Net::HTTP doesn't call verify_callback #597

Closed
jcoyne opened this issue Mar 21, 2013 · 5 comments
Comments

jcoyne commented Mar 21, 2013

Test case:

require 'net/https'
uri = URI.parse('https://www.amazon.com/')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_callback = lambda do |preverify_ok, ssl_context|
  puts "***THIS SHOULD PRINT***"
  # puts returns nil, and only an exact true counts as "accept", so this
  # callback rejects every certificate even where it is invoked
end
http.ca_file = 'test/fixture/verisign_c3.pem'
response = http.start do |s|
  s.get(uri.request_uri)
end

# => OpenSSL::SSL::SSLError: certificate verify failed

In MRI, "***THIS SHOULD PRINT***" is printed, but not so for JRuby.

ghost commented Oct 24, 2013

Same issue here. Does someone have this on the list? Fails w/ JRuby 1.7.4 as well as 1.7.5.

ab commented Apr 2, 2014

👍

ab added a commit to ab/rest-client that referenced this issue Apr 2, 2014
The OpenSSL verify_callback isn't supported on jruby [1], and behaves in
somewhat surprising ways on OS X due to Apple monkey patching OpenSSL.

We probably want to move in the direction of just passing through the
OpenSSL exceptions anyway.

[1] jruby/jruby#597

Fixes: rest-client#165
See also: rest-client#168, e03e5e6
ab commented Apr 10, 2014

Fun fact: if you set a cert_store (even an empty one), the verify_callback will be called.

Tested on jruby 1.7.9 (1.9.3p392) 2013-12-06 87b108a on OpenJDK 64-Bit Server VM 1.6.0_30-b30 [linux-amd64] and jruby 1.7.5 (1.9.3p392) 2013-10-07 74e9291 on OpenJDK 64-Bit Server VM 1.6.0_30-b30 [linux-amd64].

#!/usr/bin/env ruby

if ARGV.include?('--fail')
  always_fail = true   # --fail: reject every certificate from the callback
else
  always_fail = false
end

require 'net/https'
uri = URI.parse('https://www.amazon.com/')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_callback = lambda do |preverify_ok, ssl_context|
  puts "***THIS SHOULD PRINT***"
  puts "#{preverify_ok.inspect}, #{ssl_context.current_cert.subject}"
  if always_fail
    false
  else
    preverify_ok   # pass OpenSSL's verdict through unchanged
  end
end
http.ca_file = '/etc/ssl/certs/ca-certificates.crt'
http.cert_store = OpenSSL::X509::Store.new   # empty store; setting one is what makes JRuby invoke the callback
response = http.start do |s|
  s.get(uri.request_uri)
end

$ ruby test.rb
***THIS SHOULD PRINT***
true, /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
***THIS SHOULD PRINT***
true, /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
***THIS SHOULD PRINT***
true, /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
***THIS SHOULD PRINT***
true, /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=www.amazon.com
$ ruby test.rb --fail
***THIS SHOULD PRINT***
true, /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
OpenSSL::SSL::SSLError: certificate verify failed
   connect at org/jruby/ext/openssl/SSLSocket.java:170
   connect at /home/andy/.rbenv/versions/jruby-1.7.9/lib/ruby/1.9/net/http.rb:799
   timeout at org/jruby/ext/timeout/Timeout.java:105
   connect at /home/andy/.rbenv/versions/jruby-1.7.9/lib/ruby/1.9/net/http.rb:799
  do_start at /home/andy/.rbenv/versions/jruby-1.7.9/lib/ruby/1.9/net/http.rb:755
     start at /home/andy/.rbenv/versions/jruby-1.7.9/lib/ruby/1.9/net/http.rb:744
    (root) at test.rb:25
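Added example, not code from the issue, JRuby or rest-client: it exercises the same `(preverify_ok, store_context)` callback interface that `Net::HTTP#verify_callback` hands to OpenSSL, but through `OpenSSL::X509::Store` directly with constructed in-memory certificates, so it runs offline. It shows why a callback that returns nil (a bare `puts`, as in the first test case) fails verification, why an unconditional `true` disables it, and that passing `preverify_ok` through keeps OpenSSL's verdict. The helper names `issue_cert` and `verify_with_callback`, the `example.test` hostnames and the "Constructed" CA names are assumptions.

```ruby
require 'openssl'

# Issue a constructed, in-memory X.509 v3 certificate (sample data, no files).
# issuer is [issuer_cert, issuer_key], or nil for a self-signed root.
def issue_cert(subject, key, issuer: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62) + 1
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[0] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
end

# Verify leaf against a store that trusts only trusted_root. The lambda has the
# same (preverify_ok, store_context) shape as Net::HTTP#verify_callback and is
# invoked once per chain certificate. Returns [verified, visits].
def verify_with_callback(trusted_root, leaf, chain: [], override: false)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  visits = []
  store.verify_callback = lambda do |preverify_ok, ctx|
    visits << { ok: preverify_ok, depth: ctx.error_depth, error: ctx.error_string,
                subject: ctx.current_cert&.subject.to_s }
    # Only an exact true means "accept": returning nil (what a bare puts returns)
    # rejects every cert; returning true unconditionally (override) accepts every
    # cert and disables verification. The safe callback passes preverify_ok through.
    override ? true : preverify_ok
  end
  [store.verify(leaf, chain), visits]
end

root_key, leaf_key, rogue_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT       = issue_cert('/CN=Constructed Test Root CA', root_key, ca: true)
LEAF       = issue_cert('/CN=www.example.test', leaf_key, issuer: [ROOT, root_key])
ROGUE      = issue_cert('/CN=Constructed Untrusted CA', rogue_key, ca: true)
ROGUE_LEAF = issue_cert('/CN=www.example.test', leaf_key, issuer: [ROGUE, rogue_key])

if __FILE__ == $PROGRAM_NAME
  ok, visits = verify_with_callback(ROOT, ROGUE_LEAF, chain: [ROGUE])
  puts "verified=#{ok}"
  visits.each { |v| puts "  depth #{v[:depth]} ok=#{v[:ok]} #{v[:subject]} (#{v[:error]})" }
end
```

The same trust decision applies to an `https` connection: a `verify_callback` handed to `Net::HTTP` should log and return `preverify_ok`, never an unconditional `true`.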

kares (Member) commented Jan 18, 2017

This is expected to be fixed (along the way of jruby-openssl releases) in the latest JRubies:

***THIS SHOULD PRINT***
OpenSSL::SSL::SSLError: certificate verify failed
   connect at org/jruby/ext/openssl/SSLSocket.java:217
   connect at /opt/local/rvm/rubies/jruby-1.7.25/lib/ruby/1.9/net/http.rb:800
   timeout at org/jruby/ext/timeout/Timeout.java:98
   connect at /opt/local/rvm/rubies/jruby-1.7.25/lib/ruby/1.9/net/http.rb:800
  do_start at /opt/local/rvm/rubies/jruby-1.7.25/lib/ruby/1.9/net/http.rb:756
     start at /opt/local/rvm/rubies/jruby-1.7.25/lib/ruby/1.9/net/http.rb:745
    (root) at verify_cb.rb:10
***THIS SHOULD PRINT***
OpenSSL::SSL::SSLError: certificate verify failed
  connect_nonblock at org/jruby/ext/openssl/SSLSocket.java:227
           connect at /opt/local/rvm/rubies/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:938
          do_start at /opt/local/rvm/rubies/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:868
             start at /opt/local/rvm/rubies/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:857
            <main> at verify_cb.rb:10

@kares kares closed this as completed Jan 18, 2017
@kares kares added this to the Invalid or Duplicate milestone Jan 18, 2017