Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

SSL issue with Ruby 2.0.0 on OS X 10.9 using rvm 1.23.10 #2315

Closed
tisba opened this Issue · 18 comments

2 participants

@tisba

I'm trying to debug issues with the SSL certs of my domain, https://stormforger.com (I'm sure there are other domains/certs having this issue too). Before I updated to OS X 10.9 yesterday, Ruby 2.0.0 (using RVM) did just fine. I confirmed the issue under OS X 10.8.5 and OS X 10.9.

Steps to reproduce (no output = no issue):

ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

…results for ruby-2.0.0-p247 in:

/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

I already ran rvm osx-ssl-certs update all according to http://rvm.io/support/fixing-broken-ssl-certificates, without any effect.

$ rvm osx-ssl-certs update all
  5.93s user 0.39s system 177% cpu 3.566 total
  5.97s user 0.44s system 175% cpu 3.643 total
Updating certificates for /usr/lib/ssl/cert.pem: Already are up to date.
Updating certificates for /usr/local/etc/openssl/cert.pem: Already are up to date.
  6.27s user 0.66s system 166% cpu 4.169 total

Reinstalling 2.0.0-p247 didn't helped either.

I took a look at my different rubies and their usage of OpenSSL:

RVM ruby-1.9.3-p448

OK

$ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs otool -L
/Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib (compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

RVM ruby-2.0.0-p247

BROKEN: /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in 'connect':
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

$ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs otool -L
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib (compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

System Ruby (2.0.0p247)

OK

$ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
/usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib (compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
@mpapis
Owner

try with this two rubies:

rvm reinstall 2.0.0 --disable-binary
rvm install 2.0.0-head
@tisba

@mpapis both fail, with the same error (beside the ruby path):

/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
@mpapis
Owner

@tisba last test with:

rvm install ruby-head

in any way open bug for ruby with the details => https://bugs.ruby-lang.org/

@tisba

ruby-head (https://github.com/ruby/ruby/tree/9493eb7) gives me the same error :-/ I'll compile everything I know on this issue and open a bug over at ruby-lang.

@tisba

@mpapis do you have any suggestion for a (maybe even ugly) workaround?

@mpapis
Owner

unfortunately nothing comes to my mind, I have suspected static compilation but --disable-binary ruled out this possibility.

@tisba

Just FYI: It seems that it is not OS X 10.9 specific, @railsbros-dirk just confirmed the same issue under OS X 10.8.5 with Ruby 2.0.0-p247.

@mpapis
Owner

I will monitor it for progress

@mpapis
Owner

from the ruby ticket:

Your certificate chain is incomplete. Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with your server certificate.

looks like it might be problem with the server

@tisba

@mpapis I'll have a look and see if I can fix this server-side. Although I'm still a bit confused why this problem only occurs on 2.0.

@mpapis
Owner

I was able to reproduce it on rubies 1.9.3, 2.0.0, jruby, rbx.

I was not able to reproduce it on 1.8.7 and ree (old ones).

@tisba

@mpapis did you do something special to get to break on 1.9.3?

@mpapis
Owner

it's all standard linux with openssl

@tisba

very odd. adding the missing intermediate certificate fixed the issue for me. thanks for your help!

@tisba tisba closed this
@mpapis
Owner
@tisba

@mpapis I just did, somehow the notification mails from ruby-lang didn't reached me :-/

@mpapis
Owner

do not worry, I do not get them either

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.