OpenSSL::X509::Store doesn't support an intermediate CA like in MRI. #84
Comments
|
I also tried to split the CA file into 2 certificates and add them to the store. It worked on MRI but not on JRuby, So i think the chain isn't correctly verified. |
|
+1 |
3 similar comments
|
+1 |
|
+1 |
|
+1 |
|
Unfortunately, this is a major blocker to being able to do any sort of public key cryptography on jruby |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
and others
I am currently implementing a client side verification and I have encountered a bug when working with certificate signed with an intermediate CA. And I am not able to make it work under JRuby but it works with MRI.
System information:
OS: MacOS X Yosemite
JRuby: 1.7.24
Ruby: 2.3.0
My certificate chain is setup like this:
I have created a small script to reproduce the problem in this gist, including the generated certificates:
https://gist.github.com/ph/fe7aa913f389699611ed
For this test both the client and the server is using the same certificate/key and use the same CA.
If you try to connect to the server with
opensslusing this command:On MRI you will see "new connection" but under jruby you will get "certificate verify failed", if you inspect the verification
--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/32479674-openssl-x509-store-doesn-t-support-an-intermediate-ca-like-in-mri?utm_campaign=plugin&utm_content=tracker%2F136995&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F136995&utm_medium=issues&utm_source=github).context#error_stringit will return "unable to get local issuer certificate".The text was updated successfully, but these errors were encountered: