You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
To reproduce, I installed the mechanize gem, then hacked Net::HTTP to use :TLSv1, and then visited the site https://www.howsmyssl.com/, and then copy and pasted the body into a file and viewed it with my browser. On MRI 2.3.0, the site reports that the 1/n-1 record splitting BEAST mitigation is implemented, on JRuby it says its not. (It also reports unsafe cipher suites for both MRI and JRuby, but perhaps those needed for backwards compatibility?)
Oh and I'm using JRuby 9.1.2.0 with Java 7 on a Mac.
Here's the code to paste into irb to reproduce:
require'mechanize'moduleNetclassHTTPdefconnectifproxy?thenconn_address=proxy_addressconn_port=proxy_portelseconn_address=addressconn_port=portendD"opening connection to #{conn_address}:#{conn_port}..."s=Timeout.timeout(@open_timeout,Net::OpenTimeout){beginTCPSocket.open(conn_address,conn_port,@local_host,@local_port)rescue=>eraisee,"Failed to open TCP connection to " +
"#{conn_address}:#{conn_port} (#{e.message})"end}s.setsockopt(Socket::IPPROTO_TCP,Socket::TCP_NODELAY,1)D"opened"ifuse_ssl?ssl_parameters=Hash.newiv_list=instance_variablesSSL_IVNAMES.each_with_indexdo |ivname,i|
ifiv_list.include?(ivname)andvalue=instance_variable_get(ivname)ssl_parameters[SSL_ATTRIBUTES[i]]=valueifvalueendend@ssl_context=OpenSSL::SSL::SSLContext.new@ssl_context.set_params(ssl_parameters)############################# hack to force :TLSv1 ################@ssl_context.ssl_version=:TLSv1####################################################################D"starting SSL for #{conn_address}:#{conn_port}..."s=OpenSSL::SSL::SSLSocket.new(s,@ssl_context)s.sync_close=trueD"SSL established"end@socket=BufferedIO.new(s)@socket.read_timeout=@read_timeout@socket.continue_timeout=@continue_timeout@socket.debug_output=@debug_outputifuse_ssl?beginifproxy?buf="CONNECT #{@address}:#{@port} HTTP/#{HTTPVersion}\r\n"buf << "Host: #{@address}:#{@port}\r\n"ifproxy_usercredential=["#{proxy_user}:#{proxy_pass}"].pack('m')credential.delete!("\r\n")buf << "Proxy-Authorization: Basic #{credential}\r\n"endbuf << "\r\n"@socket.write(buf)HTTPResponse.read_new(@socket).valueend# Server Name Indication (SNI) RFC 3546s.hostname=@addressifs.respond_to?:hostname=if@ssl_sessionandProcess.clock_gettime(Process::CLOCK_REALTIME) < @ssl_session.time.to_f + @ssl_session.timeouts.session=@ssl_sessionif@ssl_sessionendiftimeout=@open_timeoutwhiletrueraiseNet::OpenTimeoutiftimeout <= 0start=Process.clock_gettimeProcess::CLOCK_MONOTONIC# to_io is required because SSLSocket doesn't have wait_readable yetcases.connect_nonblock(exception: false)when:wait_readable;s.to_io.wait_readable(timeout)when:wait_writable;s.to_io.wait_writable(timeout)else;breakendtimeout -= Process.clock_gettime(Process::CLOCK_MONOTONIC) - startendelses.connectendif@ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONEs.post_connection_check(@address)end# OpenSSL::SSL::Session somehow works but SSLSocket#session= does nothing with JRuby-OpenSSL#@ssl_session = s.sessionrescue=>exceptionD"Conn close because of connect error #{exception}"@socket.closeif@socketand not @socket.closed?raiseexceptionendendon_connectendendendputsMechanize.new.get("https://www.howsmyssl.com/").body
---
Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/34648390-1-n-1-record-splitting-beast-mitigation-not-implemented-in-jruby-is-in-mri?utm_campaign=plugin&utm_content=tracker%2F136995&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F136995&utm_medium=issues&utm_source=github).
The text was updated successfully, but these errors were encountered:
To reproduce, I installed the
mechanize
gem, then hackedNet::HTTP
to use:TLSv1
, and then visited the site https://www.howsmyssl.com/, and then copy and pasted the body into a file and viewed it with my browser. On MRI 2.3.0, the site reports that the 1/n-1 record splitting BEAST mitigation is implemented, on JRuby it says its not. (It also reports unsafe cipher suites for both MRI and JRuby, but perhaps those needed for backwards compatibility?)Oh and I'm using JRuby 9.1.2.0 with Java 7 on a Mac.
Here's the code to paste into irb to reproduce:
The text was updated successfully, but these errors were encountered: