JRuby

Webrick HTTPS produces some SSL stack trace.

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: JRuby-OpenSSL 0.5
  • Fix Version/s: JRuby-OpenSSL 0.5.1
  • Component/s: OpenSSL
  • Labels:
    None
  • Environment:
    jruby 1.3.0RC2 (ruby 1.8.6p287) (2009-05-21 3aadd8a) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_07) [x86_64-java]
  • Testcase included:
    yes
  • Number of attachments :
    2

Description

Description:
-----------------

With the latest jruby, jruby-openssl + the patches I contributed in JRUBY-3689, JRUBY-3690, JRUBY-3691, JRUBY-3692, JRUBY-3692 + the patch in this bug report to add some needed missing methods, webrick produces some java stack trace.

Analysis:
------------

javax.net.ssl.SSLSession.getPeerCertificates() throws SSLPeerUnverifiedException if the client is not authenticated.
That's a real issue, because that means there is no way to get access to the peer certificate unless it is already valid for the current server CA.
This is not the same behavior in MRI, and this behavior is important to be able to run Puppet with webrick as Puppet manages its own PKI.

Note that the error is produced by webrick when trying to get access to the peer certificate to populate the request that will be handed to the webrick servlet.

I don't see any immediate fix for this issue.

Note that it doesn't seem to prevent webrick from running, it's only if your servlet needs to get access to the certificate or if you run webrick in OpenSSL::VERIFY_PEER mode, I guess.

Steps to reproduce:
--------------------------

1) Start the included mini webrick HTTPS server:

jruby test_webrick.rb

2) In another terminal/host, launch the stub client and type the HTTP request, followed by 2 returns.

% openssl s_client -host localhost -port 2000
...
GET / HTTP/1.0

3) Look at the webrick console in the first terminal, and see the following issue:
...
May 24, 2009 6:00:36 PM org.jruby.ext.openssl.SSLSocket peer_cert
SEVERE: null
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at org.jruby.ext.openssl.SSLSocket.peer_cert(SSLSocket.java:517)
at org.jruby.ext.openssl.SSLSocket$i_method_0_0$RUBYINVOKER$peer_cert.call(org/jruby/ext/openssl/SSLSocket$i_method_0_0$RUBYINVOKER$peer_cert.gen)
at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:258)
at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:77)
at org.jruby.ast.CallNoArgNode.interpret(CallNoArgNode.java:61)
at org.jruby.ast.InstAsgnNode.interpret(InstAsgnNode.java:95)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.ast.BlockNode.interpret(BlockNode.java:71)
at org.jruby.ast.IfNode.interpret(IfNode.java:112)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.ast.BlockNode.interpret(BlockNode.java:71)
at org.jruby.internal.runtime.methods.InterpretedMethod.call(InterpretedMethod.java:173)
at org.jruby.internal.runtime.methods.DefaultMethod.call(DefaultMethod.java:151)
at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:278)
at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:117)
at org.jruby.ast.CallOneArgNode.interpret(CallOneArgNode.java:57)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.ast.BlockNode.interpret(BlockNode.java:71)
at org.jruby.ast.RescueNode.executeBody(RescueNode.java:225)
at org.jruby.ast.RescueNode.interpretWithJavaExceptions(RescueNode.java:147)
at org.jruby.ast.RescueNode.interpret(RescueNode.java:110)
at org.jruby.ast.EnsureNode.interpret(EnsureNode.java:96)
at org.jruby.ast.BeginNode.interpret(BeginNode.java:83)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.ast.BlockNode.interpret(BlockNode.java:71)
at org.jruby.ast.WhileNode.interpret(WhileNode.java:131)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.internal.runtime.methods.InterpretedMethod.call(InterpretedMethod.java:173)
at org.jruby.internal.runtime.methods.DefaultMethod.call(DefaultMethod.java:151)
at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:278)
at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:117)
at org.jruby.ast.FCallOneArgNode.interpret(FCallOneArgNode.java:36)
at org.jruby.ast.IfNode.interpret(IfNode.java:114)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.ast.BlockNode.interpret(BlockNode.java:71)
at org.jruby.ast.RescueNode.executeBody(RescueNode.java:225)
at org.jruby.ast.RescueNode.interpretWithJavaExceptions(RescueNode.java:147)
at org.jruby.ast.RescueNode.interpret(RescueNode.java:110)
at org.jruby.ast.EnsureNode.interpret(EnsureNode.java:96)
at org.jruby.ast.BeginNode.interpret(BeginNode.java:83)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.runtime.InterpretedBlock.evalBlockBody(InterpretedBlock.java:218)
at org.jruby.runtime.InterpretedBlock.yield(InterpretedBlock.java:206)
at org.jruby.runtime.BlockBody.call(BlockBody.java:72)
at org.jruby.runtime.BlockBody.call(BlockBody.java:78)
at org.jruby.runtime.Block.call(Block.java:89)
at org.jruby.RubyProc.call(RubyProc.java:220)
at org.jruby.RubyProc.call(RubyProc.java:203)
at org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:92)
at java.lang.Thread.run(Thread.java:637)
May 24, 2009 6:00:36 PM org.jruby.ext.openssl.SSLSocket peer_cert_chain
SEVERE: null
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:401)
at org.jruby.ext.openssl.SSLSocket.peer_cert_chain(SSLSocket.java:532)
at org.jruby.ext.openssl.SSLSocket$i_method_0_0$RUBYINVOKER$peer_cert_chain.call(org/jruby/ext/openssl/SSLSocket$i_method_0_0$RUBYINVOKER$peer_cert_chain.gen)
at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:258)
at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:77)
at org.jruby.ast.CallNoArgNode.interpret(CallNoArgNode.java:61)
at org.jruby.ast.InstAsgnNode.interpret(InstAsgnNode.java:95)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.ast.BlockNode.interpret(BlockNode.java:71)
at org.jruby.ast.IfNode.interpret(IfNode.java:112)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.ast.BlockNode.interpret(BlockNode.java:71)
at org.jruby.internal.runtime.methods.InterpretedMethod.call(InterpretedMethod.java:173)
at org.jruby.internal.runtime.methods.DefaultMethod.call(DefaultMethod.java:151)
at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:278)
at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:117)
at org.jruby.ast.CallOneArgNode.interpret(CallOneArgNode.java:57)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.ast.BlockNode.interpret(BlockNode.java:71)
at org.jruby.ast.RescueNode.executeBody(RescueNode.java:225)
at org.jruby.ast.RescueNode.interpretWithJavaExceptions(RescueNode.java:147)
at org.jruby.ast.RescueNode.interpret(RescueNode.java:110)
at org.jruby.ast.EnsureNode.interpret(EnsureNode.java:96)
at org.jruby.ast.BeginNode.interpret(BeginNode.java:83)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.ast.BlockNode.interpret(BlockNode.java:71)
at org.jruby.ast.WhileNode.interpret(WhileNode.java:131)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.internal.runtime.methods.InterpretedMethod.call(InterpretedMethod.java:173)
at org.jruby.internal.runtime.methods.DefaultMethod.call(DefaultMethod.java:151)
at org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:278)
at org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:117)
at org.jruby.ast.FCallOneArgNode.interpret(FCallOneArgNode.java:36)
at org.jruby.ast.IfNode.interpret(IfNode.java:114)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.ast.BlockNode.interpret(BlockNode.java:71)
at org.jruby.ast.RescueNode.executeBody(RescueNode.java:225)
at org.jruby.ast.RescueNode.interpretWithJavaExceptions(RescueNode.java:147)
at org.jruby.ast.RescueNode.interpret(RescueNode.java:110)
at org.jruby.ast.EnsureNode.interpret(EnsureNode.java:96)
at org.jruby.ast.BeginNode.interpret(BeginNode.java:83)
at org.jruby.ast.NewlineNode.interpret(NewlineNode.java:104)
at org.jruby.runtime.InterpretedBlock.evalBlockBody(InterpretedBlock.java:218)
at org.jruby.runtime.InterpretedBlock.yield(InterpretedBlock.java:206)
at org.jruby.runtime.BlockBody.call(BlockBody.java:72)
at org.jruby.runtime.BlockBody.call(BlockBody.java:78)
at org.jruby.runtime.Block.call(Block.java:89)
at org.jruby.RubyProc.call(RubyProc.java:220)
at org.jruby.RubyProc.call(RubyProc.java:203)
at org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:92)
at java.lang.Thread.run(Thread.java:637)

Activity

Brice Figureau added a comment -

I stand corrected, this doesn't seem to be as critical as I thought, as I could modify my testcase to run in VERIFY_PEER mode without any issues and have a client connect with a certificate.

Still the stack trace is not normal when the client is not authenticated (it should be at worst ignored).
The attached patches are still necessary for webrick to run fine, though.

Charles Oliver Nutter added a comment -

I believe I pulled this in via the fork queue, yes? Marking resolved in 0.5.1. If there's additional work needed that wasn't solved by this patch, open another bug.

Courtney Evans added a comment -

I'm still seeing this issue in 0.5.2. I'm running JRuby 1.4 with Ruby 1.8.7 and Rails 2.2.2 with Webrick. I have a server cert but have set the client cert to not be required in the server file -> SSLVerifyClient => OpenSSL::SSL::VERIFY_NONE
Everything seems to run fine; however, the error messaging is quite verbose and I'd rather not have to turn it down for this single issue. Please advise.
