SSL Certificates Don't Work From Jar

[sgonyea]

I'm here to keep the JRuby team mired in SSL blerghs. It appears that something broke when the jruby-openssl gem moved into JRuby. This assertion may be untrue, and I'll verify against 1.7.0.

If you warble a Jar with an SSL certificate, and set the ca_file (also, verify peer) to a file that was bundled along with the Jar... You'll get an error that's something like:

#<OpenSSL::SSL::SSLError: jar:file:/Users/sgonyea/tmp/dp/PP.jar!/my_project/lib/ca-certificates.crt> - ["org/jruby/ext/openssl/SSLContext.java:229:insetup'", "org/jruby/ext/openssl/SSLSocket.java:145:in initialize'", "jar:file:/var/folders/bd/qxsdqy3d7_gg31pdjm_00lsr0000gn/T/jruby260755300623026042extract/jruby-stdlib-1.7.2.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:776 [SNIP]

The code I'm using to make HTTP calls looks like:

      Net::HTTP.new(uri.host, uri.port).tap do |http|
        http.use_ssl      = true
        http.read_timeout = PP::HTTP_TIMEOUT
        http.ca_file      = PP.ca_file
        http.verify_mode  = OpenSSL::SSL::VERIFY_PEER
      end

module PP
  # Snipped, for how we get to the ca_file value above:
  def self.ca_file
    Pathname(File.expand_path File.dirname(__FILE__)).join("ca-certificates.crt").to_s
  end
end

Obviously, the above code works if you are not working from a Jar. Warble that code into a jar (or however) and it should fail. Doing a File.read on that will return the contents of the file.

My interim solution is to simply read in the CA cert and write it out to a tmp directory. It seems that there is no obvious way to turn a Cert file (containing multiple certs) into a Cert Store from a String.

If I do a http.cert = OpenSSL::X509::Certificate.new(File.read '...') then the HTTP request times out and fails to connect, it seems. Digging around in the code, it looks like the cert is not used unless a private key is also supplied?

[alenad]

I can confirm this problem. I get the same error with JRuby 1.7.2 and httpclient 1.3.2 (which tries to load /gems/httpclient-2.3.2/lib/httpclient/cacert.p7s from the warbled jar).

[enwood]

I can also confirm this as a problem under JRuby 1.7.2 and Torquebox 2.3.0.

  def HttpsPoster.post(mpg_request)
    http = Net::HTTP.new(@@uri.host,@@uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = "lib/ca-certificate.crt"

    puts "Sending:\n#{mpg_request.to_xml}"

    response = RespMod::Response.new

    http.start {
      http.request_post("/gateway2/servlet/MpgRequest",mpg_request.to_xml, {'User-Agent' => 'RUBY - 2.5.0 - Resolver'}) {|res|
        response.from_xml(res.body)
      }
    }

The call to http.request_post generates "OpenSSL::SSL::SSLError":

  org/jruby/ext/openssl/SSLContext.java:229:in `setup'
  org/jruby/ext/openssl/SSLSocket.java:145:in `initialize'
  /Volumes/HD/Users/tgriffin/.rvm/rubies/jruby-1.7.2/lib/ruby/1.9/net/http.rb:776:in `connect'
  /Volumes/HD/Users/tgriffin/.rvm/rubies/jruby-1.7.2/lib/ruby/1.9/net/http.rb:755:in `do_start'
  /Volumes/HD/Users/tgriffin/.rvm/rubies/jruby-1.7.2/lib/ruby/1.9/net/http.rb:744:in `start'
  lib/mpgapi4r.rb:20:in `post'
  app/models/user.rb:445:in `get_preauthorization'
  app/controllers/companies_controller.rb:28:in `show'
  org/jruby/RubyBasicObject.java:1659:in `__send__'
  org/jruby/RubyKernel.java:2086:in `send'
  actionpack (3.2.12) lib/action_controller/metal/implicit_render.rb:4:in `send_action'
  actionpack (3.2.12) lib/abstract_controller/base.rb:167:in `process_action'
  actionpack (3.2.12) lib/action_controller/metal/rendering.rb:10:in `process_action'
  actionpack (3.2.12) lib/abstract_controller/callbacks.rb:18:in `process_action'
  activesupport (3.2.12) lib/active_support/callbacks.rb:472:in `_run__438798832__process_action__596320002__callbacks'
  org/jruby/RubyBasicObject.java:1659:in `__send__'
  org/jruby/RubyKernel.java:2086:in `send'
  activesupport (3.2.12) lib/active_support/callbacks.rb:405:in `__run_callback'
  activesupport (3.2.12) lib/active_support/callbacks.rb:390:in `_run_process_action_callbacks'
  org/jruby/RubyBasicObject.java:1665:in `__send__'
  org/jruby/RubyKernel.java:2090:in `send'
  activesupport (3.2.12) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (3.2.12) lib/abstract_controller/callbacks.rb:17:in `process_action'
  actionpack (3.2.12) lib/action_controller/metal/rescue.rb:29:in `process_action'
  actionpack (3.2.12) lib/action_controller/metal/instrumentation.rb:30:in `process_action'
  activesupport (3.2.12) lib/active_support/notifications.rb:123:in `instrument'
  activesupport (3.2.12) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
  activesupport (3.2.12) lib/active_support/notifications/instrumenter.rb:19:in `instrument'
  activesupport (3.2.12) lib/active_support/notifications.rb:123:in `instrument'
  actionpack (3.2.12) lib/action_controller/metal/instrumentation.rb:29:in `process_action'
  actionpack (3.2.12) lib/action_controller/metal/params_wrapper.rb:207:in `process_action'
  activerecord (3.2.12) lib/active_record/railties/controller_runtime.rb:18:in `process_action'
  actionpack (3.2.12) lib/abstract_controller/base.rb:121:in `process'
  actionpack (3.2.12) lib/abstract_controller/rendering.rb:45:in `process'
  actionpack (3.2.12) lib/action_controller/metal.rb:203:in `dispatch'
  actionpack (3.2.12) lib/action_controller/metal/rack_delegation.rb:14:in `dispatch'
  actionpack (3.2.12) lib/action_controller/metal.rb:246:in `action'
  org/jruby/RubyProc.java:249:in `call'
  actionpack (3.2.12) lib/action_dispatch/routing/route_set.rb:73:in `dispatch'
  actionpack (3.2.12) lib/action_dispatch/routing/route_set.rb:36:in `call'
  journey (1.0.4) lib/journey/router.rb:68:in `call'
  org/jruby/RubyArray.java:1613:in `each'
  journey (1.0.4) lib/journey/router.rb:56:in `call'
  actionpack (3.2.12) lib/action_dispatch/routing/route_set.rb:601:in `call'
  exception_notification (3.0.1) lib/exception_notifier.rb:41:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
  rack (1.4.5) lib/rack/etag.rb:23:in `call'
  rack (1.4.5) lib/rack/conditionalget.rb:25:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/head.rb:14:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/flash.rb:242:in `call'
  torquebox-web-2.3.0 (java) lib/torquebox/session/servlet_store.rb:31:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/cookies.rb:341:in `call'
  activerecord (3.2.12) lib/active_record/query_cache.rb:64:in `call'
  activerecord (3.2.12) lib/active_record/connection_adapters/abstract/connection_pool.rb:479:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/callbacks.rb:28:in `call'
  activesupport (3.2.12) lib/active_support/callbacks.rb:408:in `_run__50436167__call__10772720__callbacks'
  org/jruby/RubyBasicObject.java:1659:in `__send__'
  org/jruby/RubyKernel.java:2086:in `send'
  activesupport (3.2.12) lib/active_support/callbacks.rb:405:in `__run_callback'
  activesupport (3.2.12) lib/active_support/callbacks.rb:390:in `_run_call_callbacks'
  org/jruby/RubyBasicObject.java:1659:in `__send__'
  org/jruby/RubyKernel.java:2086:in `send'
  activesupport (3.2.12) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (3.2.12) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  rails-dev-tweaks (0.6.1) lib/rails_dev_tweaks/granular_autoload/middleware.rb:34:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/remote_ip.rb:31:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/debug_exceptions.rb:16:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
  railties (3.2.12) lib/rails/rack/logger.rb:32:in `call_app'
  railties (3.2.12) lib/rails/rack/logger.rb:16:in `call'
  activesupport (3.2.12) lib/active_support/tagged_logging.rb:22:in `tagged'
  railties (3.2.12) lib/rails/rack/logger.rb:16:in `call'
  quiet_assets (1.0.1) lib/quiet_assets.rb:20:in `call_with_quiet_assets'
  actionpack (3.2.12) lib/action_dispatch/middleware/request_id.rb:22:in `call'
  rack (1.4.5) lib/rack/methodoverride.rb:21:in `call'
  rack (1.4.5) lib/rack/runtime.rb:17:in `call'
  rack (1.4.5) lib/rack/lock.rb:15:in `call'
  actionpack (3.2.12) lib/action_dispatch/middleware/static.rb:62:in `call'
  railties (3.2.12) lib/rails/engine.rb:479:in `call'
  railties (3.2.12) lib/rails/application.rb:223:in `call'
  org/jruby/RubyBasicObject.java:1665:in `__send__'
  org/jruby/RubyKernel.java:2090:in `send'
  railties (3.2.12) lib/rails/railtie/configurable.rb:30:in `method_missing'

[rtyler]

@sgonyea I'm curious what your workaround for the jarfile looks like in code terms, I'm also hitting this issue when using the New Relic gem from within a warbled jar file. :/

[sgonyea]

Read the SSL cert in from a file and then write it out somewhere. So, a tempfile or into a folder, relative to the warbled jar (which is what I am doing).

If it's a private SSL key/cert then you can touch the file, set permissions, and then write to it (or something).

[rtyler]

It looks like all-around-nice-guy @jordansissel has created a work around for this, as was documented for JRUBY-6970 which can be found here

I'm going to give it a try and see what happens.

[kares]

this has been fixed by Kristian's commits (it's in jruby-openssl 0.9.6) ... starting at jruby/jruby-openssl@aa51d9b#diff-67972a6a9364f41a90295ceabf0e9180R298 sponsored by @lookout :) !