OpenSSL::X509::Store doesn't support an intermediate CA like in MRI. #84
Comments
I also tried to split the CA file into 2 certificates and add them to the store. It worked on MRI but not on JRuby, so I think the chain isn't correctly verified.
+1
+1
+1
+1
Unfortunately, this is a major blocker to being able to do any sort of public key cryptography on JRuby.
I am currently implementing client-side verification and I have encountered a bug when working with a certificate signed with an intermediate CA. I am not able to make it work under JRuby, but it works with MRI.
System information:
OS: MacOS X Yosemite
JRuby: 1.7.24
Ruby: 2.3.0
My certificate chain is set up like this:
I have created a small script to reproduce the problem in this gist, including the generated certificates:
https://gist.github.com/ph/fe7aa913f389699611ed
For this test both the client and the server are using the same certificate/key and use the same CA.
If you try to connect to the server with `openssl` using this command:

On MRI you will see "new connection" but under JRuby you will get "certificate verify failed"; if you inspect the verification `context#error_string` it will return "unable to get local issuer certificate".