JRuby

Silent fallback to smaller key sizes causes trouble

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: JRuby-OpenSSL 0.5.1
  • Fix Version/s: JRuby-OpenSSL 0.6
  • Component/s: OpenSSL
  • Labels:
    None
  • Number of attachments :
    0

Description

org.jruby.ext.openssl.Cipher falls back to smaller keys automatically without any warning or something. This was the cause of a lot of trouble in my app:

As it turned out the unrestricted security pack of Sun's JRE was not installed on my production box. So my app used 128 bit keys instead of the requested 256 bits - me being totally unaware of it.

That's not good of course, but so far the app was working (with weaker encryption though). The real bummer was this: I start some rake tasks every once in a while and those are run with IcedTea (was preinstalled on that Linux box). And guess what: IcedTea doesn't have that security restriction (like Apple's JRE or MRI of course). I ended up with mixed key sizes.

IMO this automatic degradation of the key size shouldn't happen.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Hiroshi Nakamura added a comment -

jruby-openssl/0.6 raises an exception for such case. Can you confirm the fix?
cf. http://jira.codehaus.org/browse/JRUBY-4326

Show
Hiroshi Nakamura added a comment - jruby-openssl/0.6 raises an exception for such case. Can you confirm the fix? cf. http://jira.codehaus.org/browse/JRUBY-4326
Hide
Permalink
Nick Sieger added a comment -

NaHi, you should be able to control issues now. Please feel free to resolve.

Show
Nick Sieger added a comment - NaHi, you should be able to control issues now. Please feel free to resolve.
Hide
Permalink
Hiroshi Nakamura added a comment -

Thanks!

Resolved in master:5bfb152d0d4d9ebd29c0090f82cb246bfe3bae85
Now it should raise exception.

Show
Hiroshi Nakamura added a comment - Thanks! Resolved in master:5bfb152d0d4d9ebd29c0090f82cb246bfe3bae85 Now it should raise exception.
Hide
Permalink
Christian Seiler added a comment -

Thanks for the fix, source changes look good to me. Unfortunately I haven't got the chance to test this in my production environment in the next couple of days.

Show
Christian Seiler added a comment - Thanks for the fix, source changes look good to me. Unfortunately I haven't got the chance to test this in my production environment in the next couple of days.

People

  • Assignee:
    Hiroshi Nakamura
    Reporter:
    Christian Seiler
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: