD'
    from MixedModeIRMethod.java:185:in `call'
    from DynamicMethod.java:205:in `call'
    from CachingCallSite.java:313:in `cacheAndCall'
    from CachingCallSite.java:163:in `call'
    from /tmp/socket.rb:-1:in `invokeOther9:write'
    from /tmp/socket.rb:6:in `RUBY$script'
    from MethodHandle.java:625:in `invokeWithArguments'
    from Compiler.java:111:in `load'
    from Ruby.java:833:in `runScript'
    from Ruby.java:822:in `runScript'
    from Ruby.java:752:in `runNormally'
    from Ruby.java:574:in `runFromMain'
    from Main.java:401:in `doRunFromMain'
    from Main.java:296:in `internalRun'
    from Main.java:225:in `run'
    from Main.java:197:in `main'
```

on JRuby jruby 9.0.0.0-SNAPSHOT (2.2.2) 2015-05-26 78b009c Java HotSpot(TM) 64-Bit Server VM 25.45-b02 on 1.8.0_45-b14 +jit [darwin-x86_64], no error on MRI (tested with 1.9 & 2.2).

headius (Member) commented May 28, 2015

I guess this should work, but is there a reason you want to do it? I can find no good reason why you'd want to use SSL over a UNIX domain socket.

ojab (Author) commented May 28, 2015

I've run tests of one proprietary product [that runs without failures under MRI] under JRuby and am just reporting incompatibilities.
Commit message for that testcase says that UNIX sockets are more reliable than TCP ones and I guess it should be reworked, but that's another story.
I doubt that there are any practical use cases for SSL over UNIX sockets.

headius (Member) commented May 29, 2015

Ok thanks. I'm ambivalent about fixing this because it seems like a very unusual and synthetic case unlikely to affect JRuby users. However I will defer to the folks doing the most work on jruby-openssl, @kares and @mkristian.

kares added the openssl label Jun 1, 2015

headius (Member) commented Jun 2, 2015

@kares @mkristian Since this is a jruby-openssl issue (it needs to support non-socket selectable streams like UNIXSocketChannel) I'm closing it here.

andrew-aladev commented Dec 2, 2016

@ojab What is a unix socket? This is the most reliable and fast connection with some application. You can connect to this application and it will create an insecure channel to another application. You want to make this channel secure, you are going to use SSLSocket and you failed with unknow channel impl: jnr.unixsocket.UnixSocketChannel.

ojab (Author) commented Dec 2, 2016

SSL is used for protection against MiTM attacks, if someone has access to intercept your unix-socket -- I doubt that SSL would prevent traffic interception/modification.

andrew-aladev commented

@ojab, My English is not very good, sorry.

I mean that unix socket could be used instead of tcp socket in order to increase the performance of my connection to local application. The security of my connection to this unix socket is my responsibility.

So I am connecting to local application and I am sure that it is secure. But then my local application creates an insecure channel to another application. What does it mean for me? My local secure connection has changed and now it is a remote insecure connection.

What will be a good example for such usage? Let's imagine that famous http proxy squid supports a binding to unix socket instead of *:3128. I am connecting with jruby to this proxy and I am using http connect method to connect to google.com:443. Now I want to use SSLSocket to establish a secure connection.

ojab (Author) commented Dec 2, 2016

Ah, yes, that makes sense.
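
Added example, not part of the original thread and not code from JRuby or jruby-openssl: the use case discussed above (TLS to a remote server carried over a local UNIX socket) reproduced on MRI, with `UNIXSocket.pair` standing in for the proxy tunnel and the client verifying the peer certificate and host name. The certificate, the host names and the helpers `demo_identity` and `tls_echo_over_unix_socket` are constructed for illustration.

```ruby
require 'socket'
require 'openssl'

# Constructed throwaway self-signed certificate standing in for the remote server.
def demo_identity(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Hypothetical helper: TLS echo across UNIXSocket.pair; returns the server's reply.
# Raises OpenSSL::SSL::SSLError when the certificate does not match expected_host.
def tls_echo_over_unix_socket(expected_host, server_name)
  key, cert = demo_identity(server_name)
  client_io, server_io = UNIXSocket.pair
  server = Thread.new do
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.key = key
    ctx.cert = cert
    peer = OpenSSL::SSL::SSLSocket.new(server_io, ctx)
    peer.sync_close = true
    peer.accept
    line = peer.gets
    peer.puts(line.upcase) if line
  rescue OpenSSL::SSL::SSLError, SystemCallError
    # The client hung up early, for example after rejecting the certificate.
  ensure
    peer&.close
  end
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = OpenSSL::X509::Store.new.add_cert(cert)
  ssl = OpenSSL::SSL::SSLSocket.new(client_io, ctx)
  ssl.sync_close = true
  ssl.connect                               # handshake runs over the UNIX socket
  ssl.post_connection_check(expected_host)  # identity check does not depend on the transport
  ssl.puts('foo')
  ssl.gets.chomp
ensure
  ssl&.close
  server&.join
end
```
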
