Net::HTTP doesn't call verify_callback #597

Closed
jcoyne opened this Issue Mar 21, 2013 · 5 comments

Comments

5 participants

jcoyne commented Mar 21, 2013

Test case:

require 'net/https'

uri = URI.parse('https://www.amazon.com/')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
# Expected to be invoked once per certificate in the chain.
# Note that the block's value is the value of `puts` (nil), so after the
# message prints the handshake is rejected, which is the error shown below.
http.verify_callback = lambda do |preverify_ok, ssl_context|
  puts "***THIS SHOULD PRINT***"
end
http.ca_file = 'test/fixture/verisign_c3.pem'
response = http.start do |s|
  s.get(uri.request_uri)
end

# => OpenSSL::SSL::SSLError: certificate verify failed

In MRI, "***THIS SHOULD PRINT***" is printed. But not so for jruby.

Same issue here. Does anyone have this on the list? Fails with jruby 1.7.4 as well as 1.7.5.

ab commented Apr 2, 2014

👍

@ab ab added a commit to ab/rest-client that referenced this issue Apr 2, 2014

@ab ab Don't use verify_callback.
The OpenSSL verify_callback isn't supported on jruby [1], and behaves in
somewhat surprising ways on OS X due to Apple monkey patching OpenSSL.

We probably want to move in the direction of just passing through the
OpenSSL exceptions anyway.

[1] jruby/jruby#597
55e852c

@ab ab added a commit to ab/rest-client that referenced this issue Apr 2, 2014

@ab ab Don't use verify_callback.
The OpenSSL verify_callback isn't supported on jruby [1], and behaves in
somewhat surprising ways on OS X due to Apple monkey patching OpenSSL.

We probably want to move in the direction of just passing through the
OpenSSL exceptions anyway.

[1] jruby/jruby#597

Fixes: #165
See also: #168, e03e5e6
b59e2e5

ab commented Apr 10, 2014

Fun fact: if you set a cert_store (even an empty one), the verify_callback will be called.

Tested on jruby 1.7.9 (1.9.3p392) 2013-12-06 87b108a on OpenJDK 64-Bit Server VM 1.6.0_30-b30 [linux-amd64] and jruby 1.7.5 (1.9.3p392) 2013-10-07 74e9291 on OpenJDK 64-Bit Server VM 1.6.0_30-b30 [linux-amd64].

#!/usr/bin/env ruby

# With --fail the callback rejects every certificate; otherwise it passes
# OpenSSL's own verdict (preverify_ok) straight through.
always_fail = ARGV.include?('--fail')

require 'net/https'

uri = URI.parse('https://www.amazon.com/')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_callback = lambda do |preverify_ok, ssl_context|
  puts "***THIS SHOULD PRINT***"
  puts "#{preverify_ok.inspect}, #{ssl_context.current_cert.subject}"
  if always_fail
    false
  else
    preverify_ok
  end
end
http.ca_file = '/etc/ssl/certs/ca-certificates.crt'
# Setting a cert_store (even an empty one) is what makes JRuby invoke the callback.
http.cert_store = OpenSSL::X509::Store.new
response = http.start do |s|
  s.get(uri.request_uri)
end

$ ruby test.rb
***THIS SHOULD PRINT***
true, /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
***THIS SHOULD PRINT***
true, /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
***THIS SHOULD PRINT***
true, /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
***THIS SHOULD PRINT***
true, /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=www.amazon.com
$ ruby test.rb --fail
***THIS SHOULD PRINT***
true, /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
OpenSSL::SSL::SSLError: certificate verify failed
   connect at org/jruby/ext/openssl/SSLSocket.java:170
   connect at /home/andy/.rbenv/versions/jruby-1.7.9/lib/ruby/1.9/net/http.rb:799
   timeout at org/jruby/ext/timeout/Timeout.java:105
   connect at /home/andy/.rbenv/versions/jruby-1.7.9/lib/ruby/1.9/net/http.rb:799
  do_start at /home/andy/.rbenv/versions/jruby-1.7.9/lib/ruby/1.9/net/http.rb:755
     start at /home/andy/.rbenv/versions/jruby-1.7.9/lib/ruby/1.9/net/http.rb:744
    (root) at test.rb:25
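
A stand-alone illustration of the callback contract that jcoyne's test case and ab's cert_store observation above both exercise. This is an added example, not code from this issue, from JRuby or from rest-client. It drives OpenSSL::X509::Store#verify_callback directly, which takes the same (preverify_ok, StoreContext) arguments as Net::HTTP#verify_callback, so it runs offline against a constructed test CA instead of amazon.com; the CA, the "www.example.test" name and the rogue issuer are made up for the example. It covers the three return-value behaviours a practitioner needs to know: passing preverify_ok through, unconditionally returning true (which silently accepts an untrusted issuer), and letting the block end in `puts` as the test case does.

```ruby
require 'openssl'

# --- Constructed test PKI (made up for this example, not real certificates) ---
# issuer: [issuer_cert, issuer_key], or nil for a self-signed root.
def make_cert(subject_cn, key, serial, ca:, issuer: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', subject_cn]])
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[0] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY     = OpenSSL::PKey::RSA.new(2048)
CA_CERT    = make_cert('Test CA', CA_KEY, 1, ca: true)
LEAF_KEY   = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT  = make_cert('www.example.test', LEAF_KEY, 2, ca: false, issuer: [CA_CERT, CA_KEY])
# Same hostname, issued by a CA the store does not trust: what an interposing proxy presents.
ROGUE_KEY  = OpenSSL::PKey::RSA.new(2048)
ROGUE_CA   = make_cert('Rogue CA', ROGUE_KEY, 3, ca: true)
ROGUE_LEAF = make_cert('www.example.test', LEAF_KEY, 4, ca: false, issuer: [ROGUE_CA, ROGUE_KEY])

# Verify `cert` against a store that trusts only CA_CERT, routing every decision
# through `callback` with the (preverify_ok, StoreContext) signature that
# Net::HTTP#verify_callback and X509::Store#verify_callback both use.
# Returns [verified?, store error string, log]; log has one entry per callback
# invocation: [error_depth, subject, preverify_ok, error_string].
def verify_with_callback(cert, &callback)
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)
  log = []
  store.verify_callback = lambda do |preverify_ok, ctx|
    subject = ctx.current_cert ? ctx.current_cert.subject.to_s : '(none)'
    log << [ctx.error_depth, subject, preverify_ok, ctx.error_string]
    callback.call(preverify_ok, ctx)
  end
  ok = store.verify(cert)
  [ok, store.error_string, log]
end

# 1. Correct: hand OpenSSL's own verdict back, so the callback only observes and logs.
PASS_THROUGH = ->(preverify_ok, _ctx) { preverify_ok }
# 2. Foot-gun: `true` overrides every error, so an untrusted issuer is accepted.
ALWAYS_TRUE  = ->(_preverify_ok, _ctx) { true }
# 3. The shape of the issue's test case: the block ends in `puts`, so it returns nil,
#    and MRI's openssl treats any return value other than `true` as a rejection.
PUTS_ONLY    = ->(preverify_ok, ctx) { $stderr.puts "#{preverify_ok}, #{ctx.current_cert.subject}" }

if __FILE__ == $0
  [[LEAF_CERT, 'genuine', PASS_THROUGH], [ROGUE_LEAF, 'rogue', PASS_THROUGH],
   [ROGUE_LEAF, 'rogue', ALWAYS_TRUE], [LEAF_CERT, 'genuine', PUTS_ONLY]].each do |cert, label, cb|
    ok, err, log = verify_with_callback(cert, &cb)
    puts "#{label} chain: verified=#{ok} (#{err}); callback saw #{log.map { |e| e[2] }.inspect}"
  end
end
```

The two outcomes worth remembering: PUTS_ONLY rejects even the genuine chain, which is why the MRI run of the test case prints the message and then raises "certificate verify failed", and ALWAYS_TRUE accepts the rogue chain, which is why a callback written "to debug" must never be left returning a constant in production code.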
kares (Owner) commented Jan 18, 2017

This is expected to be fixed (along the way of jruby-openssl releases) in the latest JRubies:

***THIS SHOULD PRINT***
OpenSSL::SSL::SSLError: certificate verify failed
   connect at org/jruby/ext/openssl/SSLSocket.java:217
   connect at /opt/local/rvm/rubies/jruby-1.7.25/lib/ruby/1.9/net/http.rb:800
   timeout at org/jruby/ext/timeout/Timeout.java:98
   connect at /opt/local/rvm/rubies/jruby-1.7.25/lib/ruby/1.9/net/http.rb:800
  do_start at /opt/local/rvm/rubies/jruby-1.7.25/lib/ruby/1.9/net/http.rb:756
     start at /opt/local/rvm/rubies/jruby-1.7.25/lib/ruby/1.9/net/http.rb:745
    (root) at verify_cb.rb:10
***THIS SHOULD PRINT***
OpenSSL::SSL::SSLError: certificate verify failed
  connect_nonblock at org/jruby/ext/openssl/SSLSocket.java:227
           connect at /opt/local/rvm/rubies/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:938
          do_start at /opt/local/rvm/rubies/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:868
             start at /opt/local/rvm/rubies/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:857
            <main> at verify_cb.rb:10

kares closed this Jan 18, 2017

kares added this to the Invalid or Duplicate milestone Jan 18, 2017
