JRuby

Unexpected "certificate verify failed" which does not match MRI behavior

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Not A Bug
  • Affects Version/s: JRuby-OpenSSL 0.7
  • Fix Version/s: None
  • Component/s: OpenSSL
  • Labels:
    None
  • Environment:
    Linux
  • Number of attachments :
    0

Description

You can reproduce this issue with the following code:

require 'open-uri'
open("https://medioh-studio.s3.amazonaws.com/").read

On MRI (1.8.7) I get this:

OpenURI::HTTPError: 403 Forbidden

Which is the expected error in this case. The SSL certificate is verified and the anticipated response code is returned from Amazon's servers.

On JRuby 1.5.1 I get this:

OpenSSL::SSL::SSLError: certificate verify failed

This error seems to occur regardless of what version of jruby-openssl is installed. Perhaps open-uri is doing some custom stuff here which is breaking?

Issue Links

relates to

Bug - A problem which impairs or prevents the functions of the product. JRUBY-6140 Net::POP3 (and possibly other things) cannot verify certificate using JRE's trust anchors

  • Major - Major loss of function.
  • Reopened - This issue was once resolved, but the resolution was deemed incorrect. From here issues are either marked assigned or resolved.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Hiroshi Nakamura added a comment -

It might be a known limitation of jruby-ossl.

open-uri tries to use OS's default trusted CA certs when you don't set one explicitly.
OS's default trusted CA certs are set when the bundled openssl lib is compiled. It may be /etc/pki/certs, /etc/ssl/certs, etc.

When your openssl is '/usr/bin/openssl', normally it is '/usr/lib/ssl/certs' (bin -> lib, openssl -> ssl).

And unfortunately jruby-ossl does not depend on bundled openssl so jruby-ossl cannot detect the default trusted CA certs.

Would you please try the following? You need to change '/etc/ssl/certs' part for your env.

% SSL_CERT_DIR=/etc/ssl/certs jruby -ropen-uri -e 'p open("https://medioh-studio.s3.amazonaws.com/")'
Show
Hiroshi Nakamura added a comment - It might be a known limitation of jruby-ossl. open-uri tries to use OS's default trusted CA certs when you don't set one explicitly. OS's default trusted CA certs are set when the bundled openssl lib is compiled. It may be /etc/pki/certs, /etc/ssl/certs, etc. When your openssl is '/usr/bin/openssl', normally it is '/usr/lib/ssl/certs' (bin -> lib, openssl -> ssl). And unfortunately jruby-ossl does not depend on bundled openssl so jruby-ossl cannot detect the default trusted CA certs. Would you please try the following? You need to change '/etc/ssl/certs' part for your env. % SSL_CERT_DIR=/etc/ssl/certs jruby -ropen-uri -e 'p open("https://medioh-studio.s3.amazonaws.com/")'
Hide
Permalink
Tony Arcieri added a comment - - edited

That command does indeed give the expected behavior! Any way you could make things work more automagically without the need to specify SSL_CERT_DIR, or should I just add it into the JRuby bootstrap script? I would strongly prefer the former if at all possible as it simplifies deployment.

Maybe check for /etc/ssl/certs if it exists? You know, convention over configuration?

Show
Tony Arcieri added a comment - - edited That command does indeed give the expected behavior! Any way you could make things work more automagically without the need to specify SSL_CERT_DIR, or should I just add it into the JRuby bootstrap script? I would strongly prefer the former if at all possible as it simplifies deployment. Maybe check for /etc/ssl/certs if it exists? You know, convention over configuration?
Hide
Permalink
Hiroshi Nakamura added a comment -

Hi Tony, thanks for confirmation. I set the priority of this ticket to 'Minor' since it has the workaround. (SSL_CERT_DIR)

Scanning '/etc/ssl/certs' and '/etc/pki/certs' if the env is Debian or RedHat variants, should work fine but setting trust anchor CA certs in PKI world is very critical thing. I want to be cautious at this point.

To be honest, I'm opposed to the behavior that open-uri sets trust anchor CA certs by default...

I keep this ticket open. Please leave a comment if you have any idea on this.

Show
Hiroshi Nakamura added a comment - Hi Tony, thanks for confirmation. I set the priority of this ticket to 'Minor' since it has the workaround. (SSL_CERT_DIR) Scanning '/etc/ssl/certs' and '/etc/pki/certs' if the env is Debian or RedHat variants, should work fine but setting trust anchor CA certs in PKI world is very critical thing. I want to be cautious at this point. To be honest, I'm opposed to the behavior that open-uri sets trust anchor CA certs by default... I keep this ticket open. Please leave a comment if you have any idea on this.
Hide
Permalink
Tony Arcieri added a comment -

I think, at the very least, that open-uri should match the behavior of the jruby-openssl gem. It doesn't make any sense to me that SSL would work everywhere else except with open-uri. We are able to use SSL via the jruby-openssl gem without issue, even though the SSL_CERT_DIR environment variable was unset. I don't know how jruby-openssl finds the certs but IMHO open-uri should use the same method.

Show
Tony Arcieri added a comment - I think, at the very least, that open-uri should match the behavior of the jruby-openssl gem. It doesn't make any sense to me that SSL would work everywhere else except with open-uri. We are able to use SSL via the jruby-openssl gem without issue, even though the SSL_CERT_DIR environment variable was unset. I don't know how jruby-openssl finds the certs but IMHO open-uri should use the same method.
Hide
Permalink
Tony Arcieri added a comment -

I just wanted to note a solution I ended up using for this which appears to be working like a charm.

This was occurring within a Rails application, and in production our certs are always found under /etc/ssl/certs

In config/environments/production.rb, I added:

ENV['SSL_CERT_DIR'] = '/etc/ssl/certs'

Which resolves my problem and doesn't require any additional configuration when the app is deployed.

This solution is good enough for me for now, although I would suggest that OpenURI uses the same approach as jruby-openssl when locating the SSL certificates, whatever that may be.

Show
Tony Arcieri added a comment - I just wanted to note a solution I ended up using for this which appears to be working like a charm. This was occurring within a Rails application, and in production our certs are always found under /etc/ssl/certs In config/environments/production.rb, I added: ENV ['SSL_CERT_DIR'] = '/etc/ssl/certs' Which resolves my problem and doesn't require any additional configuration when the app is deployed. This solution is good enough for me for now, although I would suggest that OpenURI uses the same approach as jruby-openssl when locating the SSL certificates, whatever that may be.
Hide
Permalink
Mike Perham added a comment -

We have a similar issue contacting https://admin.buysub.com.

> irb
jruby-1.5.6 :001 > require 'open-uri'
jruby-1.5.6 :002 > open('https://admin.buysub.com') 
OpenSSL::SSL::SSLError: certificate verify failed
Show
Mike Perham added a comment - We have a similar issue contacting https://admin.buysub.com . > irb jruby-1.5.6 :001 > require 'open-uri' jruby-1.5.6 :002 > open('https://admin.buysub.com') OpenSSL::SSL::SSLError: certificate verify failed
Hide
Permalink
Alex Khesin added a comment -

The workaround of setting SSL_CERT_DIR does not work on a 10.6+ Mac OS
X without installing additional packages to get certificates
(http://www.kurokoproject.com/2011/06/openly-certifying-your-rubies/), and then it is not SSL_CERT_DIR but SSL_CERT_FILE that needs to get set (to /opt/local/etc/openssl/cert.pem). Even on Linux, discovering how to do the right thing is apparently hard enough that the net is full of advice on how to turn off certificate validation to work around the "unavoidable" certificate verification error (http://snippets.aktagon.com/snippets/370-Hack-for-using-OpenURI-with-SSL, http://stufftohelpyouout.blogspot.com/2012/01/workaround-for-certificate-verify.html, the entire www.ruby-forum.com/topic/601688 thread is particularly sad, with Hiroshi attempting to help and the last entry on the thread claiming that turning off verification is the right fix for both CRuby and JRuby).

Hiroshi, in www.ruby-forum.com/topic/601688 you said that "importing JDK's cacerts looks good
for Java integration, but this might cause 'CRuby and JRuby behaves a slightly different' issue". CRuby and JRuby are already different in this regard - given a properly configured openssl, CRuby can find certificate store (even on 10.6+ Mac - Apple patched openssl that it ships to teach it how to read certificates out of keychain, see http://comments.gmane.org/gmane.comp.web.webdav.neon.general/803), but out-of-the-box JRuby is just broken.

It seems reasonable to me to use JDK's cacerts for JRuby - yes it would be different from CRuby (in a different way than it currently is), but at least it would work out of the box.

Show
Alex Khesin added a comment - The workaround of setting SSL_CERT_DIR does not work on a 10.6+ Mac OS X without installing additional packages to get certificates ( http://www.kurokoproject.com/2011/06/openly-certifying-your-rubies/ ), and then it is not SSL_CERT_DIR but SSL_CERT_FILE that needs to get set (to /opt/local/etc/openssl/cert.pem). Even on Linux, discovering how to do the right thing is apparently hard enough that the net is full of advice on how to turn off certificate validation to work around the "unavoidable" certificate verification error ( http://snippets.aktagon.com/snippets/370-Hack-for-using-OpenURI-with-SSL , http://stufftohelpyouout.blogspot.com/2012/01/workaround-for-certificate-verify.html , the entire www.ruby-forum.com/topic/601688 thread is particularly sad, with Hiroshi attempting to help and the last entry on the thread claiming that turning off verification is the right fix for both CRuby and JRuby). Hiroshi, in www.ruby-forum.com/topic/601688 you said that "importing JDK's cacerts looks good for Java integration, but this might cause 'CRuby and JRuby behaves a slightly different' issue". CRuby and JRuby are already different in this regard - given a properly configured openssl, CRuby can find certificate store (even on 10.6+ Mac - Apple patched openssl that it ships to teach it how to read certificates out of keychain, see http://comments.gmane.org/gmane.comp.web.webdav.neon.general/803 ), but out-of-the-box JRuby is just broken. It seems reasonable to me to use JDK's cacerts for JRuby - yes it would be different from CRuby (in a different way than it currently is), but at least it would work out of the box.
Hide
Permalink
Hiroshi Nakamura added a comment -

Please discuss JRE's trust anchor handling at JRUBY-6140

Show
Hiroshi Nakamura added a comment - Please discuss JRE's trust anchor handling at JRUBY-6140
Hide
Permalink
Hiroshi Nakamura added a comment -

I'm closing this ticket because we have a workaround (SSL_CERT_DIR and SSL_CERT_FILE). We should consider to incorporate JRE's trust anchor as Alex said so let's discuss it at JRUBY-6140.

Show
Hiroshi Nakamura added a comment - I'm closing this ticket because we have a workaround (SSL_CERT_DIR and SSL_CERT_FILE). We should consider to incorporate JRE's trust anchor as Alex said so let's discuss it at JRUBY-6140 .

People

  • Assignee:
    Hiroshi Nakamura
    Reporter:
    Tony Arcieri
Vote (1)
Watch (2)

Dates

  • Created:
    Updated:
    Resolved: