SSL issue with Ruby 2.0.0 on OS X 10.9 using rvm 1.23.10

[tisba]

I'm trying to debug issues with the SSL certs of my domain, https://stormforger.com (I'm sure there are other domains/certs having this issue too). Before I updated to OS X 10.9 yesterday, Ruby 2.0.0 (using RVM) did just fine. I confirmed the issue under OS X 10.8.5 and OS X 10.9.

Steps to reproduce (no output = no issue):

ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

…results for ruby-2.0.0-p247 in:

/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

I already ran rvm osx-ssl-certs update all according to http://rvm.io/support/fixing-broken-ssl-certificates, without any effect.

$ rvm osx-ssl-certs update all
  5.93s user 0.39s system 177% cpu 3.566 total
  5.97s user 0.44s system 175% cpu 3.643 total
Updating certificates for /usr/lib/ssl/cert.pem: Already are up to date.
Updating certificates for /usr/local/etc/openssl/cert.pem: Already are up to date.
  6.27s user 0.66s system 166% cpu 4.169 total

Reinstalling 2.0.0-p247 didn't helped either.

I took a look at my different rubies and their usage of OpenSSL:

RVM ruby-1.9.3-p448

OK

$ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs otool -L
/Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib (compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

RVM ruby-2.0.0-p247

BROKEN: /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in 'connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

$ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs otool -L
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib (compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

System Ruby (2.0.0p247)

OK

$ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
/usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib (compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

[mpapis]

try with this two rubies:

rvm reinstall 2.0.0 --disable-binary
rvm install 2.0.0-head

[tisba]

@mpapis both fail, with the same error (beside the ruby path):

/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

[mpapis]

@tisba last test with:

rvm install ruby-head

in any way open bug for ruby with the details => https://bugs.ruby-lang.org/

[tisba]

ruby-head (https://github.com/ruby/ruby/tree/9493eb7) gives me the same error :-/ I'll compile everything I know on this issue and open a bug over at ruby-lang.

[tisba]

@mpapis do you have any suggestion for a (maybe even ugly) workaround?

[mpapis]

unfortunately nothing comes to my mind, I have suspected static compilation but --disable-binary ruled out this possibility.

[tisba]

Just FYI: It seems that it is not OS X 10.9 specific, @railsbros-dirk just confirmed the same issue under OS X 10.8.5 with Ruby 2.0.0-p247.

[tisba]

Ruby issue created: https://bugs.ruby-lang.org/issues/9053 /cc @mpapis

[mpapis]

I will monitor it for progress

[mpapis]

from the ruby ticket:

Your certificate chain is incomplete. Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with your server certificate.

looks like it might be problem with the server

[tisba]

@mpapis I'll have a look and see if I can fix this server-side. Although I'm still a bit confused why this problem only occurs on 2.0.

[mpapis]

I was able to reproduce it on rubies 1.9.3, 2.0.0, jruby, rbx.

I was not able to reproduce it on 1.8.7 and ree (old ones).

[tisba]

@mpapis did you do something special to get to break on 1.9.3?

[mpapis]

it's all standard linux with openssl

[tisba]

very odd. adding the missing intermediate certificate fixed the issue for me. thanks for your help!

[mpapis]

@tisba can you please comment on this https://bugs.ruby-lang.org/issues/9053#note-10

[tisba]

@mpapis I just did, somehow the notification mails from ruby-lang didn't reached me :-/

[mpapis]

do not worry, I do not get them either