Certificate verification failure has an unhelpful message #8

Closed
bkerley opened this issue Sep 19, 2014 · 5 comments

bkerley commented Sep 19, 2014

Spec from my project: https://github.com/basho/riak-ruby-client/blob/0e162cecbbb0ee550080de56abbb30032c59ac5f/spec/integration/riak/security_spec.rb#L45-L57

    it "refuses to connect if the server cert isn't recognized" do
      broken_auth_config = config.dup
      broken_auth_config[:authentication] = broken_auth_config[:authentication].dup
      # this CA has never ever been used to sign a key
      broken_auth_config[:authentication][:ca_file] =
        File.join('support', 'certs', 'empty_ca.crt')

      bugged_crypto_client = Riak::Client.new broken_auth_config

      expect{ bugged_crypto_client.ping }.
        to(raise_error(OpenSSL::SSL::SSLError,
                       /certificate verify failed/i))
    end

This raises an OpenSSL::SSL::SSLError with an unhelpful message: #<OpenSSL::SSL::SSLError: No message available> instead of one describing the problem or matching one I've seen from C-Ruby OpenSSL.

The TLS connection is established at:
https://github.com/basho/riak-ruby-client/blob/0e162cecbbb0ee550080de56abbb30032c59ac5f/lib/riak/client/beefcake/socket.rb#L162

I suspect the error is one of these: https://github.com/jruby/jruby-openssl/blob/master/src/main/java/org/jruby/ext/openssl/SSLSocket.java#L202

md5 commented Jan 17, 2015

I'm curious if you guys have any advice on how to debug a certificate verification error in JRuby. I was looking at the verification code and it doesn't look like there is any debug logging or particularly useful error reporting going on.

I ended up here as a result of looking into why gem install bundler is failing in docker-library/official-images#391

kares (Member) commented Jan 18, 2015

@md5 we do have -Djruby.openssl.debug=true but there might be few debug statements around this

UPDATE: also please try getting the latest jruby-openssl (0.9.6) then install it (e.g. a local gem install) if that changes anything ... otherwise we always need at least the JRuby version mentioned ...

md5 commented Jan 18, 2015

No dice on that:

    # gem install jruby-openssl -v 0.9.6
    ERROR:  Could not find a valid gem 'jruby-openssl' (= 0.9.6), here is why:
              Unable to download data from https://rubygems.org/ - certificate verify failed (https://rubygems.global.ssl.fastly.net/quick/Marshal.4.8/jruby-openssl-0.9.6-java.gemspec.rz)
    ERROR:  Possible alternatives: JRuby-OpenSSL

The reason I'm not able to do that is that I'm looking into docker-library/official-images#391 and the SSL support in the Docker java:8 image is broken.

As for the debug flag, I was running a command like this: JRUBY_OPTS=-J-Djruby.openssl.debug=true gem install bundler --debug -V

It wasn't until I noticed it wasn't giving any useful debug output that I dug into the StoreContext code and saw that there actually weren't any debugging messages to be had. I did end up getting some useful debug output out of this script, however: https://github.com/mislav/ssl-tools/blob/8b3dec4/doctor.rb

Update: The JRuby version in question is 1.7.18 on OpenJDK 8. You can see how it's being installed here: https://github.com/cpuguy83/docker-jruby/blob/master/1.7/Dockerfile

The line that's failing is line 13 (gem install bundler). That isn't a JRuby or jruby-openssl problem per se (it's actually a problem with the Debian OpenJDK 8 package), but debugging it could have been easier with some good error messages.

kares (Member) commented Jan 19, 2015

@md5 I meant updating jruby-openssl (manually downloading and installing the gem) BEFORE trying a gem install ... maybe with the jruby.openssl.debug=true as well

kares (Member) commented May 19, 2015

should be irrelevant since the jruby-openssl 0.9.7 release (JRuby >= 1.7.20)

kares closed this as completed May 19, 2015
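
The thread asks how to find out why certificate verification failed. The following is an added example, not part of the thread and not jruby-openssl code: it reproduces the spec's "CA that never signed the server cert" case with constructed in-memory certificates and uses the standard Ruby OpenSSL verify callback to report the failure code, reason, chain depth and subject. The helper names (`make_cert`, `diagnose`, `demo`) and all certificate names are hypothetical.

```ruby
require "openssl"

# Build a certificate; every name and key here is constructed sample data.
def make_cert(subject, key, issuer_cert: nil, issuer_key: key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Verify `cert` against `store` and return why it failed, not just true/false.
# The block is called once per verification step with the store context.
def diagnose(cert, store)
  failures = []
  ok = store.verify(cert) do |preverify_ok, ctx|
    unless preverify_ok
      failures << { code: ctx.error, reason: ctx.error_string,
                    depth: ctx.error_depth,
                    subject: ctx.current_cert.subject.to_s }
    end
    preverify_ok # report only; never override the verdict while diagnosing
  end
  { ok: ok, failures: failures }
end

# One server certificate checked against the CA that signed it and against an
# unrelated CA (the situation the spec sets up with empty_ca.crt).
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("/CN=Constructed Signing CA", ca_key, ca: true)
  other = make_cert("/CN=Constructed Unrelated CA", OpenSSL::PKey::RSA.new(2048), ca: true)
  server = make_cert("/CN=server.example.test", OpenSSL::PKey::RSA.new(2048),
                     issuer_cert: ca, issuer_key: ca_key)
  { trusted: diagnose(server, OpenSSL::X509::Store.new.add_cert(ca)),
    untrusted: diagnose(server, OpenSSL::X509::Store.new.add_cert(other)) }
end

p demo[:untrusted] if __FILE__ == $PROGRAM_NAME
```

The same callback shape can be assigned to `verify_callback` on an `OpenSSL::SSL::SSLContext` to log the reason during a real handshake, as long as it returns `preverify_ok` unchanged.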