OpenSSL::SSL::SSLError: Received fatal alert: bad_record_mac #4

Open
charl opened this Issue Jan 20, 2011 · 4 comments


charl commented Jan 20, 2011

When trying to retrieve a page from an SSL resource, the exception above is thrown, even though OpenSSL::SSL::VERIFY_NONE is set.

Environment:
OS X 10.6.6

$ jruby -v
jruby 1.5.5 (ruby 1.8.7 patchlevel 249) (2010-11-10 4bd4200) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_22) [x86_64-java]

$ jirb -v
irb 0.9.5(05/04/13)

 $ jruby -S gem list jruby-openssl

*** LOCAL GEMS ***

jruby-openssl (0.7.2)

$ jirb
~> Console extensions: wirble hirb ap rails2 rails3
jruby-1.5.5 :001 > require 'openssl'
 => true 
jruby-1.5.5 :002 > require 'net/https'
 => true 
jruby-1.5.5 :003 > 
jruby-1.5.5 :004 >   http = Net::HTTP.new 'msp.ibm.com', 443
 => # 
jruby-1.5.5 :005 > http.use_ssl = true
 => true 
jruby-1.5.5 :006 > http.verify_mode = OpenSSL::SSL::VERIFY_NONE
 => 0 
jruby-1.5.5 :007 > req = Net::HTTP::Get.new '/'
 => # 
jruby-1.5.5 :008 > http.request(req).body
OpenSSL::SSL::SSLError: Received fatal alert: bad_record_mac
    from /Users/charl/.rvm/rubies/jruby-1.5.5/lib/ruby/1.8/net/http.rb:586:in `connect'
    from /Users/charl/.rvm/rubies/jruby-1.5.5/lib/ruby/1.8/net/http.rb:553:in `do_start'
    from /Users/charl/.rvm/rubies/jruby-1.5.5/lib/ruby/1.8/net/http.rb:542:in `start'
    from /Users/charl/.rvm/rubies/jruby-1.5.5/lib/ruby/1.8/net/http.rb:1035:in `request'
    from (irb):8

charl commented Jan 20, 2011

I have just tried it with jruby-openssl-0.7.3 and the results are the same.

charl commented Jan 21, 2011

I see the issue I am experiencing is related to the fact that the web server on the end of the request only supports SSLv3 connections.

The workaround is to run your script with:

ruby -J-Dhttps.protocols=SSLv3 SCRIPT_NAME

Member

nahi commented Jan 21, 2011

Hmm. Interesting. Java's JSSE cannot connect to https://msp.ibm.com...

net/https does not have an SSL version parameter ATM. The following might work. (ugly monkey patching only works for 1.8)

http.instance_eval("@ssl_context").ssl_version = "SSLv3"

With the httpclient gem, this script works for me.

require 'httpclient'

c = HTTPClient.new
# Turn TLSv1 off so the handshake is offered as SSLv3
c.ssl_config.options = OpenSSL::SSL::OP_NO_TLSv1
c.get("https://msp.ibm.com")

It seems to come from a restriction in Java's JSSE; your solution is the best, I think...

Member

nahi commented Jan 21, 2011

Additional information:

  • JDK7 beta fails to connect to the server, the same as JDK6.
  • J9 IBMJSSE successfully connects to the server.

It seems to be related to TLS extension...
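The exception text in this thread reports an alert record sent by the server. As an added example (not code from the thread or from jruby-openssl), this Ruby snippet decodes alert records from raw record-layer bytes, such as bytes copied out of a packet capture, and reports the record version, alert level and description; the sample bytes and all names are constructed for illustration.

```ruby
# Added example: decode SSL/TLS alert records from raw record-layer bytes.
ALERT_LEVELS = { 1 => "warning", 2 => "fatal" }.freeze
ALERT_DESCRIPTIONS = {
  0 => "close_notify", 10 => "unexpected_message", 20 => "bad_record_mac",
  40 => "handshake_failure", 42 => "bad_certificate", 47 => "illegal_parameter",
  70 => "protocol_version", 80 => "internal_error"
}.freeze
PROTOCOL_VERSIONS = {
  [3, 0] => "SSLv3", [3, 1] => "TLSv1.0", [3, 2] => "TLSv1.1", [3, 3] => "TLSv1.2"
}.freeze
CONTENT_TYPE_ALERT = 21

# Walks back-to-back records (5-byte header: type, major, minor, length)
# and returns one hash per alert record; other record types are skipped.
def parse_alert_records(bytes)
  bytes = bytes.b
  alerts = []
  offset = 0
  while offset < bytes.bytesize
    header = bytes.byteslice(offset, 5)
    raise ArgumentError, "truncated header at offset #{offset}" if header.bytesize < 5
    type, major, minor, length = header.unpack("CCCn")
    body = bytes.byteslice(offset + 5, length)
    raise ArgumentError, "truncated body at offset #{offset}" if body.nil? || body.bytesize < length
    if type == CONTENT_TYPE_ALERT
      version = PROTOCOL_VERSIONS.fetch([major, minor], format("unknown(%d.%d)", major, minor))
      if length == 2
        # Plaintext alert: one level byte, one description byte.
        level, desc = body.unpack("CC")
        alerts << { version: version,
                    level: ALERT_LEVELS.fetch(level, "unknown(#{level})"),
                    description: ALERT_DESCRIPTIONS.fetch(desc, "unknown(#{desc})") }
      else
        # Any other length means the alert was sent under an active cipher.
        alerts << { version: version, level: "encrypted", description: "encrypted" }
      end
    end
    offset += 5 + length
  end
  alerts
end

# Constructed sample: an SSLv3 record carrying alert(fatal, bad_record_mac).
SAMPLE = [0x15, 0x03, 0x00, 0x00, 0x02, 0x02, 0x14].pack("C*")
puts parse_alert_records(SAMPLE).inspect if __FILE__ == $PROGRAM_NAME
```
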
