OpenSSL::SSL::SSLError: certificate verify failed with JRuby 1.7.25 and 9.1.2.0 #98

Closed
chingc opened this issue Jun 29, 2016 · 7 comments

Comments

@chingc

chingc commented Jun 29, 2016

I'm getting an SSLError when working with open-uri.
It appears to be identical, or very similar, to issue #67.

Steps to reproduce
jruby -ropen-uri -e 'open("https://answers.chartboost.com/")'

Result in JRuby 1.7.25

OpenSSL::SSL::SSLError: certificate verify failed
      connect at org/jruby/ext/openssl/SSLSocket.java:215
      connect at /Users/cchow/Applications/jruby-1.7.25/lib/ruby/1.9/net/http.rb:800
      timeout at org/jruby/ext/timeout/Timeout.java:98
      connect at /Users/cchow/Applications/jruby-1.7.25/lib/ruby/1.9/net/http.rb:800
     do_start at /Users/cchow/Applications/jruby-1.7.25/lib/ruby/1.9/net/http.rb:756
        start at /Users/cchow/Applications/jruby-1.7.25/lib/ruby/1.9/net/http.rb:745
    open_http at /Users/cchow/Applications/jruby-1.7.25/lib/ruby/1.9/open-uri.rb:306
  buffer_open at /Users/cchow/Applications/jruby-1.7.25/lib/ruby/1.9/open-uri.rb:776
    open_loop at /Users/cchow/Applications/jruby-1.7.25/lib/ruby/1.9/open-uri.rb:203
        catch at org/jruby/RubyKernel.java:1242
    open_loop at /Users/cchow/Applications/jruby-1.7.25/lib/ruby/1.9/open-uri.rb:201
     open_uri at /Users/cchow/Applications/jruby-1.7.25/lib/ruby/1.9/open-uri.rb:146
         open at /Users/cchow/Applications/jruby-1.7.25/lib/ruby/1.9/open-uri.rb:678
         open at /Users/cchow/Applications/jruby-1.7.25/lib/ruby/1.9/open-uri.rb:33
       (root) at -e:1

Result in JRuby 9.1.2.0

OpenSSL::SSL::SSLError: certificate verify failed
    connect_nonblock at org/jruby/ext/openssl/SSLSocket.java:227
             connect at /Users/cchow/Applications/jruby-9.1.2.0/lib/ruby/stdlib/net/http.rb:938
            do_start at /Users/cchow/Applications/jruby-9.1.2.0/lib/ruby/stdlib/net/http.rb:868
               start at /Users/cchow/Applications/jruby-9.1.2.0/lib/ruby/stdlib/net/http.rb:857
           open_http at /Users/cchow/Applications/jruby-9.1.2.0/lib/ruby/stdlib/open-uri.rb:319
         buffer_open at /Users/cchow/Applications/jruby-9.1.2.0/lib/ruby/stdlib/open-uri.rb:737
  block in open_loop at /Users/cchow/Applications/jruby-9.1.2.0/lib/ruby/stdlib/open-uri.rb:212
               catch at org/jruby/RubyKernel.java:1103
           open_loop at /Users/cchow/Applications/jruby-9.1.2.0/lib/ruby/stdlib/open-uri.rb:210
            open_uri at /Users/cchow/Applications/jruby-9.1.2.0/lib/ruby/stdlib/open-uri.rb:151
                open at /Users/cchow/Applications/jruby-9.1.2.0/lib/ruby/stdlib/open-uri.rb:717
                open at /Users/cchow/Applications/jruby-9.1.2.0/lib/ruby/stdlib/open-uri.rb:35
               <top> at -e:1

@synth

synth commented Jan 19, 2017

Experiencing the same on JRuby 9.1.7.0.

$ jruby -v
jruby 9.1.7.0 (2.3.1) 2017-01-11 68056ae Java HotSpot(TM) 64-Bit Server VM 25.25-b02 on 1.8.0_25-b17 +jit [darwin-x86_64]
$ jruby -ropen-uri -e 'open("https://answers.chartboost.com/")'
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=128m; support was removed in 8.0
OpenSSL::SSL::SSLError: certificate verify failed
    connect_nonblock at org/jruby/ext/openssl/SSLSocket.java:227
             connect at /Users/xxx/.rvm/rubies/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:938

@andrew-aladev

rvm install jruby-9.1.7.0

require "socket"
require "openssl"

socket = TCPSocket.new "www.google.com", 443

begin
  context = OpenSSL::SSL::SSLContext.new
  context.ssl_version = :SSLv23
  context.verify_mode = OpenSSL::SSL::VERIFY_PEER

  socket = OpenSSL::SSL::SSLSocket.new socket, context
  socket.sync_close = true
  socket.connect

ensure
  socket.close
end

OpenSSL::SSL::SSLError: certificate verify failed
  connect at org/jruby/ext/openssl/SSLSocket.java:217

JRuby couldn't connect to google.

@andrew-aladev

wget "https://curl.haxx.se/ca/cacert.pem"

require "socket"
require "openssl"

["google.com", "yahoo.com", "tut.by", "yandex.ru"].each do |domain|
  socket = TCPSocket.new domain, 443

  begin
    context = OpenSSL::SSL::SSLContext.new
    context.ssl_version = :SSLv23
    context.verify_mode = OpenSSL::SSL::VERIFY_PEER

    cert_store = OpenSSL::X509::Store.new
    cert_store.add_file "cacert.pem"
    context.cert_store = cert_store

    socket = OpenSSL::SSL::SSLSocket.new socket, context
    socket.sync_close = true
    socket.connect

  rescue StandardError
    puts "domain #{domain} verification failed"
  else
    puts "domain #{domain} verified"
  ensure
    socket.close
  end
end

domain google.com verification failed
domain yahoo.com verification failed
domain tut.by verified
domain yandex.ru verified

@andrew-aladev

andrew-aladev commented Feb 16, 2017

ruby-2.3.3, ruby-2.4.0-rc1, rbx-3.71 work fine; jruby-1.7.26 and jruby-9.1.7.0 failed in the same way.

@andrew-aladev

andrew-aladev commented Feb 16, 2017

We can use hostname and post_connection_check with the same result.

require "socket"
require "openssl"

["google.com", "yahoo.com", "tut.by", "yandex.ru"].each do |domain|
  socket = TCPSocket.new domain, 443

  begin
    context = OpenSSL::SSL::SSLContext.new
    context.ssl_version = :SSLv23
    context.verify_mode = OpenSSL::SSL::VERIFY_PEER

    cert_store = OpenSSL::X509::Store.new
    cert_store.add_file "cacert.pem"
    context.cert_store = cert_store

    socket = OpenSSL::SSL::SSLSocket.new socket, context
    socket.sync_close = true
    socket.hostname = domain

    socket.connect
    socket.post_connection_check domain

  rescue StandardError
    puts "domain #{domain} verification failed"
  else
    puts "domain #{domain} verified"
  ensure
    socket.close
  end
end

This is definitely the jruby openssl issue.
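
The scripts above exercise two separate checks: chain validation against a `cert_store`, and the hostname check performed by `post_connection_check`. The following is an added offline example (not code from this thread or from jruby-openssl) that reports which of the two stages rejects a certificate; the CA, the leaf for the placeholder name `example.test`, and the helpers `make_cert` and `diagnose` are all constructed for illustration.

```ruby
require "openssl"

# Hypothetical helper: builds a constructed certificate (self-signed when issuer_cert is nil).
def make_cert(cn, key, issuer_cert, issuer_key, ca:, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", san, false)) if san
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Hypothetical helper: names the stage that rejects the certificate.
# Stage 1 is chain building against the trust store, stage 2 is hostname matching.
def diagnose(leaf, store, hostname)
  return [:chain_failed, store.error_string] unless store.verify(leaf)
  unless OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
    return [:hostname_mismatch, hostname]
  end
  [:ok, nil]
end

# Constructed sample PKI (throwaway keys, placeholder names).
CA_KEY   = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = make_cert("Constructed Test Root", CA_KEY, nil, CA_KEY, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF     = make_cert("example.test", LEAF_KEY, CA_CERT, CA_KEY,
                     ca: false, san: "DNS:example.test")

EMPTY_STORE   = OpenSSL::X509::Store.new   # no trust anchors loaded
TRUSTED_STORE = OpenSSL::X509::Store.new
TRUSTED_STORE.add_cert(CA_CERT)            # plays the role of cacert.pem

[[EMPTY_STORE, "example.test"], [TRUSTED_STORE, "example.test"],
 [TRUSTED_STORE, "other.test"]].each do |store, host|
  puts "#{host}: #{diagnose(LEAF, store, host).inspect}"
end
```

A `:chain_failed` result points at the trust store or chain building rather than the hostname check, and the accompanying error string says why the chain was rejected.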

@chingc
Author

chingc commented Jul 5, 2017

I can no longer reproduce this error with JRuby 9.1.7.0. I don't know if this should be kept open for the older versions, but I have no objections if someone closes the ticket.

@chingc chingc closed this as completed Jul 20, 2017
@erickj

erickj commented Dec 17, 2017

I'm experiencing this in 9.1.13 fetching https://www.google.com:

$ irb
jruby-9.1.13.0 :001 > require "mechanize"
 => true 
jruby-9.1.13.0 :002 > a = Mechanize.new;
jruby-9.1.13.0 :003 >   a.get "https://www.google.com"
OpenSSL::SSL::SSLError: certificate verify failed
	from org/jruby/ext/openssl/SSLSocket.java:228:in `connect_nonblock'
	from /home/erick/.rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:938:in `connect'
	from /home/erick/.rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:868:in `do_start'
	from /home/erick/.rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:863:in `start'
	from /home/erick/.rvm/gems/jruby-9.1.13.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:700:in `start'
	from /home/erick/.rvm/gems/jruby-9.1.13.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:631:in `connection_for'
	from /home/erick/.rvm/gems/jruby-9.1.13.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:994:in `request'
	from /home/erick/.rvm/gems/jruby-9.1.13.0/gems/mechanize-2.7.5/lib/mechanize/http/agent.rb:274:in `fetch'
	from /home/erick/.rvm/gems/jruby-9.1.13.0/gems/mechanize-2.7.5/lib/mechanize.rb:464:in `get'
	from (irb):3:in `<eval>'
	from org/jruby/RubyKernel.java:994:in `eval'
	from org/jruby/RubyKernel.java:1292:in `loop'
	from org/jruby/RubyKernel.java:1114:in `catch'
	from org/jruby/RubyKernel.java:1114:in `catch'
	from /home/erick/.rvm/rubies/jruby-9.1.13.0/bin/irb:13:in `<main>'

This same request works as expected from MRI 2.4.1.
