Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL Certificates Don't Work From Jar #531

Closed
sgonyea opened this issue Feb 11, 2013 · 6 comments
Closed

SSL Certificates Don't Work From Jar #531

sgonyea opened this issue Feb 11, 2013 · 6 comments
Labels
openssl
Milestone
Non-Release

Comments

@sgonyea
Copy link

sgonyea commented Feb 11, 2013

I'm here to keep the JRuby team mired in SSL blerghs. It appears that something broke when the jruby-openssl gem moved into JRuby. This assertion may be untrue, and I'll verify against 1.7.0.

If you warble a Jar with an SSL certificate, and set the ca_file (also, verify peer) to a file that was bundled along with the Jar... You'll get an error that's something like:

#<OpenSSL::SSL::SSLError: jar:file:/Users/sgonyea/tmp/dp/PP.jar!/my_project/lib/ca-certificates.crt> - ["org/jruby/ext/openssl/SSLContext.java:229:insetup'", "org/jruby/ext/openssl/SSLSocket.java:145:in initialize'", "jar:file:/var/folders/bd/qxsdqy3d7_gg31pdjm_00lsr0000gn/T/jruby260755300623026042extract/jruby-stdlib-1.7.2.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:776 [SNIP]

The code I'm using to make HTTP calls looks like:

      Net::HTTP.new(uri.host, uri.port).tap do |http|
        http.use_ssl      = true
        http.read_timeout = PP::HTTP_TIMEOUT
        http.ca_file      = PP.ca_file
        http.verify_mode  = OpenSSL::SSL::VERIFY_PEER
      end

module PP
  # Snipped, for how we get to the ca_file value above:
  def self.ca_file
    Pathname(File.expand_path File.dirname(__FILE__)).join("ca-certificates.crt").to_s
  end
end

Obviously, the above code works if you are not working from a Jar. Warble that code into a jar (or however) and it should fail. Doing a File.read on that will return the contents of the file.

My interim solution is to simply read in the CA cert and write it out to a tmp directory. It seems that there is no obvious way to turn a Cert file (containing multiple certs) into a Cert Store from a String.

If I do a http.cert = OpenSSL::X509::Certificate.new(File.read '...') then the HTTP request times out and fails to connect, it seems. Digging around in the code, it looks like the cert is not used unless a private key is also supplied?
@alenad
Copy link

alenad commented Feb 23, 2013

I can confirm this problem. I get the same error with JRuby 1.7.2 and httpclient 1.3.2 (which tries to load /gems/httpclient-2.3.2/lib/httpclient/cacert.p7s from the warbled jar).

@enwood
Copy link

enwood commented Mar 10, 2013

I can also confirm this as a problem under JRuby 1.7.2 and Torquebox 2.3.0.

  def HttpsPoster.post(mpg_request)
    http = Net::HTTP.new(@@uri.host,@@uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = "lib/ca-certificate.crt"

    puts "Sending:\n#{mpg_request.to_xml}"

    response = RespMod::Response.new

    http.start {
      http.request_post("/gateway2/servlet/MpgRequest",mpg_request.to_xml, {'User-Agent' => 'RUBY - 2.5.0 - Resolver'}) {|res|
        response.from_xml(res.body)
      }
    }

The call to http.request_post generates "OpenSSL::SSL::SSLError":

  org/jruby/ext/openssl/SSLContext.java:229:in `setup'
  org/jruby/ext/openssl/SSLSocket.java:145:in `initialize'
  /Volumes/HD/Users/tgriffin/.rvm/rubies/jruby-1.7.2/lib/ruby/1.9/net/http.rb:776:in `connect'
  /Volumes/HD/Users/tgriffin/.rvm/rubies/jruby-1.7.2/lib/ruby/1.9/net/http.rb:755:in `do_start'
  /Volumes/HD/Users/tgriffin/.rvm/rubies/jruby-1.7.2/lib/ruby/1.9/net/http.rb:744:in `start'
  lib/mpgapi4r.rb:20:in `post'
  app/models/user.rb:445:in `get_preauthorization'
  app/controllers/companies_controller.rb:28:in `show'
  org/jruby/RubyBasicObject.java:1659:in `__send__'
  org/jruby/RubyKernel.java:2086:in `send'
  actionpack (3.2.12) lib/action_controller/metal/implicit_render.rb:4:in `send_action'
  actionpack (3.2.12) lib/abstract_controller/base.rb:167:in `process_action'
  actionpack (3.2.12) lib/action_controller/metal/rendering.rb:10:in `process_action'
  actionpack (3.2.12) lib/abstract_controller/callbacks.rb:18:in `process_action'
  activesupport (3.2.12) lib/active_support/callbacks.rb:472:in `_run__438798832__process_action__596320002__callbacks'
  org/jruby/RubyBasicObject.java:1659:in `__send__'
  org/jruby/RubyKernel.java:2086:in `send'
  activesupport (3.2.12) lib/active_support/callbacks.rb:405:in `__run_callback'
  activesupport (3.2.12) lib/active_support/callbacks.rb:390:in `_run_process_action_callbacks'
  org/jruby/RubyBasicObject.java:1665:in `__send__'
  org/jruby/RubyKernel.java:2090:in `send'
  activesupport (3.2.12) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (3.2.12) lib/abstract_controller/callbacks.rb:17:in `process_action'
  actionpack (3.2.12) lib/action_controller/metal/rescue.rb:29:in `process_action'
  actionpack (3.2.12) lib/action_controller/metal/instrumentation.rb:30:in `process_action'
  activesupport (3.2.12) lib/active_support/notifications.rb:123:in `instrument'
  activesupport (3.2.12) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
  activesupport (3.2.12) lib/active_support/notifications/instrumenter.rb:19:in `instrument'
  activesupport (3.2.12) lib/active_support/notifications.rb:123:in `instrument'
  actionpack (3.2.12) lib/action_controller/metal/instrumentation.rb:29:in `process_action'
  actionpack (3.2.12) lib/action_controller/metal/params_wrapper.rb:207:in `process_action'
  activerecord (3.2.12) lib/active_record/railties/controller_runtime.rb:18:in `process_action'
  actionpack (3.2.12) lib/abstract_controller/base.rb:121:in `process'
  actionpack (3.2.12) lib/abstract_controller/rendering.rb:45:in `process'
  actionpack (3.2.12) lib/action_controller/metal.rb:203:in `dispatch'
  actionpack (3.2.12) lib/action_controller/metal/rack_delegation.rb:14:in `dispatch'
  actionpack (3.2.12) lib/action_controller/metal.rb:246:in `action'
  org/jruby/RubyProc.java:249:in `call'
  actionpack (3.2.12) lib/action_dispatch/routing/route_set.rb:73:in `dispatch'
  actionpack (3.2.12) lib/action_dispatch/routing/route_set.rb:36:in `call'
  journey (1.0.4) lib/journey/router.rb:68:in `call'
  org/jruby/RubyArray.java:1613:in `each'
  journey (1.0.4) lib/journey/router.rb:56:in `call'
  actionpack (3.2.12) lib/action_dispatch/routing/route_set.rb:601:in `call'
  exception_notification (3.0.1) lib/exception_notifier.rb:41:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
  rack (1.4.5) lib/rack/etag.rb:23:in `call'
  rack (1.4.5) lib/rack/conditionalget.rb:25:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/head.rb:14:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/flash.rb:242:in `call'
  torquebox-web-2.3.0 (java) lib/torquebox/session/servlet_store.rb:31:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/cookies.rb:341:in `call'
  activerecord (3.2.12) lib/active_record/query_cache.rb:64:in `call'
  activerecord (3.2.12) lib/active_record/connection_adapters/abstract/connection_pool.rb:479:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/callbacks.rb:28:in `call'
  activesupport (3.2.12) lib/active_support/callbacks.rb:408:in `_run__50436167__call__10772720__callbacks'
  org/jruby/RubyBasicObject.java:1659:in `__send__'
  org/jruby/RubyKernel.java:2086:in `send'
  activesupport (3.2.12) lib/active_support/callbacks.rb:405:in `__run_callback'
  activesupport (3.2.12) lib/active_support/callbacks.rb:390:in `_run_call_callbacks'
  org/jruby/RubyBasicObject.java:1659:in `__send__'
  org/jruby/RubyKernel.java:2086:in `send'
  activesupport (3.2.12) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (3.2.12) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  rails-dev-tweaks (0.6.1) lib/rails_dev_tweaks/granular_autoload/middleware.rb:34:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/remote_ip.rb:31:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/debug_exceptions.rb:16:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
  railties (3.2.12) lib/rails/rack/logger.rb:32:in `call_app'
  railties (3.2.12) lib/rails/rack/logger.rb:16:in `call'
  activesupport (3.2.12) lib/active_support/tagged_logging.rb:22:in `tagged'
  railties (3.2.12) lib/rails/rack/logger.rb:16:in `call'
  quiet_assets (1.0.1) lib/quiet_assets.rb:20:in `call_with_quiet_assets'
  actionpack (3.2.12) lib/action_dispatch/middleware/request_id.rb:22:in `call'
  rack (1.4.5) lib/rack/methodoverride.rb:21:in `call'
  rack (1.4.5) lib/rack/runtime.rb:17:in `call'
  rack (1.4.5) lib/rack/lock.rb:15:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/static.rb:62:in `call'
  railties (3.2.12) lib/rails/engine.rb:479:in `call'
  railties (3.2.12) lib/rails/application.rb:223:in `call'
  org/jruby/RubyBasicObject.java:1665:in `__send__'
  org/jruby/RubyKernel.java:2090:in `send'
  railties (3.2.12) lib/rails/railtie/configurable.rb:30:in `method_missing'

@rtyler
Copy link

rtyler commented Aug 5, 2013

@sgonyea I'm curious what your workaround for the jarfile looks like in code terms, I'm also hitting this issue when using the New Relic gem from within a warbled jar file. :/

@sgonyea
Copy link
Author

sgonyea commented Aug 5, 2013

Read the SSL cert in from a file and then write it out somewhere. So, a tempfile or into a folder, relative to the warbled jar (which is what I am doing).

If it's a private SSL key/cert then you can touch the file, set permissions, and then write to it (or something).

@rtyler
Copy link

rtyler commented Aug 5, 2013

It looks like all-around-nice-guy @jordansissel has created a work around for this, as was documented for JRUBY-6970 which can be found here

I'm going to give it a try and see what happens.

@carlossg carlossg mentioned this issue Aug 29, 2013
Merged
@kares
Copy link
Member

kares commented Feb 27, 2015

this has been fixed by Kristian's commits (it's in jruby-openssl 0.9.6) ... starting at jruby/jruby-openssl@aa51d9b#diff-67972a6a9364f41a90295ceabf0e9180R298 sponsored by @lookout :) !

@kares kares closed this as completed Feb 27, 2015
@enebo enebo added this to the Non-Release milestone Apr 28, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
openssl
Projects
None yet
Milestone
Non-Release
Development

No branches or pull requests
6 participants
@enebo @rtyler @kares @sgonyea @enwood @alenad