From 4ae0de4f4cc06f09c9c269f42070b7a88beec4dc Mon Sep 17 00:00:00 2001
From: joe miller <joeym@joeym.net>
Date: Sat, 28 Nov 2015 18:17:01 -0800
Subject: [PATCH] support TLS client auth (verify_mode) in jruby

Adds support for `verify_mode` to configure client authentication when running under JRuby.

Things to note:

- Assumes the CA used to verify client certs is in the same java
  keystore file that is used when setting up the HTTPS TLS listener. We
could split this out, but not sure if it's necessary.
- Friendly/helpful error messages explaining why the verification failed
  are not present in the same way they are in the CRuby/OpenSSL code
path. I'm not sure how to make them available.
- I did not include any code to create the `keystore.jks` file in the
  `examples/puma/client-certs` directory because I didn't see any
existing code to create the `examples/puma/keystore.jks` file. The
commands to create this keystore would be:

```
cd examples/puma/client-certs
  openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12
  keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah
  keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah
```
---
 examples/puma/client-certs/keystore.jks     | Bin 0 -> 3743 bytes
 examples/puma/client-certs/server.p12       | Bin 0 -> 3274 bytes
 ext/puma_http11/org/jruby/puma/MiniSSL.java |  20 ++-
 test/test_puma_server_ssl.rb                | 129 +++++++++++---------
 4 files changed, 85 insertions(+), 64 deletions(-)
 create mode 100644 examples/puma/client-certs/keystore.jks
 create mode 100644 examples/puma/client-certs/server.p12

diff --git a/examples/puma/client-certs/keystore.jks b/examples/puma/client-certs/keystore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..6d734fadce1949b3b47e36b62749ca612fbaddf6
GIT binary patch
literal 3743
zcmeH}XHXN^8ivydy@gN&q?brdLRX4{AP9sW0Yi{}K}C8~KtMwYZ9$sS6A)C2F@gw4
zmL^4zqJly|qzD4)D!txpnVsF8x%bYU{kwDK%$fOqob#Rcop-+HVD(@X004k~-yjb+
z003xXg(5-#OpYoVNF4wG3`fR;d64nItx_-u2m%3tNKPoL0>PB9$q589F#(X;C_W@F
zl#Mk@E;;*~k|*$p0NCFv1O-RJ{#1kngkE+-u_IZbU<U}8gYgzpLXZ=sjzlBTXe3e_
zt>rAljYgp~kSL_iZ-u{ccRWz)kBtJE0N{8aH-PaGHc&he2%xKc-@+ehLcozL&+nIq
zU=k3!vl82Hb#cQiy=o7}S)%G@u7Q*#GPy>s2ze{c+4$U;T8>Dj61V2<TBul#w*D_M
zM2W|!2YMyx@rk0;97*Gf$!Pwx>z!|T%CY7@84v-aheDCv_=hLXuljd{usk0ec9L?f
zxBBz}jWaUwMzwcj7>=wRf}8{gR4|zh>-ZBI8K#!gv|XHqza6a!ls>gnFq1<4?9qlG
z--)`d{`p`Q&4)1!-?QiSveNCI11@ys2#i#<XJ$HlrCTH$;H0cHyyx!e+-U?aB!KMl
zb@LjWoJ}YvE3XdE$(D^q9G-a0q@+T=q{7w)jEFo_0s;d8K$0|463NXl<R~8ycnD!a
zf*A*r>*oUZ&jkp>a_AprWcbaH5eTRv_!KXjvYK!7S`RtNVvpmuQ>MMQZ@Z{l<$ZA^
z97EV=gf=@LR&iU^1l<jIR=Z5T^~o?my7=n5xphod`e$`^T&}~=qsOZkZ%!V3o4p~g
z@hlv6nc%Jp=H60pHPLA9RFf9gewv({gxQP<s~XS1!zgLQJ;PqPynU&m!wDRW2_4a7
zN6ih7o;O~pk<Ae=Giw#--_0#N_+(Jx_(&o-&t_vvzlYa48{LulVKPY(|E!uv-`94P
zZ*04~Sy9J}AoKBLiBr2gbILv5$F1~kgeR6Rc$l&X^50_ZH!@aUTZ$+amm`8Ex%(FD
zs;`b)Qk2P%J<u{$468FyJ;jI&5C9GK3JUWI`ZY3qGys4RhIq&xLq9e}C=dcv0P!*s
z0)WIr7G<v6bW1Qdq}lNWd1|~Xz8_lSrUmcKhb8t{#mvwjdPl&=c~T;7kn1Xn!Esb!
zYAB%0SM)2^j*c);ySF?FyPM0sU3S*|3gv}Qu$znN(Z0aQ{J}fa)blRR4ZCl$=Qj7k
zp}2kOcMFHRhh?oH4OE4|9E&p>CIap^Gifr(88fy%L3T#QoF7=lG^-H@b+-AY-UL-V
z&d;<9D=csutNf~y+VmiDqm&|ivL;s4MeFtk>ZaDp?9&tV?uvtvYj@!YA@EF@MEAHI
zm)Q&5o26f?wYcc%I}ll7L_{e0<9)Y%BH1YTduNe}^h-%hk%W<fHreWYnW);PN}9=S
zX^_47hb43gr$Hw(p@rQ}<Xipm7zwemN-iB*DMHk4F(NOu*6hl-4GrB%p7b52d~Q0;
z0~XN}J~#03<9%Oy^)bmw*lEMof0fId$e;S8*mmX=K+_~vpIIixGYeb42dbo9G_AV=
zbIgK~CJZke+7;l8uS?W>@lU>)#!trQbauQ-2qbI4d4a|bnVv(hbu%!7kT|$ALgt=D
z;2t&v&p)Ci<fGrosm#CYd44#Q4?$-;5=M9bf=}t`GWiMKgD#0F{!-Y#I~jZR?l6{0
z>My5Ylu5qTnL#b5Lhtd+*I1t1PEiT6tbMZ@>=8_Z@EJMn@vE9ykv8`ry1mY3nu$-{
zd}KzM4X5VZdzGfNEwf51d_MWH>#@PEzqT{9=s?DdHoj|Q?&%yyzjlmYapOr-@tz^y
zV(D9K_)g#^h}a}5t*)*rHpuK-+SlaUtUG;F9`>k_A;GwU{YAZ5wAx7D;YCEg>$R6-
z%;>lG6B0COy(!PfLiEX(v@kqP!g|)b3bV(EXY!cWLcug6?;5j9$}gjx;|*f1r;UP^
zoA6xbz-t0TX{kFFvYHE+L#U%eF4VLrmpx1~J8raEJU!AiCwQJrLsoM5hstts7G@Y{
zWpn6Ehgg4<4b2E(R-ADSlYqFk1bm<VGR?1QBJv_AeDb1?QiA6KbHMhai$B&__#aKU
z!+~^(vVR#qIODtXKB}XF9!_k-9zSwg@<CB4;cam`lLh~q+2rc_fH;9mpDq*A9|7)P
ziRk{Q?M}6Py@;`Hy_hfFOSEm3<O^`)!SY6lXQbg}he>e`+9jf;Tn_ARt+D%(4{IM5
zEYNywp7ipz@-NqWN;*)Msv06{!(K}9D8tJ<M^P4}&6S1C;EEXb{E0Q?zz+9<Fu6uS
za!uvt`iWzj%|SIa)%97FXo!uE{=C_q!jy6MJ&v!lg5;u$%?~Qr=f-v2QpVuC9{CHL
z)<XpjUab}46}Z^bVo=kV)FNm7g|Ez;TDzX3OX?Pz)@<wBPYPh1V;{DMB(0WHdA3Fx
z^^9)pF`pP1|Cju*k@~p%hf~gZv=&5vQqkVH+KA7m{K0c!4aa&d%X}&(bkeT2FB*x&
zQaGGuSlZRDux9aJ*c!CLaz#9;bM3NgpMLJ5PQ43V9!p9({wTYJ<~C<p+hP{EHD~sD
zlR~qh#pKtn>Uol6Ia0^^9;CuQ9E~w8F3?LY-(opN+KCI;d!=K2NiOtT;>a!6=9W&J
zq}Zl3r{<Q;$<ffO6<i>tZ9Kg}%8-iyO6j1jrRfC;yzuI%ggt9lxr%umTh=gFF>!Gq
zKHX2tZ@!(MUzf1q&i>#Rl=vMT*cj*lWlY@9zo7%@FQepdjQ9VI4hH`ZmcWoazhVh1
z3azDrWGob;@BdB^eeV>+(&hbh3ulC(l51lIECv!KyIs{i_A1+iFH=8^+6N9t>a;y7
zbsmJGMS8!bE0rqQ<pU^siY`$X=F6T3d+itX?ymbeI9%fis8*DUGL2hF%6e8<x<H@#
zDJoaCy~e;&S=U4kWbBW6Y}*B1t~YI(Z9+A-d`ouW_1h@8^!|OfdG%S8;t=ZH8?mJ<
zg-H66+CkG|;5@GNSbNAqnT_L)4_HQr-MN2b=SzCc<Hn&xT&X{K;@mdw+}Qn`w?<jz
zgb~Q`1cA6fid6Y!-<>3X);>NCZ~xiovpSf9K4^DWIm9c&=?X%RtE6hFkP`lw&tso8
zK=#)CM{O>o$X^M9q1>N=0aE`Lmwy2U$?pn&L1w<zJNUUqKRuRd+bt96k!w|+`ikj0
z&T%4|Zq|nNg=cddpDMv!Y!%z({a0~sRx$<z)~I6grmGsN9fb?0r=LuF)kO~YURV+~
z7v5LFulv#sts-$QT`E&ua)_26eP3+y=1w&E*Y=83F5q4b_GIc~H!T{jxkOiqi+j+*
zPW!3q{-DG`F8EvsBWaV4i1ECW5_;dHcd&utP2eT+YHqJMCXolCNvm53lsNw!C7Qjp
zLFkmOeZID;IX}HNpzwX=I#UZKUtCZS|4wes#k$a_+i6HKYpKkb5bZw;-<Wny3@<qz
zn7Z-sS?f|HoS$RDrqsY&U`O=wKRo>pPyfTy|B<IJWiMmCifS#?*ExHPu1F)%#xHFD
E4T{|^s{jB1

literal 0
HcmV?d00001

diff --git a/examples/puma/client-certs/server.p12 b/examples/puma/client-certs/server.p12
new file mode 100644
index 0000000000000000000000000000000000000000..6fb6ba6046db3096a51886b7d7c8d68c4367d0eb
GIT binary patch
literal 3274
zcmY+FWmFT4+r|fs4aSffA>jzAQJaD^GP*;`BAtYUFkpa$I6zubLTV~Z>5frKC<9cO
zfWQE01W6GADc{F)-uHd}{}1<lpL6}rxj$Y%Bp&*nmWB?AhbDm-5swWXA28E^X$W{|
zI1mpF`6muU;=wHcA`k%&1|adE6Iz<T=hwf42FVYC{O<=S4G4J-$PfWCs5RjoD5a%k
z07T+JWM!p|K=obWKDUhBWRDVH{ZL3&VT*)}Im1bv*Ay{)8P9xb1<y6s+PLX`5@(N#
zv#n>`dc$$vnL2%MSK!)mflEQPC<3P1UE(uxPWJNy!RyF|t!qbQ;+rBiohQjv$}J1M
zS9O*j!zD=D-`Y20tOHG2R$c~~g_dpSbm=Hg3hMj0=MsquLazXvHM#!p)juYH(Y^I~
zQ)<2&F&|ZHSW83^(40n&8kJCzr^m%=W&c0BI|#11@WcU)zCp>GHz;4LQR?c(`wsrd
zPJ(Nd4JQbk#Kx;-onIpI$a3QCmc$m2ciHd$hl95-prT(l7v&p6k{6=)QUc@B{M8IS
z*Nj9^>SAG-t|V>c^vj1O{F-9nv-0ParE5HZH{p>N-532CJN%#ZI-SbGTkR6fq-5fC
ztW$N#aZ75iVoBaNaS7Fx$K>1(&c<EAd-+*!{RK;3M!Cca)RdcGtkb16z4sO$5W7nb
z1Xg2OzB+QX&(@RX%(bJVPu5KI<NEGBj0pMggK*RA5~@b^_ocg9`vi+I!1#QExw%`w
zEg0t{9Y|v)1Wd?FeZI$GEvdjBKB;n$4N!Xx@kfwpg{5^ASG9G~-S_IIwWaY`qpN0o
zaD^_BRG-XH1=962zYZ-`?jKA2P1~7=2``6Qi}I9@#b|K$bQU`?XFygg6L38Uue^Eq
zltLqRQx&3c+SE{!`=uf7rFKP@ARYF1`fT#&TKzB2Mh#!)i?q|*oM&<D`u?X9+cp=&
z%lq&s)zh3uQ=G+So)7G(%YK};EFn0yteG_OaAOG~E79((L(`zaS4VN|h)Jwid2mTT
z=DL6@cDyRm=|`|_3X^JFURBz*{|2Fv>U=xT{4`>Dk=`=MJk$*-95{Tro&iBlnDH1D
zUM!1~Kmy7+HS~K1Ui{{si{1i_9rf6)LB*UeKcRB4C;u!h?dW`~TQb8b3;9q!R(I8E
zxNy6JsdazoSw~b}wt`n7Bt(tLrxy1?9mt}m;y}B+8zE$q0ewNIt2AsnV=2t>%?^i(
zf&l8p1K3JQ%kK0^?F|!t%;MdhZDIMNFggYEmK6ebWNA~NeDg)oMvPxBl>ZmUh~ofX
z>W^Fe0@5n=74q6i%1sv*hI%}<c8-GaRY5*e0YYW{_s6o|6a*HpDOz2|Eu;2qAlM5F
zgtMUZN%xdR;q8V=(%A%W(_q;N5azdXRmynZ&)i8UPPtw(Be!cI&@K@5TU=&6AKQRG
z46`bax-f~DkzI)k>`E4(JM%8EXX)6B%){y4**I&+nLlkMl=C!H+^8K!PncD|^=1zF
zmf4V8e?}z_v1zlmQg(<A@m?(*u~dx#=OvH;&X9)dg(8H<BU?ux6<S$LD`p#0a~|6!
zxSM44vbQW85WoJ^_0w%<Rv-AOJ$PP47M%HX$t^&cIO;oCJ9F%v<~Af<MNrHa2kH5i
zZO%W+dcR&C9tY)&#aoZU#Igi&HM)({EIaY;buM#xgw*Td>W5L83GXURnD4+{7yAz!
z;ICb-8XWsYYpy0={yOS?*i;m`bF#Q*+&qjgR}7L*e*tdT?YwhrTh$!T#Y9axZgn!W
z9LR|Q>4(w3*?KZiX-uPL<l+(h=ktqW?v5+(IZa2<WEN(5`_u&O*akiY@Fd>-P4I97
zCVnzFbU=H_vmP^kEX`1qp%8eI;M?y3+h)o8QqKJ7eF?r#F=fcuVEd8-%FG!j7=YPW
zXzQWShWv0vf6XebM0L2h=fwJWy_jdZGFiAp;90fS=2>w(>a?xc5KB9BzAX{;g>Hdq
z=%=iHo+<u^66Kyt0`+tR(<V(;JO40nW=KS)bsNCRn%q=d*4ufjZowuED)UsyP)_~W
z#m*kFTfmPAXnI)w-YMG$;Y(g>Q~12%d@LVP%lSz=HSVRQH^Ii54Kx1~wG=fx%-!Z`
zuN8%Tgr%1e7EofYqdez_GlOZVrh403m7EqAd)KQj{c!|{>wi>|<b{1mR68cbj0{-v
z53>m0YG0J^45261R`|2h0d_73s>Xb{3Pn@PgL{!vqa^v(!9A)B42be22S^+lLMGt0
z8~eCdzFKTnj~%SQa}7%o4%JdZAJ#*Ukd^CRtxpeE&0FYxmW4lNZJyh#;EG{T#@vjY
zy3FM(kq@|xITFpt=vMRUrd?EVOLy_^JEV>>{M>lGW@&tj2YUydOZsT9vhihLphbie
ztYcnueWQ#6wrohs0B<n$9~O4n?I;@jEFU2|iB_^Bn|NmyHG|J&gG7uM5~er<YxWE8
zK(lVF{5%29V)zi45Gmc`Ni2Bn_8%mk-r+yQN5IpY1M&36|HS(Lj5dhr|1=1pp(Wsf
zTSz?c`+wPy?ynuu{_6CH{3GbUb_C*qWU<U9lN|=M;5sG#lgEXo=?RQFPdwStG$}FQ
zegnd|cvfTc8`-$)%J~vWQOGZQNoY7{m%HU%U9`&UPbu#qKSl=GjC=<sU3{2IbtMrw
zV58S%AlqCYE^>EK>We3Wn&VNfjnd(mZw|D6!ImO$M!4MKU{14`8s0o?pU(M@FcBC`
zYVRdB?n3;+nb2D36TSWtSgk5RjdlBq#2jB5$(roci@QB--yfW+?)una>Gi_39qxl3
z;Gsgk5^5z9p0R{|c1?^3M`{{y#q)_K)49>vq?XSq+u#pt$V_WU;IyH|I8U_dXV2!a
z`_Rh@+n!Sb&&MgX<W>#W1h>-^Mt7M|wO`LtccYR&HXt3WGk>Zx2y{<48#+C-_%c4J
z0gI?gSr=CP^eNAT(e5@oRH0z6(WqMHBG-EUV@01yGpuM<+n9wp#b{YhygVF}nc3ea
zssTZIGNQa24^L%J_{QYKBPXCr+;*M|kL9y}I~)l|ja#Snd9g~F*tUP^l@IR^zhX74
z5TD*5hJ%!Rw>eqW)pM*_3RP@|NMZ-8+0^9_Dr?6a&vQ8go4yhGc?f={ZkY>0CtFVC
zUGULHv(v@FerjYwm}I@3*YZ7ISP46TV!Adw;b;NS6S#pTccdV=KRqqw>7c>cxSqkL
za**hEltF%+D23Fo9z}V=6+Eq}Xd9S=Ua`KvBII>I`!(V7x~{inghU-=#Z@wRLogt(
zih|o?tu5B|e^$gSrL@Zr>rN={72<wI(;gbS)~yTEv5Jm2m-t<h(gG|WG>Fc!ggvT2
zzcCK&F=)vaCmQeld43*%byMr_zFR8*5+9bllR$^4x@w+!L%n_)vFg8aH@pokC)v|O
zTpAw+tqnSvHwtI|`5v#<SAd?stvA=ebF1Uk;QsfY-KP@!V#0mRrdG`k8LIh1J(N|?
zcRoRhD_rrPzp|h4#9c<%u7<%szuyeo%|k`|ljN`^ZkNue2VD*d;+s}kJohfR{<&C1
zn)9=<-~SrZ7_=98gt0e(-jnI2R4yeK7uNj}RjMi{y)g$;-=;G^7#|QXGGy5qdmZZ^
zi>cX7_b3wn-I0@e?HYYb2AP1BeqOhE(~3K2^k7zQ%Z=;Zl%pfF?A>#E?yf|*ZkI-W
zcI;&OoYB}$G2G<M9`rS1)G$q&{jG$8RxWw!4*SK@tmtQ@@+PZK)*f}Li1{r%3eWB(
z<*pLX1Q+xQa$;Zh$&GK6=DC)9a$6r_(}<vE<j9LY>Y8_94Bht`i5VU!fKWzO#+7Ji
z(RvNVw^9B9V@drQ+M9#%vH8ZJZ!yGkbzq?h{!(!CLzZq)A-GGynwm<j{VedT{m1w7
z!WLnkHUZz0LBlBz14$^-olURj`I>D)((!6b6c|X9Vp0EmpoQ(4?};iS--@Z(H0y&z
zZp8t}U?N@4%=H_n8Yyir*NGU74_98*sA(nL9mqC{k}52*MrexXY-#fqiqRtbyGt%o
z-zxjR!@N7kLkoN$g)0G;@{cXeio`5`vHV7~WC7BI%66JKxa?2-x;pBBD#~z}y7kVz
z5Z)eF2%4(k0pbIyWAZt2j@d^L#hI1(k1akH96%S0M?Y@)1Rhsjzp!I0w04E4)g*+{
zLh}88J2Jvh=Pp12{(!pxECBa+BSrp&oG30JjOuch0PG2T2;vo>P6?mW)VQR1j6@-Y
ykc=RDsdIF+yz~Gdj6S99&;<kAO<P)D4#*XdOT^0w0vSRTli+pxLRNn(^nU;)XAemL

literal 0
HcmV?d00001

diff --git a/ext/puma_http11/org/jruby/puma/MiniSSL.java b/ext/puma_http11/org/jruby/puma/MiniSSL.java
index b284ed5dd8..3655df78fb 100644
--- a/ext/puma_http11/org/jruby/puma/MiniSSL.java
+++ b/ext/puma_http11/org/jruby/puma/MiniSSL.java
@@ -13,6 +13,7 @@
 import org.jruby.util.ByteList;
 
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
@@ -136,23 +137,36 @@ public static IRubyObject server(ThreadContext context, IRubyObject recv, IRubyO
   public IRubyObject initialize(ThreadContext threadContext, IRubyObject miniSSLContext)
       throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException {
     KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+    KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
 
     char[] password = miniSSLContext.callMethod(threadContext, "keystore_pass").convertToString().asJavaString().toCharArray();
-    ks.load(new FileInputStream(miniSSLContext.callMethod(threadContext, "keystore").convertToString().asJavaString()),
-        password);
+    String keystoreFile = miniSSLContext.callMethod(threadContext, "keystore").convertToString().asJavaString();
+    ks.load(new FileInputStream(keystoreFile), password);
+    ts.load(new FileInputStream(keystoreFile), password);
 
     KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
     kmf.init(ks, password);
 
+    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+    tmf.init(ts);
+
     SSLContext sslCtx = SSLContext.getInstance("TLS");
 
-    sslCtx.init(kmf.getKeyManagers(), null, null);
+    sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
     engine = sslCtx.createSSLEngine();
 
     String[] protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
     engine.setEnabledProtocols(protocols);
     engine.setUseClientMode(false);
 
+    long verify_mode = miniSSLContext.callMethod(threadContext, "verify_mode").convertToInteger().getLongValue();
+    if ((verify_mode & 0x1) != 0) { // 'peer'
+        engine.setWantClientAuth(true);
+    }
+    if ((verify_mode & 0x2) != 0) { // 'force_peer'
+        engine.setNeedClientAuth(true);
+    }
+
     SSLSession session = engine.getSession();
     inboundNetData = new MiniSSLBuffer(session.getPacketBufferSize());
     outboundAppData = new MiniSSLBuffer(session.getApplicationBufferSize());
diff --git a/test/test_puma_server_ssl.rb b/test/test_puma_server_ssl.rb
index 12e68b97d0..cd506ec9cc 100644
--- a/test/test_puma_server_ssl.rb
+++ b/test/test_puma_server_ssl.rb
@@ -132,92 +132,99 @@ def test_ssl_v3_rejection
 end
 
 # client-side TLS authentication tests
-unless defined?(JRUBY_VERSION)
-  class TestPumaServerSSLClient < Test::Unit::TestCase
+class TestPumaServerSSLClient < Test::Unit::TestCase
 
-    def assert_ssl_client_error_match(error, subject=nil, &blk)
-      @port = 3212
-      @host = "127.0.0.1"
+  def assert_ssl_client_error_match(error, subject=nil, &blk)
+    @port = 3212
+    @host = "127.0.0.1"
 
-      @app = lambda { |env| [200, {}, [env['rack.url_scheme']]] }
+    @app = lambda { |env| [200, {}, [env['rack.url_scheme']]] }
 
-      @ctx = Puma::MiniSSL::Context.new
+    @ctx = Puma::MiniSSL::Context.new
+    if defined?(JRUBY_VERSION)
+      @ctx.keystore =  File.expand_path "../../examples/puma/client-certs/keystore.jks", __FILE__
+      @ctx.keystore_pass = 'blahblah'
+    else
       @ctx.key = File.expand_path "../../examples/puma/client-certs/server.key", __FILE__
       @ctx.cert = File.expand_path "../../examples/puma/client-certs/server.crt", __FILE__
       @ctx.ca = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
-      @ctx.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT
+    end
+    @ctx.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT
 
-      events = SSLEventsHelper.new STDOUT, STDERR
-      @server = Puma::Server.new @app, events
-      @server.add_ssl_listener @host, @port, @ctx
-      @server.run
+    events = SSLEventsHelper.new STDOUT, STDERR
+    @server = Puma::Server.new @app, events
+    @server.add_ssl_listener @host, @port, @ctx
+    @server.run
 
-      @http = Net::HTTP.new @host, @port
-      @http.use_ssl = true
-      @http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    @http = Net::HTTP.new @host, @port
+    @http.use_ssl = true
+    @http.verify_mode = OpenSSL::SSL::VERIFY_NONE
 
-      blk.call(@http)
+    blk.call(@http)
 
-      client_error = false
-      begin
-        @http.start do
-          req = Net::HTTP::Get.new "/", {}
-          @http.request(req)
-        end
-      rescue OpenSSL::SSL::SSLError
-        client_error = true
+    client_error = false
+    begin
+      @http.start do
+        req = Net::HTTP::Get.new "/", {}
+        @http.request(req)
       end
+    rescue OpenSSL::SSL::SSLError
+      client_error = true
+    end
 
-      sleep 0.1
-      assert_equal !!error, client_error
+    sleep 0.1
+    assert_equal !!error, client_error
+    # The JRuby MiniSSL implementation lacks error capturing currently, so we can't inspect the
+    # messages here
+    unless defined?(JRUBY_VERSION)
       assert_match error, events.error.message if error
       assert_equal @host, events.addr if error
       assert_equal subject, events.cert.subject.to_s if subject
-    ensure
-      @server.stop(true)
     end
+  ensure
+    @server.stop(true)
+  end
 
-    def test_verify_fail_if_no_client_cert
-      return if DISABLE_SSL
+  def test_verify_fail_if_no_client_cert
+    return if DISABLE_SSL
 
-      assert_ssl_client_error_match 'peer did not return a certificate' do |http|
-        # nothing
-      end
+    assert_ssl_client_error_match 'peer did not return a certificate' do |http|
+      # nothing
     end
+  end
 
-    def test_verify_fail_if_client_unknown_ca
-      return if DISABLE_SSL
+  def test_verify_fail_if_client_unknown_ca
+    return if DISABLE_SSL
 
-      assert_ssl_client_error_match('self signed certificate in certificate chain', '/DC=net/DC=puma/CN=ca-unknown') do |http|
-        key = File.expand_path "../../examples/puma/client-certs/client_unknown.key", __FILE__
-        crt = File.expand_path "../../examples/puma/client-certs/client_unknown.crt", __FILE__
-        http.key = OpenSSL::PKey::RSA.new File.read(key)
-        http.cert = OpenSSL::X509::Certificate.new File.read(crt)
-        http.ca_file = File.expand_path "../../examples/puma/client-certs/unknown_ca.crt", __FILE__
-      end
+    assert_ssl_client_error_match('self signed certificate in certificate chain', '/DC=net/DC=puma/CN=ca-unknown') do |http|
+      key = File.expand_path "../../examples/puma/client-certs/client_unknown.key", __FILE__
+      crt = File.expand_path "../../examples/puma/client-certs/client_unknown.crt", __FILE__
+      http.key = OpenSSL::PKey::RSA.new File.read(key)
+      http.cert = OpenSSL::X509::Certificate.new File.read(crt)
+      http.ca_file = File.expand_path "../../examples/puma/client-certs/unknown_ca.crt", __FILE__
     end
+  end
 
-    def test_verify_fail_if_client_expired_cert
-      return if DISABLE_SSL
-      assert_ssl_client_error_match('certificate has expired', '/DC=net/DC=puma/CN=client-expired') do |http|
-        key = File.expand_path "../../examples/puma/client-certs/client_expired.key", __FILE__
-        crt = File.expand_path "../../examples/puma/client-certs/client_expired.crt", __FILE__
-        http.key = OpenSSL::PKey::RSA.new File.read(key)
-        http.cert = OpenSSL::X509::Certificate.new File.read(crt)
-        http.ca_file = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
-      end
+  def test_verify_fail_if_client_expired_cert
+    return if DISABLE_SSL
+    assert_ssl_client_error_match('certificate has expired', '/DC=net/DC=puma/CN=client-expired') do |http|
+      key = File.expand_path "../../examples/puma/client-certs/client_expired.key", __FILE__
+      crt = File.expand_path "../../examples/puma/client-certs/client_expired.crt", __FILE__
+      http.key = OpenSSL::PKey::RSA.new File.read(key)
+      http.cert = OpenSSL::X509::Certificate.new File.read(crt)
+      http.ca_file = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
     end
+  end
 
-    def test_verify_client_cert
-      return if DISABLE_SSL
-      assert_ssl_client_error_match(nil) do |http|
-        key = File.expand_path "../../examples/puma/client-certs/client.key", __FILE__
-        crt = File.expand_path "../../examples/puma/client-certs/client.crt", __FILE__
-        http.key = OpenSSL::PKey::RSA.new File.read(key)
-        http.cert = OpenSSL::X509::Certificate.new File.read(crt)
-        http.ca_file = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
-        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-      end
+  def test_verify_client_cert
+    return if DISABLE_SSL
+    assert_ssl_client_error_match(nil) do |http|
+      key = File.expand_path "../../examples/puma/client-certs/client.key", __FILE__
+      crt = File.expand_path "../../examples/puma/client-certs/client.crt", __FILE__
+      http.key = OpenSSL::PKey::RSA.new File.read(key)
+      http.cert = OpenSSL::X509::Certificate.new File.read(crt)
+      http.ca_file = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
+      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
     end
   end
 end