Description
There is a nasty little bug in Java: JDK-8062548 Support duplicate Extended Key Usage certificate extensions
This causes problems on OS X systems such as jruby/jruby#1055 because Apple creates some certificates with multiple "X509v3 Extended Key Usage" sections.
It may cause problems elsewhere as well.
This is not a bug in JRuby; however, I think JRuby should work around it by dropping any of these certificates.
How to recreate:
- Create a file called openjdk-bug-cert.pem with the contents of the certificate in JDK-8062548 (copied below for ease of use)
- Run env -u SSL_CERT_DIR SSL_CERT_FILE=$PWD/openjdk-bug-cert.pem jruby -ropenssl -e 'puts "hi"'
Example output:
Using:
- Oracle Java 1.7.0_80, 1.8.0_45, and 1.8.0_51
- JRuby 1.7.21
$ env -u SSL_CERT_DIR SSL_CERT_FILE=$PWD/openjdk-bug-cert.pem jruby -ropenssl -e 'puts "hi"'
OpenSSL::X509::StoreError: setting default path failed: problem creating X509 Aux certificate: java.io.IOException: problem parsing cert: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
set_default_paths at org/jruby/ext/openssl/X509Store.java:185
(root) at /Users/docwhat/.rbenv/versions/jruby-1.7.21/lib/ruby/shared/jopenssl/load.rb:22
require at org/jruby/RubyKernel.java:1040
(root) at /Users/docwhat/.rbenv/versions/jruby-1.7.21/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:1
require at /Users/docwhat/.rbenv/versions/jruby-1.7.21/lib/ruby/shared/rubygems/core_ext/kernel_require.rb:54
require at org/jruby/RubyKernel.java:1040
(root) at /Users/docwhat/.rbenv/versions/jruby-1.7.21/lib/ruby/shared/openssl.rb:1
The above command works fine with ruby instead of jruby.
Workaround
Find the offending certificates and remove them from your SSL_CERT_FILE or SSL_CERT_DIR. I'll see if I can create a script to help with that.
Edits
- Corrected link to jruby bug
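
One way to automate the workaround above, as an added example that is not part of the original issue and is not JRuby or jruby-openssl code: it reads each certificate's raw DER with the generic ASN.1 decoder and drops any certificate in which an extension OID occurs more than once, which covers the duplicate Extended Key Usage case and any other duplicated extension. The function names are hypothetical, only plain `CERTIFICATE` PEM blocks are handled, and the sample certificates are constructed by `sample_cert` for illustration.

```ruby
require 'openssl'

PEM_BLOCK = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# OIDs of extensions that occur more than once. Walks the raw DER with the
# generic ASN.1 decoder, so no X.509 parser can reject the certificate first.
def duplicate_extension_oids(der)
  tbs = OpenSSL::ASN1.decode(der).value.first
  # Extensions are the explicitly tagged [3] field of TBSCertificate.
  wrapper = tbs.value.find { |e| e.tag_class == :CONTEXT_SPECIFIC && e.tag == 3 }
  return [] unless wrapper
  oids = wrapper.value.first.value.map { |ext| ext.value.first.oid }
  oids.group_by(&:itself).select { |_, seen| seen.size > 1 }.keys
end

# Returns [kept, dropped]: kept is the PEM blocks that are safe to keep,
# dropped is [position_in_bundle, duplicated_oids] for each offender.
def filter_bundle(pem_text)
  kept = []
  dropped = []
  pem_text.scan(PEM_BLOCK).each_with_index do |pem, i|
    der = pem.lines[1...-1].join.unpack1('m')
    dups = duplicate_extension_oids(der)
    dups.empty? ? kept << pem : dropped << [i + 1, dups]
  end
  [kept, dropped]
end

# Constructed sample input: a throwaway self-signed certificate carrying one
# Extended Key Usage extension per entry in ekus.
def sample_cert(cn, ekus)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ekus.each { |u| cert.add_extension(ef.create_extension('extendedKeyUsage', u)) }
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME && ARGV[0]
  kept, dropped = filter_bundle(File.read(ARGV[0]))
  dropped.each { |pos, oids| warn "dropped certificate ##{pos}: duplicate #{oids.join(', ')}" }
  puts kept
end
```

Given a bundle path as its argument, the script writes the filtered bundle to standard output and reports each dropped certificate on standard error; point SSL_CERT_FILE at the filtered file.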