JRuby (please use github issues at http://bugs.jruby.org)
JRUBY-6140

Net::POP3 (and possibly other things) cannot verify certificate using JRE's trust anchors

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: JRuby 1.7.0.RC2, JRuby 1.7.3
    • Component/s: OpenSSL
    • Labels: None
    • Environment: Ubuntu Linux, sun jdk 1.6.0_26, rvm 1.6.22, jruby 1.5.6 and 1.6.4
    • Number of attachments: 0

      Description

      Using the following ruby script:

      #!/usr/bin/env ruby
      
      require 'openssl'
      require 'net/pop'
      
      begin
      
        mail_server = '' # SOME SERVER HERE, e.g. mail.example.com
        mail_user = 'username'
        mail_password = 'password'
      
        pop = Net::POP3.new(mail_server)
        pop.enable_ssl()
        pop.start(mail_user, mail_password)
      
        exit 0 if pop.mails.empty?
        i = 0
        pop.each_mail do |m|
          puts "found mail: (snip)"
          m.pop
          i = i + 1
        end
        puts "#{i} mails popped"
        exit 0
      end
      

      When run using jruby 1.6.4:

      (1:31:29):cmyers@cmyers-ubuntu:3 master] /home/cmyers/jvms/jdk1.6.0_26/bin/java -Djdk.home= -Djruby.home=/home/cmyers/.rvm/rubies/jruby-1.6.4 -Djruby.script=jruby -Djruby.shell=/bin/sh -Djffi.boot.library.path=/home/cmyers/.rvm/rubies/jruby-1.6.4/lib/native/x86_64-Linux:/home/cmyers/.rvm/rubies/jruby-1.6.4/lib/native/ppc-Linux:/home/cmyers/.rvm/rubies/jruby-1.6.4/lib/native/i386-Linux -Xmx500m -Xss2048k -Djruby.memory.max=500m -Djruby.stack.max=2048k -Dsun.java.command=org.jruby.Main -Djava.class.path= -Djavax.net.ssl.trustStore=$HOME/.keystore -Xbootclasspath/a:/home/cmyers/.rvm/rubies/jruby-1.6.4/lib/jruby.jar org/jruby/Main ./pop-proxy.rb
      JRuby limited openssl loaded. http://jruby.org/openssl
      gem install jruby-openssl for full support.
      SSL? : true
      LoadError: OpenSSL::SSL requires the jruby-openssl gem
          (root) at /home/cmyers/.rvm/rubies/jruby-1.6.4/lib/ruby/site_ruby/shared/jruby/openssl/autoloads/ssl.rb:8
        do_start at /home/cmyers/.rvm/rubies/jruby-1.6.4/lib/ruby/site_ruby/shared/jruby/openssl/autoloads/ssl.rb:537
           start at /home/cmyers/.rvm/rubies/jruby-1.6.4/lib/ruby/1.8/net/pop.rb:528
          (root) at ./pop-proxy.rb:20
      

      When run with cruby 1.9.2:

      (1:35:40):cmyers@cmyers-ubuntu:3 master] /home/cmyers/.rvm/rubies/ruby-1.9.2-p180/bin/ruby ./pop-proxy.rb 
      SSL? : true
      found mail: (snip)
      found mail: (snip)
      2 mails popped
      

      My server has a certificate signed by our internal certificate authority which has been added to my system's certificate store. I also added it to the JDK's keystore using keytool. I also attempted to specify an external keystore by setting -Djavax.net.ssl.trustStore=$HOME/.keystore and adding my certificate authority to that keystore using keytool - again to no avail.
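Added example, not part of the original report or of JRuby's code: the failure described above comes down to which trust anchors the verifier's certificate store holds, so this sketch builds a constructed internal CA and server certificate, verifies the server certificate against an empty store and again after the CA is added, and returns the parameters that pin that store for `Net::POP3#enable_ssl`. The certificate names and the helpers `make_cert`, `demo_trust_anchor` and `pinned_ssl_params` are hypothetical.

```ruby
require 'openssl'

# Build a certificate for the constructed test PKI (all names here are made up).
def make_cert(subject, key, issuer_cert, issuer_key, is_ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  constraint = is_ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Verify the server certificate against an empty store, then again after the
# internal CA has been added as the only trust anchor.
def demo_trust_anchor
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Constructed Internal CA', ca_key, nil, ca_key, true)
  srv_key = OpenSSL::PKey::RSA.new(2048)
  srv = make_cert('/CN=mail.example.com', srv_key, ca, ca_key, false)

  store = OpenSSL::X509::Store.new # empty: no system or JRE anchors loaded
  before = store.verify(srv)
  reason = store.error_string
  store.add_cert(ca)
  after = store.verify(srv)
  [before, reason, after, store]
end

# Hash accepted by Net::POP3#enable_ssl; in MRI's openssl library an explicit
# cert_store keeps SSLContext#set_params from using the default store.
def pinned_ssl_params(store)
  { verify_mode: OpenSSL::SSL::VERIFY_PEER, cert_store: store }
end

before, reason, after, store = demo_trust_anchor
puts "empty store: #{before} (#{reason})"
puts "with internal CA: #{after}"
puts pinned_ssl_params(store)[:verify_mode] == OpenSSL::SSL::VERIFY_PEER
```

Passing the store explicitly makes the result independent of whether the runtime consults the system store or the JRE's, which is the ambiguity discussed in the comments on this issue.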


          Activity

          Hiroshi Nakamura added a comment -

          Trust related change must be committed with test.

          Matt Hauck added a comment -

          Hmm. Never heard back a response here. What was the actual fix for this issue? It appears that jruby is now using the JRE's truststore by default, but I just wanted to verify that...

          Carl Myers added a comment -

          This seems to be fixed in jruby 1.7.3+.

          (9:37:30):cmyers@cmyers-ubuntu:4 master¹] rvm use jruby-1.6.7@global
          Using /home/cmyers/.rvm/gems/jruby-1.6.7 with gemset global
          (9:38:11):cmyers@cmyers-ubuntu:4 master¹] ./download-google.rb
          OpenSSL::SSL::SSLError: certificate verify failed
             connect at org/jruby/ext/openssl/SSLSocket.java:170
             connect at /home/cmyers/.rvm/rubies/jruby-1.6.7/lib/ruby/1.8/net/http.rb:586
            do_start at /home/cmyers/.rvm/rubies/jruby-1.6.7/lib/ruby/1.8/net/http.rb:553
               start at /home/cmyers/.rvm/rubies/jruby-1.6.7/lib/ruby/1.8/net/http.rb:542
              (root) at ./download-google.rb:16
          ./download-google.rb  6.52s user 0.27s system 179% cpu 3.788 total
          (9:38:20):cmyers@cmyers-ubuntu:4 master¹] rvm use jruby-1.7.3@global
          Using /home/cmyers/.rvm/gems/jruby-1.7.3 with gemset global
          (9:38:50):cmyers@cmyers-ubuntu:4 master¹] ./download-google.rb
          nil./download-google.rb  8.91s user 0.28s system 203% cpu 4.511 total
          

          I haven't confirmed whether it is using the jvm truststore or the system one, but either would be a sane choice as long as it is consistent.

          Personally, I don't use Net::HTTP anymore, the httpclient gem mentioned above is more portable (works in mri and jruby), more testable (supports easy mocking), more performant (reuses connections), and thread-safe. I highly recommend it.

          Thanks all!

          Charles Oliver Nutter added a comment -

          Based on user input, we'll call this fixed as of 1.7.3. If it comes up again, open a new issue on Github.

          Matt Hauck added a comment -

          I believe Hiroshi reopened this because it was not committed with test code. I don't think it should be marked resolved either until it is clear how exactly the issue was resolved. There is no clarity in the comment history exactly what the right implementation was going to be – since a fix to this issue would indeed resolve a purposeful implementation change – and there is no reference to any commits that fixed this issue.


            People

            • Assignee: Charles Oliver Nutter
            • Reporter: Carl Myers
            • Votes: 0
            • Watchers: 5
