'bad_record_mac' when uploading things through SSL under particular conditions #1331
Comments
|
This seems related to #1080. Feel free to mark either as a duplicate if it turns out to be the same issue. |
|
@aarti Correct me if I'm wrong, but it seems to me that you're getting a different error? "Broken pipe (IOError)" is not the same thing as "bad_record_mac (SSLError)" — the first indicates a transport layer error, while the latter indicates a protocol error (supposedly). The "bad_record_mac" error is never supposed to happen for correct implementations of the SSL protocol, which is why I'm suspecting a bug in something deeper than a high-level gem like |
|
Another easy test-case. jruby -ropen-uri -e "Thread.abort_on_exception = true ; 10.times { Thread.new { loop { open('https://rubygems.org/gems/berkshelf-3.1.1.gem').read; p :ok } } }; sleep" Eventually fails on linux or ruby with jruby 1.7.11 and 1.7.12 This feels like it might be something related to jruby's re-implementation of openssl? I'm not sure how that works. I'm not sure why it is named "openssl.". |
|
I was able to reproduce the fail cases using nginx-1.0.15-5.el6.x86_64 ssl server on an old centos 6.2 image with openssl-1.0.0-20.el6_2.5.x86_64 |
|
@gmanfunky It appears that this issue is tied to the Oracle JDK. If you have the option to use OpenJDK in your production environment I would recommend that. |
|
Yes, i agree that it does appear to be an issue when using Oracle JDK. But it is gnarly enough of an intermittent bug that I think JRuby might want to help identify a better test case and possible workaround and ultimately push for a fix upstream. While I can set our JRuby to use OpenJDK in some cases, this bug will still manifest in an unrelated OracleJava-SSL-Client->nginx process as well. |
|
Yea, this is definitely a big problem. I still have intermittent failures on my Mac clients as there is not a suitable OpenJDK build yet for Mac OS. |
|
I wanted to see if this got fixed with the current jruby-openssl if someone is willing to checkout the new jruby-openssl gem then I could |
|
@mkristian @gmanfunky @headius Hooray! I can no longer recreate this problem using jruby-openssl-0.9.5.dev from latest jruby/jruby commit on master. I am running jruby-1.7.12 on Oracle JDK 7u55 on OS X, after upgrading everything to latest. It is worth mentioning that I was still experiencing intermittent SSL failures with latest jruby-openssl until I upgraded both JRuby (from 1.7.8) and the JDK (from 1.7u45), so something must have also changed elsewhere. |
|
@kares FYI your refactoring did already some good ;) @gmanfunky since you were seeing this error as well, could you give the jruby-openssl from ext/openssl from the jruby master also a trial. |
|
@mkristian oh yeah ... the "big OpenSSL" cleanup was definitely worth it :) ... thanks! |
|
I'm still experiencing this on JRuby 1.7.13 and Oracle 7u65 64bit on Mavericks. I've tried pushing the version of JRuby OpenSSL to 0.9.6.dev, but this still errors on all uploads over 128KB. Has anyone else continued to experience this, or is this something environmental (in a more specific way than 'OS X')? |
|
We're seeing what may be the same issue in JRuby 1.7.18 running on JDK 7u40. @mkristian I've created an internal ticket with some production stack traces and links if you'd like to take a look at that. |
|
@rtyler I'm disappointed to hear you might have the same issue. Please confirm that it's literally the same "bad_record_mac" bug. We have not had other reports on recent JDKs, so I start to twitch when I hear this might still be a bug. Note also jruby/jruby-openssl#12, #1874, and other issues that involve updating our list of ciphers and default protocols. |
|
it is seen with jdk-1.7u40 and not with jdk-1.7u72: the tests showed it is the same "bad_record_mac" and CAN be fixed by updating the jdk to the latest version. the state of jossl is something which does not look nice IMO: in comparison to MRI produced by https://gist.github.com/cscotta/8302049 |
|
@mkristian Definitely needs some love to bring it up to date :-( |
|
@mkristian Is this an issue in 9.x? |
1 similar comment
|
@mkristian Is this an issue in 9.x? |
|
@enebo first it is more an issue with jruby-openssl the script from above https://gist.github.com/cscotta/8302049 on current jruby master still produce a rather small list of ciphers. the original error with |
JRuby version:
jruby 1.7.9 (1.9.3p392) 2013-12-06 87b108a on Java HotSpot(TM) 64-Bit Server VM 1.7.0_45-b18 [darwin-x86_64]
I'm occasionally getting an SSLError with the message "bad_record_mac" when trying to upload files to S3 through Fog. Since the error seems to happen for other people using other libraries (see rubygems/rubygems.org#615, for instance), it seems likely to be a bug in JRuby or even the JRE.
The issue seems to crop up when the data size goes beyond a certain limit — in my case, I could make it "work" by restricting file size to <100K, which obviously isn't a very good long-term solution. There is more info in the comment thread pertaining to the issue in RubyGems I referenced above.
Running JRuby with
JRUBY_OPTS="-J-Djavax.net.debug=ssl"yielded a lot of output. I have tried to limit it to the lines leading up to the failure. Note that handshake seems to go fine, but the error happens during the transmission itself:Please let me know if there is anything I can do to provide more information. Unfortunately it is difficult to provide the best reproduction circumstances, because access to our S3 bucket is restricted, and there may even be network errors in play, although notably, I cannot reproduce this with MRI 1.9.3 or 2.0.0, while it does happen very consistently (at least every time the file is larger than the threshold) with JRuby.
The text was updated successfully, but these errors were encountered: