Jruby-openssl 0.6 - Recommended Upgrade

I’ve just released jruby-openssl 0.6. jruby-openssl is an add-on gem
that implements Ruby’s OpenSSL extension for JRuby.

PLEASE NOTE: this is a recommended upgrade. A security vulnerability
was discovered in jruby-openssl versions 0.5.2 and earlier. This
vulnerability only applies if you’re using JRuby and the jruby-openssl
library.

The security problem involves peer certificate verification where
failed verification silently did nothing, making affected applications
vulnerable to attackers. Attackers could lead a client application to
believe that a secure connection to a rogue SSL server is legitimate.
Attackers could also penetrate client-validated SSL server
applications with a dummy certificate. Your application might be
vulnerable if you’re using any of these versions of jruby-openssl
along with the OpenSSL::SSL::VERIFY_PEER mode on the SSL socket.
Please see the full disclosure below [1] to determine if your
application is affected. If you have any questions, please send email
to [email protected], a private email address.

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CVE-2009-4123 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

Thanks to NaHi (NAKAMURA Hiroshi) for finding the problem and
providing the fix.

/Nick

Changelog:

  • Many fixes from NaHi, including issues related to certificate
    verification and certificate store purpose verification.
    • implement OpenSSL::X509::Store#set_default_paths
    • MRI compat. fix: OpenSSL::X509::Store#add_file
    • Fix nsCertType handling.
    • Fix Cipher#key_len for DES-EDE3: 16 should be 24.
    • Modified test expectations around Cipher#final.
  • Public keys are lazily instantiated when the
    X509::Certificate#public_key method is called (Dave Garcia)