IOError with OpenSSL #connect_nonblock: Writing not possible during handshake

[Zapotek]

Hey guys,

I've got another socket/SSL inconsistency between MRI and JRuby.
I'm not 100% sure but its root cause may be the same as #1694.

Code:

require 'socket'
require 'openssl'

def start_server( host, port )
    s = TCPServer.new( host, port )

    context                 = OpenSSL::SSL::SSLContext.new
    context.key             = OpenSSL::PKey::RSA.new( 2048 )
    context.cert            = OpenSSL::X509::Certificate.new
    context.cert.subject    = OpenSSL::X509::Name.new( [['CN', 'localhost']] )
    context.cert.issuer     = context.cert.subject
    context.cert.public_key = context.key
    context.cert.not_before = Time.now
    context.cert.not_after  = Time.now + 60 * 60 * 24
    context.verify_mode     = OpenSSL::SSL::VERIFY_NONE
    context.cert.version    = 2
    context.cert.serial     = 1
    context.cert.sign(context.key, OpenSSL::Digest::SHA1.new)

    OpenSSL::SSL::SSLServer.new( s, context )
end

def connect( host, port )
    context = OpenSSL::SSL::SSLContext.new
    context.verify_mode = OpenSSL::SSL::VERIFY_NONE

    s = OpenSSL::SSL::SSLSocket.new( TCPSocket.new( host, port ), context )
    s.sync_close = true

    begin
        s.connect_nonblock
        # Works with #connect
    rescue IO::WaitReadable, IO::WaitWritable
    end

    s
end

address = ['127.0.0.1', 7331]

server = start_server( *address )

t = Thread.new do
    puts "Got: #{server.accept.readpartial(1024).inspect}"
end

c = connect( *address )

p IO.select( nil, [c] )
# => [[], [#<OpenSSL::SSL::SSLSocket:0x7a21bdb8 @context=#<OpenSSL::SSL::SSLContext:0x469fea95 @verify_mode=0>, @eof=false, @sync_close=true, @rbuffer="", @hostname="", @io=#<TCPSocket:fd 17>, @sync=true>], []]

begin
    c.write 'stuff'
rescue => e
    p e
    # #<IOError: Writing not possible during handshake>
    puts e.backtrace.join( "\n" )
    # org/jruby/ext/openssl/SSLSocket.java:673:in `syswrite'
    # /home/zapotek/.rvm/rubies/jruby-1.7.12/lib/ruby/shared/jopenssl19/openssl/buffering.rb:318:in `do_write'
    # /home/zapotek/.rvm/rubies/jruby-1.7.12/lib/ruby/shared/jopenssl19/openssl/buffering.rb:336:in `write'
    # tmp/jruby_openssl.rb:51:in `(root)'

    t.kill
end

t.join

MRI 2.1.2:

Got: "stuff"

JRuby (jruby 1.7.12 (2.0.0p195) 2014-04-15 643e292 on Java HotSpot(TM) 64-Bit Server VM 1.7.0_55-b13 [linux-amd64]):

#<IOError: Writing not possible during handshake>
org/jruby/ext/openssl/SSLSocket.java:673:in `syswrite'
/home/zapotek/.rvm/rubies/jruby-1.7.12/lib/ruby/shared/jopenssl19/openssl/buffering.rb:318:in `do_write'
/home/zapotek/.rvm/rubies/jruby-1.7.12/lib/ruby/shared/jopenssl19/openssl/buffering.rb:336:in `write'
tmp/jruby_openssl.rb:52:in `(root)'

Cheers

[donv]

Have you tried jruby-1_7 branch or master lately? I think maybe 2b172a7 may have fixed this. It addresses the same symptom at least.

[Zapotek]

Certainly looked like it was related but I just tried with master (rvm install jruby-head) and got the same error.

jruby 9000.dev-SNAPSHOT (2.1.2) 2014-05-26 7bf6b39 on Java HotSpot(TM) 64-Bit Server VM 1.7.0_55-b13 [linux-amd64]

[donv]

That might be a delayed effect since the change is in ext/openssl which is a part of the jruby-openssl gem which may not be updated using RVM.

@mkristian might shed some light on this.

[Zapotek]

Ah, that makes sense. Not sure how to test it though.

[mkristian]

yes possible that I need to push a new jruby-openssl gem for the build.
just do so now . . .

[mkristian]

@Zapotek now the build on both master and jruby-1_7 will pick the latest jruby-openssl code. as far I understand RVM it will do the same.

[Zapotek]

I issued rvm reinstall jruby-head but got the same error when I ran the code.
I could be going something wrong, never tried to work with the repo jruby code before.

Not sure if it's helpful but the jruby-openssl gem on my system is called: jruby-openssl-0.9.5.dev-SNAPSHOT.gem [1]
Also, /home/zapotek/.rvm/repos/jruby/ext/openssl/src/main/java/org/jruby/ext/openssl/SSLSocket.java contains the 2b172a7 commit.

[1] Located at: /home/zapotek/.rvm/rubies/jruby-head/lib/target/jruby-openssl-0.9.5.dev-SNAPSHOT.gem

[mkristian]

well, that is tricky - if you have the logs on jruby install then you need
to see something like

Downloaded:
https://oss.sonatype.org/content/repositories/snapshots/org/jruby/gems/jruby-openssl/0.9.5.dev-SNAPSHOT/jruby-openssl-0.9.5.dev-20140526.094409-6.gem(2649
KB at 872.1 KB/sec)

or the installed jar file must show the following length
$ ll /home/zapotek/.rvm/repos/jruby/lib/ruby/shared/jopenssl.jar
563245 lib/ruby/shared/jopenssl.jar

anyways since you had such nice test-case I tried it on the master branch
(with all the openssl patches in place) and got the same error as you
mentioned in the very beginning :(

[Zapotek]

Has there been any progress on this?

[Zapotek]

Closing, root cause and workaround can be found at: #1694