-
-
Notifications
You must be signed in to change notification settings - Fork 922
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
jgem doesn't work - handshake_failure talking to rubygems.org #2220
Comments
Sample Java program which works:
...so it's something to do with JRuby or the Ruby stdlib. |
Seems to be specific to the IBM JRE. On Oracle JVM 1.8.0_25 it works, same JRuby (latest). Anything I can do to help track down the cause? |
OK, I think I've found a fix. I tried a quick minimal HTTPS fetch script. Turns out, you need to set the OpenSSL ssl_version variable to :TLSv1 and then it'll connect. Without that, it tries to connect using SSLv3, and fails. Since RubyGems.org is now TLS only, this should probably be incorporated into the jgem command.
Without the ssl_version set, you get the following error:
|
Interesting. If this isn't a configuration difference within openssl (that we should make to jruby-openssl) then I guess it would make sense to set this explicitly. I will investigate. |
It looks to be something within Ruby's net/http which in turn causes OpenSSL options to be set. Also, the flag isn't a complete fix -- even with that flag, JRuby wouldn't connect to an Apache server I needed to connect to. Unfortunately it's an internal Intranet site, so I can't easily come up with a demonstration right now, but it's Apache on CentOS 6 with a 2048 bit RSA key and SHA2-256 certificate and SSLv3 disabled, I guess when I get some time I could try setting up a VM with similar config and pointing JRuby at that and seeing if it fails. |
If you are able to set up a VM we can use to reproduce, that would be an enormous help. |
thanks @lpar , I had the exact same issue and http.ssl_version = :TLSv1 helps. 👍 |
@headius To reproduce (reasonably reliably for us) just grab "ibm-sdk-7.0.5" and JRuby 1.7.18 on RHEL 6.6 and try If you really need a VM image (like a virtualbox image or something) I think we can probably make one for you. Otherwise I'm not sure what you mean by "set up a VM we can use to reproduce". |
The latest IBM Java fixes avoid this issue. For more info, see: http://www-01.ibm.com/support/docview.wss?uid=swg21688165 |
To be unambiguous, here is the failure:
And here, my same Ubuntu 14.04 laptop, is success:
|
Thanks for figuring that out @bruceadams; Only applies to not-most-recent IBM Javas. On the one hand, I think it's great all these sites are upgrading their encryption to require TLS (hopefully v1.2+). On the other hand, we keep having to deal with this. @headius -- I think it is safe to say that rubygems.org will require TLS for the foreseeable future. I'd suggest just make |
@bruceadams pointed me at this article on IBM's site: http://www-01.ibm.com/support/docview.wss?uid=swg21688165 which probably explains what is going on here. |
Our jgem command is basically vanilla RubyGems "gem" command and downstream...so there's a missing detail here. If MRI is defaulting to TLSv1 that's cool, we can do the same. If they're not...we need to figure out why we see issues defaulting to SSLv3. This is very likely related to the "bad_record_mac" errors people used to see...I'm guessing TLSv1 deals with renegotiation better, or something? Can one of you investigate what the default ssl_version is on MRI...and why? |
They changed the behavior for MRI + OpenSSL recently: It would probably be a good idea to make JRuby enable TLS 1.1 and 1.2 and disable SSLv3 and TLS 1.0 by default via:
for people still running Oracle Java 7. And for IBM JDK/JRE,
should do the trick. (Edit: I think that should be disableSSLv3 = true, not false, because the sense of the option is reversed.) |
Copying @kares, @mkristian since they have been maintaining jruby-openssl recently. |
Note that you can also make the property changes via Java code if it's more convenient, so long as you do so before opening the first https connection. (That's how I ended up fixing my applications which are plain runnable .jar files.) |
As near as I can tell, IBMs Java doesn't support renegotiation by default at all. OpenSSL by default supports renegotiation upwards (e.g. SSLv3 to TLS). I think Oracle Java is doing the same. One of the post POODLE bugs was downwards renegotiation, which can allow SSLv3 attacks when initially requesting TLS. There was something similar with 3 -> 2. So maybe IBM was being overly cautious and disabled all renegotiation as default. I like being explicit. It's too bad we'll have keep adjusting as new TLS versions come out; 1.3 is due soon. |
I stood up a little VM on DigitalOcean with the IP address 104.236.104.183. It has four IBM Java versions installed:
and JRuby itself installed:
There is a user login for @headius with his github public ssh keys. I'm happy to setup a user login for anyone else who wants a test machine with IBM Java already installed. On that machine, as a non-privileged user:
|
I also seem to be having this issue as well on RHEL 5.8 using IBM JVM9 1.6 SR2 My IBM JVM information
The script I'm using to run JRuby-Complete JAR
The JRuby Version Information
The RHEL OS Information
and the error output from trying to download the Bundler RubyGem
Hopefully this helps a bit. My other issues with JRuby not running Rake was just on Windows so far. |
That is a very old Java release, from June 2012. Any chance you can upgrade Java to a recent release? There have been several SSL/TLS related problems and fixes over the past year, starting with POODLE. |
@bruceadams unfortunately no, due to lack of budget from my place of business (grumble grumble). |
turns out there's been SSL cert matching issues in jruby-openssl, also tracked at #4679 |
JRE is IBM Java(TM) SE Runtime Environment (build pxa6470_27sr1fp1-20140708_01(SR1 FP1))
IBM J9 VM (build 2.7, JRE 1.7.0 Linux amd64-64 Compressed References 20140707_205525 (JIT enabled, AOT enabled)
The text was updated successfully, but these errors were encountered: