-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Duplicate extensions not allowed" should not raise errors despite bug in Java #56
Comments
Interesting note: If you put the offending certificate as a However, there are two mechanisms for generate the So the single file mechanism is still the best for compatibility. sigh |
I have a working "workaround" in a gist: https://gist.github.com/docwhat/24f0add92c2f43d8ec9e This script filters out the offending certificates and dumps them to a single |
@docwhat How can I modify your ruby script to give/show me the offending cert instead? |
Instead of reject use |
There is a nasty little bug in Java: JDK-8062548 Support duplicate Extended Key Usage certificate extensions
This causes problems on OS X systems such as jruby/jruby#1055 because Apple creates some certificates with multiple "X509v3 Extended Key Usage" sections.
It may cause problems elsewhere as well.
This is not a bug in JRuby, however, I think JRuby should work around it by dropping any of these certificates.
How to recreate:
openjdk-bug-cert.pem
with the contents of the certificate in JDK-8062548 (copied below for ease of use)env -u SSL_CERT_DIR SSL_CERT_FILE=$PWD/openjdk-bug-cert.pem jruby -ropenssl -e 'puts "hi"'
Example output:
Using:
1.7.0_80
,1.8.0_45
, and1.8.0_51
The above command works fine with
ruby
instead ofjruby
.Workaround
Find the offending certificates and remove them from your
SSL_CERT_FILE
orSSL_CERT_DIR
. I'll see if I can create a script to help with that.Edits
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
The text was updated successfully, but these errors were encountered: