jruby-openssl OpenSSL::SSL::SSLErrorWaitReadable with TLS 1.3

Starting in April we started seeing lots of "read would block" and OpenSSL::SSL::SSLErrorWaitReadable errors in our Sentry instance. The errors occur only with TLS 1.3 and not with TLS 1.2. This issue is hard to debug for us and we could not write a script to reproduce this error. The issue occurs for multiple different endpoints from different systems of different companies that we send HTTPS requests to, so it is definitely on our side.

We are using JRuby 9.3.14.0 and Java 11.0.22+0. The error seems to occur on JRuby 9.3.13.0, too.

May 21 '24 11:05 jpsikorra

what kind of libraries are using the SSL stack or is it application code directly? any more details such as a trace?

May 26 '24 14:05 kares

We are using HTTParty. There is no trace on the exception.

May 27 '24 08:05 jpsikorra

If you can please update to jruby-openssl 0.14.6 and try setting: JRUBY_OPTS="-J-Djruby.openssl.ssl.error_wait_nonblock.backtrace=true" ... so that the WaitReadable errors end up having backtraces. (it's just a Java system property so if you do not use standalone JRuby, set it appropriately)

May 27 '24 09:05 kares

How should we update to jruby-openssl 0.14.6? Wait for a new jruby 9.3 release?

May 28 '24 13:05 jpsikorra

are you using Bundler? if so just declare the gem with a version requirement

May 30 '24 04:05 kares

The error still occurs with 0.15.0, the stacktrace is not really helpful, it looks like this

OpenSSL::SSL::SSLErrorWaitReadable: read would block
  from net/http.rb:1546:in `transport_request'
  from net/http.rb:1490:in `request'
  ...

Aug 03 '24 12:08 jpsikorra

JRUBY_OPTS="-J-Djruby.openssl.ssl.error_wait_nonblock.backtrace=true"

Aug 13 '24 08:08 kares

The above backtrace had the flag -J-Djruby.openssl.ssl.error_wait_nonblock.backtrace=true enabled.

Aug 20 '24 08:08 jpsikorra