openssl ignores OpenSSL::X509::DEFAULT_CERT_FILE #1953

Closed
phuesler opened this Issue Sep 5, 2014 · 2 comments

phuesler commented Sep 5, 2014

Even though OpenSSL::X509::DEFAULT_CERT_FILE is set to a path, JRuby does not seem to use the CA file stored there. Of course, exporting SSL_CERT_FILE works, so I consider this a minor issue. I could replicate this behavior both locally on OSX 10.9.4 and on a server running FreeBSD 9.3.

I used the following test script. It is important to note that the certificate for openexchangerates.org is not in the installed JVM's trust store, which is how we stumbled over this problem.

```ruby
# test_ssl.rb
require 'openssl'
require "net/https"
require "uri"

uri = URI.parse("https://openexchangerates.org?missing_app_id=true")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
# No ca_file or cert_store is set, so the peer certificate is verified
# against whatever CA locations the OpenSSL implementation uses by default.

request = Net::HTTP::Get.new(uri.request_uri)

response = http.request(request)
puts response.body
```

I downloaded the latest cacert.pem from curl:

```shell
curl -O http://curl.haxx.se/ca/cacert.pem
```

This is how MRI Ruby 2.1.2p95 behaves:

```
$: ruby -v
ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
$: ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE"
"/etc/openssl/cert.pem"
$: sudo cp -f cacert.pem /etc/openssl/cert.pem
$: ruby test_ssl.rb | head -n 1
<!DOCTYPE html>
$: sudo mv /etc/openssl/cert.pem /etc/openssl/cert.pem.bak
$: ruby test_ssl.rb | head -n 1
/Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from /Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `block in connect'
    from /Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/timeout.rb:76:in `timeout'
    from /Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `connect'
    from /Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
    from /Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:852:in `start'
    from /Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:1369:in `request'
    from test_ssl.rb:12:in `<main>'
```

And now JRuby:

```
$: ruby -v
jruby 1.7.15 (1.9.3p392) 2014-09-03 82b5cc3 on Java HotSpot(TM) 64-Bit Server VM 1.7.0_10-ea-b14 +jit [darwin-x86_64]
$: ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE"
"/usr/lib/ssl/cert.pem"
$: sudo cp -f cacert.pem /usr/lib/ssl/cert.pem
$: ruby test_ssl.rb | head -n 1
OpenSSL::SSL::SSLError: certificate verify failed
   connect at org/jruby/ext/openssl/SSLSocket.java:180
   connect at /Users/phuesler/.rvm/rubies/jruby-1.7.15/lib/ruby/1.9/net/http.rb:799
   timeout at org/jruby/ext/timeout/Timeout.java:104
   connect at /Users/phuesler/.rvm/rubies/jruby-1.7.15/lib/ruby/1.9/net/http.rb:799
  do_start at /Users/phuesler/.rvm/rubies/jruby-1.7.15/lib/ruby/1.9/net/http.rb:755
     start at /Users/phuesler/.rvm/rubies/jruby-1.7.15/lib/ruby/1.9/net/http.rb:744
   request at /Users/phuesler/.rvm/rubies/jruby-1.7.15/lib/ruby/1.9/net/http.rb:1292
    (root) at test_ssl.rb:12
$: SSL_CERT_FILE=/usr/lib/ssl/cert.pem ruby test_ssl.rb | head -n 1
<!DOCTYPE html>
```
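The same three situations can be reproduced offline with an added example (not code from the issue or from JRuby): a constructed throwaway CA and leaf certificate are verified against an OpenSSL::X509::Store built from the default paths, from the default paths with SSL_CERT_FILE pointed at the CA file, and from the CA file given explicitly. The certificate names and temp file are made up for the demo; on MRI the explicit and SSL_CERT_FILE cases succeed and the bare default-paths case fails, which is the split the issue describes.

```ruby
require 'openssl'
require 'tempfile'
# Build a constructed certificate for the demo (not a real CA). Without an issuer it is a self-signed CA.
def make_cert(subject, issuer: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = issuer ? 2 : 1
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[:cert] : cert
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end
# Verify `leaf` against the default trust locations, optionally with SSL_CERT_FILE pointed at a file.
def verify_via_default_paths(leaf, env_cert_file: nil)
  saved = ENV['SSL_CERT_FILE']
  ENV['SSL_CERT_FILE'] = env_cert_file if env_cert_file
  store = OpenSSL::X509::Store.new
  store.set_default_paths # honours SSL_CERT_FILE / SSL_CERT_DIR, else the compiled-in defaults
  store.verify(leaf)
ensure
  ENV['SSL_CERT_FILE'] = saved # nil removes the variable again
end
# Verify `leaf` against exactly one PEM bundle, independent of env vars and defaults.
def verify_via_explicit_file(leaf, ca_path)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_path)
  store.verify(leaf)
end
# Reproduce the issue's three situations with the constructed CA written to a temp file.
def run_demo
  ca   = make_cert('/CN=Constructed Demo CA')
  leaf = make_cert('/CN=leaf.example', issuer: ca)
  Tempfile.create(['demo-ca', '.pem']) do |f|
    f.write(ca[:cert].to_pem)
    f.flush
    { explicit_file: verify_via_explicit_file(leaf[:cert], f.path),
      default_paths: verify_via_default_paths(leaf[:cert]),
      ssl_cert_file_env: verify_via_default_paths(leaf[:cert], env_cert_file: f.path),
      default_cert_file: OpenSSL::X509::DEFAULT_CERT_FILE }
  end
end
```

An implementation that honours DEFAULT_CERT_FILE would make the default_paths case succeed as soon as the CA bundle is copied to that path; a quick way to check any Ruby is to copy the demo CA there and rerun.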
headius commented Sep 5, 2014

Yup, confirmed...it looks like we just set this constant to a hardcoded value but don't actually use that value as the cert file.

headius commented Sep 5, 2014

Ok, so I have a fix, but all it really does is set up those constants to point to where we actually load the CA certs from. I am proceeding under the assumption that this is ok :-)

Note, however, that the CA cert file Java installs is not a text-based .pem file... it is a keystore file that holds all the CA certs. You can add certs to it, but only using the keytool command that comes with the JDK.
