SSL Certificates Don't Work From Jar #531

Closed
sgonyea opened this issue Feb 11, 2013 · 6 comments

sgonyea commented Feb 11, 2013

I'm here to keep the JRuby team mired in SSL blerghs. It appears that something broke when the jruby-openssl gem moved into JRuby. This assertion may be untrue, and I'll verify against 1.7.0.

If you warble a Jar with an SSL certificate, and set the ca_file (also, verify peer) to a file that was bundled along with the Jar... You'll get an error that's something like:

      #<OpenSSL::SSL::SSLError: jar:file:/Users/sgonyea/tmp/dp/PP.jar!/my_project/lib/ca-certificates.crt> - ["org/jruby/ext/openssl/SSLContext.java:229:in `setup'", "org/jruby/ext/openssl/SSLSocket.java:145:in `initialize'", "jar:file:/var/folders/bd/qxsdqy3d7_gg31pdjm_00lsr0000gn/T/jruby260755300623026042extract/jruby-stdlib-1.7.2.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:776 [SNIP]

The code I'm using to make HTTP calls looks like:

      Net::HTTP.new(uri.host, uri.port).tap do |http|
        http.use_ssl      = true
        http.read_timeout = PP::HTTP_TIMEOUT
        http.ca_file      = PP.ca_file
        http.verify_mode  = OpenSSL::SSL::VERIFY_PEER
      end

      module PP
        # Snipped, for how we get to the ca_file value above:
        def self.ca_file
          Pathname(File.expand_path File.dirname(__FILE__)).join("ca-certificates.crt").to_s
        end
      end

Obviously, the above code works if you are not working from a Jar. Warble that code into a jar (or however) and it should fail. Doing a File.read on that will return the contents of the file.

My interim solution is to simply read in the CA cert and write it out to a tmp directory. It seems that there is no obvious way to turn a Cert file (containing multiple certs) into a Cert Store from a String.

If I do a http.cert = OpenSSL::X509::Certificate.new(File.read '...') then the HTTP request times out and fails to connect, it seems. Digging around in the code, it looks like the cert is not used unless a private key is also supplied?

alenad commented Feb 23, 2013

I can confirm this problem. I get the same error with JRuby 1.7.2 and httpclient 1.3.2 (which tries to load /gems/httpclient-2.3.2/lib/httpclient/cacert.p7s from the warbled jar).

enwood commented Mar 10, 2013

I can also confirm this as a problem under JRuby 1.7.2 and Torquebox 2.3.0.

  def HttpsPoster.post(mpg_request)
    http = Net::HTTP.new(@@uri.host,@@uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = "lib/ca-certificate.crt"

    puts "Sending:\n#{mpg_request.to_xml}"

    response = RespMod::Response.new

    http.start {
      http.request_post("/gateway2/servlet/MpgRequest",mpg_request.to_xml, {'User-Agent' => 'RUBY - 2.5.0 - Resolver'}) {|res|
        response.from_xml(res.body)
      }
    }
  end

The call to http.request_post generates "OpenSSL::SSL::SSLError":

  org/jruby/ext/openssl/SSLContext.java:229:in `setup'
  org/jruby/ext/openssl/SSLSocket.java:145:in `initialize'
  /Volumes/HD/Users/tgriffin/.rvm/rubies/jruby-1.7.2/lib/ruby/1.9/net/http.rb:776:in `connect'
  /Volumes/HD/Users/tgriffin/.rvm/rubies/jruby-1.7.2/lib/ruby/1.9/net/http.rb:755:in `do_start'
  /Volumes/HD/Users/tgriffin/.rvm/rubies/jruby-1.7.2/lib/ruby/1.9/net/http.rb:744:in `start'
  lib/mpgapi4r.rb:20:in `post'
  app/models/user.rb:445:in `get_preauthorization'
  app/controllers/companies_controller.rb:28:in `show'
  org/jruby/RubyBasicObject.java:1659:in `__send__'
  org/jruby/RubyKernel.java:2086:in `send'
  actionpack (3.2.12) lib/action_controller/metal/implicit_render.rb:4:in `send_action'
  actionpack (3.2.12) lib/abstract_controller/base.rb:167:in `process_action'
  actionpack (3.2.12) lib/action_controller/metal/rendering.rb:10:in `process_action'
  actionpack (3.2.12) lib/abstract_controller/callbacks.rb:18:in `process_action'
  activesupport (3.2.12) lib/active_support/callbacks.rb:472:in `_run__438798832__process_action__596320002__callbacks'
  org/jruby/RubyBasicObject.java:1659:in `__send__'
  org/jruby/RubyKernel.java:2086:in `send'
  activesupport (3.2.12) lib/active_support/callbacks.rb:405:in `__run_callback'
  activesupport (3.2.12) lib/active_support/callbacks.rb:390:in `_run_process_action_callbacks'
  org/jruby/RubyBasicObject.java:1665:in `__send__'
  org/jruby/RubyKernel.java:2090:in `send'
  activesupport (3.2.12) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (3.2.12) lib/abstract_controller/callbacks.rb:17:in `process_action'
  actionpack (3.2.12) lib/action_controller/metal/rescue.rb:29:in `process_action'
  actionpack (3.2.12) lib/action_controller/metal/instrumentation.rb:30:in `process_action'
  activesupport (3.2.12) lib/active_support/notifications.rb:123:in `instrument'
  activesupport (3.2.12) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
  activesupport (3.2.12) lib/active_support/notifications/instrumenter.rb:19:in `instrument'
  activesupport (3.2.12) lib/active_support/notifications.rb:123:in `instrument'
  actionpack (3.2.12) lib/action_controller/metal/instrumentation.rb:29:in `process_action'
  actionpack (3.2.12) lib/action_controller/metal/params_wrapper.rb:207:in `process_action'
  activerecord (3.2.12) lib/active_record/railties/controller_runtime.rb:18:in `process_action'
  actionpack (3.2.12) lib/abstract_controller/base.rb:121:in `process'
  actionpack (3.2.12) lib/abstract_controller/rendering.rb:45:in `process'
  actionpack (3.2.12) lib/action_controller/metal.rb:203:in `dispatch'
  actionpack (3.2.12) lib/action_controller/metal/rack_delegation.rb:14:in `dispatch'
  actionpack (3.2.12) lib/action_controller/metal.rb:246:in `action'
  org/jruby/RubyProc.java:249:in `call'
  actionpack (3.2.12) lib/action_dispatch/routing/route_set.rb:73:in `dispatch'
  actionpack (3.2.12) lib/action_dispatch/routing/route_set.rb:36:in `call'
  journey (1.0.4) lib/journey/router.rb:68:in `call'
  org/jruby/RubyArray.java:1613:in `each'
  journey (1.0.4) lib/journey/router.rb:56:in `call'
  actionpack (3.2.12) lib/action_dispatch/routing/route_set.rb:601:in `call'
  exception_notification (3.0.1) lib/exception_notifier.rb:41:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
  rack (1.4.5) lib/rack/etag.rb:23:in `call'
  rack (1.4.5) lib/rack/conditionalget.rb:25:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/head.rb:14:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/flash.rb:242:in `call'
  torquebox-web-2.3.0 (java) lib/torquebox/session/servlet_store.rb:31:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/cookies.rb:341:in `call'
  activerecord (3.2.12) lib/active_record/query_cache.rb:64:in `call'
  activerecord (3.2.12) lib/active_record/connection_adapters/abstract/connection_pool.rb:479:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/callbacks.rb:28:in `call'
  activesupport (3.2.12) lib/active_support/callbacks.rb:408:in `_run__50436167__call__10772720__callbacks'
  org/jruby/RubyBasicObject.java:1659:in `__send__'
  org/jruby/RubyKernel.java:2086:in `send'
  activesupport (3.2.12) lib/active_support/callbacks.rb:405:in `__run_callback'
  activesupport (3.2.12) lib/active_support/callbacks.rb:390:in `_run_call_callbacks'
  org/jruby/RubyBasicObject.java:1659:in `__send__'
  org/jruby/RubyKernel.java:2086:in `send'
  activesupport (3.2.12) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (3.2.12) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  rails-dev-tweaks (0.6.1) lib/rails_dev_tweaks/granular_autoload/middleware.rb:34:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/remote_ip.rb:31:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/debug_exceptions.rb:16:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
  railties (3.2.12) lib/rails/rack/logger.rb:32:in `call_app'
  railties (3.2.12) lib/rails/rack/logger.rb:16:in `call'
  activesupport (3.2.12) lib/active_support/tagged_logging.rb:22:in `tagged'
  railties (3.2.12) lib/rails/rack/logger.rb:16:in `call'
  quiet_assets (1.0.1) lib/quiet_assets.rb:20:in `call_with_quiet_assets'
  actionpack (3.2.12) lib/action_dispatch/middleware/request_id.rb:22:in `call'
  rack (1.4.5) lib/rack/methodoverride.rb:21:in `call'
  rack (1.4.5) lib/rack/runtime.rb:17:in `call'
  rack (1.4.5) lib/rack/lock.rb:15:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/static.rb:62:in `call'
  railties (3.2.12) lib/rails/engine.rb:479:in `call'
  railties (3.2.12) lib/rails/application.rb:223:in `call'
  org/jruby/RubyBasicObject.java:1665:in `__send__'
  org/jruby/RubyKernel.java:2090:in `send'
  railties (3.2.12) lib/rails/railtie/configurable.rb:30:in `method_missing'

rtyler commented Aug 5, 2013

@sgonyea I'm curious what your workaround for the jarfile looks like in code terms; I'm also hitting this issue when using the New Relic gem from within a warbled jar file. :/

Author

sgonyea commented Aug 5, 2013

Read the SSL cert in from a file and then write it out somewhere. So, a tempfile or into a folder, relative to the warbled jar (which is what I am doing).

If it's a private SSL key/cert then you can touch the file, set permissions, and then write to it (or something).
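
The workaround discussed in this thread, sketched as an added example that is not code from the issue or from JRuby: it takes the bundle contents as a String (as returned by `File.read` on the `jar:` path) and either builds an in-memory trust store or copies the bundle to a real file. The function names are hypothetical, the sample roots are constructed, and it assumes the standard Ruby OpenSSL API; it has not been checked against the jruby-openssl bundled with JRuby 1.7.2.

```ruby
require "openssl"
require "tempfile"

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Split a PEM bundle String (e.g. File.read of the jar: path) into certificates.
def certs_from_bundle(pem_bundle)
  certs = pem_bundle.scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
  raise ArgumentError, "no certificates found in bundle" if certs.empty?
  certs
end

# Option 1: in-memory trust store, assigned to http.cert_store instead of http.ca_file.
def cert_store_from_bundle(pem_bundle)
  store = OpenSSL::X509::Store.new
  certs_from_bundle(pem_bundle).each { |cert| store.add_cert(cert) }
  store
end

# Option 2: the thread's workaround, copying the bundle to a real file for http.ca_file.
# Tempfile creates the file with mode 0600; keep the returned object referenced,
# because the file is deleted once the object is garbage-collected.
def extract_bundle(pem_bundle)
  certs_from_bundle(pem_bundle) # refuse to write a file with no trust anchors
  file = Tempfile.new(["ca-bundle", ".crt"])
  file.write(pem_bundle)
  file.flush
  file
end

# Constructed sample input: a throwaway self-signed root, not a real CA.
def constructed_ca(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
end

if __FILE__ == $PROGRAM_NAME
  bundle = constructed_ca("Constructed Root A").to_pem + constructed_ca("Constructed Root B").to_pem
  puts cert_store_from_bundle(bundle).verify(certs_from_bundle(bundle).first)
  puts extract_bundle(bundle).path
end
```

With either option `verify_mode` stays at `OpenSSL::SSL::VERIFY_PEER`; only the way the trust anchors reach OpenSSL changes.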

rtyler commented Aug 5, 2013

It looks like all-around-nice-guy @jordansissel has created a workaround for this, as was documented for JRUBY-6970, which can be found here

I'm going to give it a try and see what happens.

Member

kares commented Feb 27, 2015

this has been fixed by Kristian's commits (it's in jruby-openssl 0.9.6) ... starting at jruby/jruby-openssl@aa51d9b#diff-67972a6a9364f41a90295ceabf0e9180R298 sponsored by @lookout :) !

@kares kares closed this as completed Feb 27, 2015
@enebo enebo added this to the Non-Release milestone Apr 28, 2015