OpenSSL::SSL::SSLError: Received fatal alert: bad_record_mac #4

charl opened this Issue Jan 20, 2011 · 4 comments



charl commented Jan 20, 2011

When trying to retrieve a page from an SSL resource, the exception above is thrown, even though OpenSSL::SSL::VERIFY_NONE is set.

OS X 10.6.6

$ jruby -v
jruby 1.5.5 (ruby 1.8.7 patchlevel 249) (2010-11-10 4bd4200) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_22) [x86_64-java]

$ jirb -v
irb 0.9.5(05/04/13)

 $ jruby -S gem list jruby-openssl

*** LOCAL GEMS ***

jruby-openssl (0.7.2)

$ jirb
~> Console extensions: wirble hirb ap rails2 rails3
jruby-1.5.5 :001 > require 'openssl'
 => true 
jruby-1.5.5 :002 > require 'net/https'
 => true 
jruby-1.5.5 :003 > 
jruby-1.5.5 :004 >   http = Net::HTTP.new '', 443
 => # 
jruby-1.5.5 :005 > http.use_ssl = true
 => true 
jruby-1.5.5 :006 > http.verify_mode = OpenSSL::SSL::VERIFY_NONE
 => 0 
jruby-1.5.5 :007 > req = Net::HTTP::Get.new '/'
 => # 
jruby-1.5.5 :008 > http.request(req).body
OpenSSL::SSL::SSLError: Received fatal alert: bad_record_mac
    from /Users/charl/.rvm/rubies/jruby-1.5.5/lib/ruby/1.8/net/http.rb:586:in `connect'
    from /Users/charl/.rvm/rubies/jruby-1.5.5/lib/ruby/1.8/net/http.rb:553:in `do_start'
    from /Users/charl/.rvm/rubies/jruby-1.5.5/lib/ruby/1.8/net/http.rb:542:in `start'
    from /Users/charl/.rvm/rubies/jruby-1.5.5/lib/ruby/1.8/net/http.rb:1035:in `request'
    from (irb):8

charl commented Jan 20, 2011

I have just tried it with jruby-openssl-0.7.3 and the results are the same.

charl commented Jan 21, 2011

I see the issue I am experiencing is related to the fact that the web server on the end of the request only supports SSLv3 connections.

The workaround is to run your script with:

ruby -J-Dhttps.protocols=SSLv3 SCRIPT_NAME


nahi commented Jan 21, 2011

Hmm. Interesting. Java's JSSE cannot connect to

net/https does not have ssl version parameter ATM. The following might work. (ugly monkey patching only works for 1.8)

http.instance_eval("@ssl_context").ssl_version = "SSLv3"

With httpclient gem, this script works for me.

c = HTTPClient.new
c.ssl_config.options = OpenSSL::SSL::OP_NO_TLSv1

It seems that it's from Java's JSSE restriction, your solution is the best I think...


nahi commented Jan 21, 2011

Additional information:

  • JDK7 beta fails to connect to the server, the same as JDK6
  • J9 IBMJSSE successfully connects to the server.

It seems to be related to TLS extension...
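
An added example, not part of the original thread or of jruby-openssl: when diagnosing a "Received fatal alert" error like the one above from a packet capture, the alert record itself can be decoded to read the record-layer version and the alert the server sent. The function name, the lookup tables and the sample bytes are constructed for illustration; the sample assumes an SSLv3 record (version 3.0), in line with the finding that the server only supports SSLv3.

```ruby
# Added example: decode a TLS/SSL alert record taken from a packet capture.
ALERT_CONTENT_TYPE = 21 # record-layer content type for alerts

ALERT_LEVELS = { 1 => "warning", 2 => "fatal" }.freeze

# Subset of the alert descriptions defined in the SSL/TLS specifications.
ALERT_DESCRIPTIONS = {
  0 => "close_notify", 10 => "unexpected_message", 20 => "bad_record_mac",
  40 => "handshake_failure", 47 => "illegal_parameter",
  70 => "protocol_version", 80 => "internal_error"
}.freeze

RECORD_VERSIONS = {
  [3, 0] => "SSLv3", [3, 1] => "TLSv1.0", [3, 2] => "TLSv1.1", [3, 3] => "TLSv1.2"
}.freeze

# Parses one record: type(1) | major(1) | minor(1) | length(2) | body(length)
def parse_alert_record(bytes)
  data = bytes.b
  raise ArgumentError, "truncated record header" if data.bytesize < 5

  type, major, minor, length = data.unpack("CCCn")
  raise ArgumentError, "not an alert record (type #{type})" unless type == ALERT_CONTENT_TYPE
  raise ArgumentError, "malformed alert (length #{length})" if length < 2

  body = data.byteslice(5, length)
  raise ArgumentError, "truncated record body" if body.bytesize < length

  version = RECORD_VERSIONS.fetch([major, minor], "unknown(#{major}.#{minor})")
  # A plaintext alert is exactly two bytes. A longer body means the alert was
  # sent after encryption was switched on, so level/description are not readable.
  return { version: version, encrypted: true } unless length == 2

  level, description = body.unpack("CC")
  { version: version, encrypted: false,
    level: ALERT_LEVELS.fetch(level, "unknown(#{level})"),
    description: ALERT_DESCRIPTIONS.fetch(description, "unknown(#{description})") }
end

# Constructed sample: alert record, version 3.0, length 2, fatal(2), bad_record_mac(20)
SAMPLE_ALERT = ["15030000020214"].pack("H*")

if __FILE__ == $PROGRAM_NAME
  p parse_alert_record(SAMPLE_ALERT)
end
```
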
