jruby-openssl
OpenSSL::X509::Store doesn't support an intermediate CA like in MRI.
I am currently implementing client-side verification and I have encountered a bug when working with a certificate signed by an intermediate CA. I am not able to make it work under JRuby, but it works with MRI.
System information:
OS: MacOS X Yosemite
JRuby: 1.7.24
Ruby: 2.3.0
My certificate chain is set up like this:
Root CA -> Intermediate CA -> server certificate/key
I have created a small script to reproduce the problem in this gist, including the generated certificates: https://gist.github.com/ph/fe7aa913f389699611ed
For this test both the client and the server are using the same certificate/key and use the same CA.
If you try to connect to the server with openssl using this command:
openssl s_client -connect localhost:6666 -showcerts -CAfile ./ca -key certificate.key -cert certificate.crt
On MRI you will see "new connection", but under JRuby you will get "certificate verify failed". If you inspect the verification context#error_string, it will return "unable to get local issuer certificate".
I also tried to split the CA file into 2 certificates and add them to the store. It worked on MRI but not on JRuby, so I think the chain isn't correctly verified.
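The chain layout from the report, as an added example that is not part of the original issue, the gist, or jruby-openssl: a constructed throwaway Root CA -> Intermediate CA -> leaf is checked with OpenSSL::X509::Store to show when the intermediate is found and when verification ends in "unable to get local issuer certificate". The helper names (issue, verify, build_chain) and all certificates are assumptions made for the example; the results noted in the comments are those of MRI's OpenSSL binding.

```ruby
require "openssl"

# Issue one certificate of a constructed, throwaway PKI (not the gist's files).
def issue(subject, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  usage = ca ? "keyCertSign,cRLSign" : "digitalSignature"
  cert.add_extension(ef.create_extension("keyUsage", usage, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `leaf` against trust anchors in a Store; `untrusted` plays the role of
# certificates the peer sends in the handshake. Returns [ok, error_string].
def verify(leaf, trusted, untrusted = [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, untrusted)
  [ctx.verify, ctx.error_string]
end

def build_chain
  root_key, int_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root  = issue("/CN=Constructed Root CA", root_key, nil, nil, ca: true, serial: 1)
  inter = issue("/CN=Constructed Intermediate CA", int_key, root, root_key, ca: true, serial: 2)
  leaf  = issue("/CN=localhost", leaf_key, inter, int_key, ca: false, serial: 3)
  [root, inter, leaf]
end

ROOT, INTER, LEAF = build_chain

# Both CAs added to the store (the "split the CA file" case): chain builds.
p verify(LEAF, [ROOT, INTER])
# Only the root is known and nobody supplies the intermediate: fails with
# the error string quoted in the report.
p verify(LEAF, [ROOT])
# Root trusted, intermediate supplied as an untrusted chain cert: chain builds.
p verify(LEAF, [ROOT], [INTER])
```

Running the same three calls under both runtimes isolates whether a failure comes from chain building in the store or from how the CA file was loaded.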
+1
+1
+1
+1
Unfortunately, this is a major blocker to being able to do any sort of public key cryptography on JRuby.