jruby-ossl icon indicating copy to clipboard operation
jruby-ossl copied to clipboard

Published 20 hours ago verified publisher icon jruby

OpenSSL::SSL::SSLError: Received fatal alert: bad_record_mac

Open charl opened this issue 14 years ago • 4 comments

When trying to retrieve a page from a SSL resource, the exception above is thrown, even though OpenSSL::SSL::VERIFY_NONE is set.

Environment: OS X 10.6.6

$ jruby -v
jruby 1.5.5 (ruby 1.8.7 patchlevel 249) (2010-11-10 4bd4200) (Java HotSpot(TM) 64-Bit Server VM 1.6.0_22) [x86_64-java]

$ jirb -v
irb 0.9.5(05/04/13)

 $ jruby -S gem list jruby-openssl

*** LOCAL GEMS ***

jruby-openssl (0.7.2)

$ jirb
~> Console extensions: wirble hirb ap rails2 rails3
jruby-1.5.5 :001 > require 'openssl'
 => true 
jruby-1.5.5 :002 > require 'net/https'
 => true 
jruby-1.5.5 :003 > 
jruby-1.5.5 :004 >   http = Net::HTTP.new 'msp.ibm.com', 443
 => #<:http msp.ibm.com:443 open="false"> 
jruby-1.5.5 :005 > http.use_ssl = true
 => true 
jruby-1.5.5 :006 > http.verify_mode = OpenSSL::SSL::VERIFY_NONE
 => 0 
jruby-1.5.5 :007 > req = Net::HTTP::Get.new '/'
 => #<:http::get get> 
jruby-1.5.5 :008 > http.request(req).body
OpenSSL::SSL::SSLError: Received fatal alert: bad_record_mac
    from /Users/charl/.rvm/rubies/jruby-1.5.5/lib/ruby/1.8/net/http.rb:586:in `connect'
    from /Users/charl/.rvm/rubies/jruby-1.5.5/lib/ruby/1.8/net/http.rb:553:in `do_start'
    from /Users/charl/.rvm/rubies/jruby-1.5.5/lib/ruby/1.8/net/http.rb:542:in `start'
    from /Users/charl/.rvm/rubies/jruby-1.5.5/lib/ruby/1.8/net/http.rb:1035:in `request'
    from (irb):8

charl avatar Jan 20 '11 22:01 charl

I have just tried it with jruby-openssl-0.7.3 and the results are the same.

charl avatar Jan 20 '11 22:01 charl

I see the issue I am experiencing is related to the fact that the web server on the end of the request only support SSLv3 connections.

The workaround is to run your script with:

ruby -J-Dhttps.protocols=SSLv3 SCRIPT_NAME

charl avatar Jan 21 '11 00:01 charl

Hmm. Interesting. Java's JSSE cannnot connect to https://msp.ibm.com...

net/https does not have ssl version parameter ATM. The following might work. (ugly monkey patching only works for 1.8)

http.instance_eval("@ssl_context").ssl_version = "SSLv3"

With httpclient gem, this script works for me.

c = HTTPClient.new
c.ssl_config.options = OpenSSL::SSL::OP_NO_TLSv1
c.get("https://msp.ibm.com")

It seems that it's from Java's JSSE restriction, your solution is the best I think...

nahi avatar Jan 21 '11 01:01 nahi

Additional information:

  • JDK7 beta fails to connect the server as same as JDK6
  • J9 IBMJSSE successfully connects the server.

It seems to be related to TLS extension...

nahi avatar Jan 21 '11 05:01 nahi