Certificate chain support via extra_chain_cert in SSL context
We implemented client certificate chain support in the MongoDB Ruby driver by using the following code: https://github.com/mongodb/mongo-ruby-driver/pull/1366/files#diff-ed625ecdabf4aeff5d1a5fc04b958a3a
Briefly speaking, this specifies the leaf certificate as SSLContext#cert and adds all intermediate certificates as SSLContext#extra_chain_cert. This is meant to ship both to the server which will be able to follow the cert chain from leaf through intermediates to the CA. The server only knows the CA cert.
The related tests pass on MRI but not on JRuby. It seems to me that jruby-openssl is not actually sending the intermediate certs to the server, based on the error messages the server is producing. As debugging openssl (https://github.com/openssl/openssl) is extremely time consuming, I thought I would ask here first whether extra_chain_cert is sent to the server over the wire. Looking at the jruby-openssl code I see this field being seemingly used for certificate verification, but perhaps it is not sent over the wire to the remote end.
Thanks for your time.
Would be nice if someone could at least respond. I have to find a way to make mTLS work in JRuby or punt pretty soon.
Think I made some progress here. It seems that if you set #cert and #extra_chain_cert, then JRuby OpenSSL sends the chain certs but not the client cert. As a workaround you can add the client cert to the chain. In other words:
```ruby
require 'net/http'
require 'openssl'

http = Net::HTTP.new('localhost', 4433)
http.use_ssl = true
http.key = OpenSSL::PKey::RSA.new(File.read('test-client.key'))
# Leaf (client) certificate.
http.cert = OpenSSL::X509::Certificate.new(File.read('test-client.crt'))
# Chain presented alongside the leaf.
http.extra_chain_cert = [
  http.cert, # !!! JRuby fails without this line.
  OpenSSL::X509::Certificate.new(File.read('test-intermediate.crt'))
]
response = http.request(Net::HTTP::Get.new('/'))
```
I do not know the standards implications of doing that, but it appears to work equally in JRuby and Ruby for the server I'm testing against.
The JRuby I'm using:
jruby 9.2.17.0 (2.5.8) 2021-03-29 84d363da97 OpenJDK 64-Bit Server VM 11.0.11-internal+9-adhoc.root.openjdk on 11.0.11-internal+9-adhoc.root.openjdk +jit [linux-x86_64]
Ruby:
ruby 2.5.9p229 (2021-04-05 revision 67939) [x86_64-linux]
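An added example, not code from this thread or from jruby-openssl: it generates a throwaway root CA, intermediate and leaf in memory, configures a client SSLContext the way the original post describes (leaf in #cert, intermediates in #extra_chain_cert), and then checks from the server's point of view (trust store holding only the root) whether the presented chain verifies with the intermediate, without it, and with the leaf duplicated in the chain as in the workaround above. All names and certificates are constructed for the example.

```ruby
require 'openssl'

# Constructed, throwaway PKI generated in memory (not a real CA): root -> intermediate -> leaf.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new) # returns the signed certificate
end

CA_KEY, INT_KEY, LEAF_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
CA_CERT   = make_cert('/CN=Test Root CA', CA_KEY, ca: true, serial: 1)
INT_CERT  = make_cert('/CN=Test Intermediate', INT_KEY, issuer_cert: CA_CERT, issuer_key: CA_KEY, ca: true, serial: 2)
LEAF_CERT = make_cert('/CN=test-client', LEAF_KEY, issuer_cert: INT_CERT, issuer_key: INT_KEY, ca: false, serial: 3)

# Client side, as configured in the original post: leaf in #cert, intermediates in #extra_chain_cert.
def client_context(leaf, leaf_key, intermediates)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = leaf
  ctx.key = leaf_key
  ctx.extra_chain_cert = intermediates
  ctx
end

# Server side: the trust store holds only the root CA, so the presented leaf must chain
# through the intermediates the client actually sent. Returns true if the chain verifies.
def server_accepts?(leaf, presented_chain, trusted_root)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  store.verify(leaf, presented_chain)
end

if __FILE__ == $PROGRAM_NAME
  ctx = client_context(LEAF_CERT, LEAF_KEY, [INT_CERT])
  puts "leaf + intermediate:         #{server_accepts?(ctx.cert, ctx.extra_chain_cert, CA_CERT)}"
  puts "leaf only (no intermediate): #{server_accepts?(ctx.cert, [], CA_CERT)}"
  puts "leaf duplicated in chain:    #{server_accepts?(ctx.cert, [ctx.cert] + ctx.extra_chain_cert, CA_CERT)}"
end
```

The "leaf only" case is what a server sees when the intermediates never reach it over the wire, which is the failure the thread describes; the duplicated-leaf case shows that OpenSSL's verifier tolerates the workaround.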