Use only SSLv3, getting SSL bad_record_mac

davidtl · April 15, 2010, 4:32pm

We’re trying to make web service calls against a web service that seems
to have upgraded their SSL certificate to use SSLv3. We are now
experiencing web service call failures.

We’re using the rest-client with jruby-openssl and getting
bad_record_mac talking to the web service.

The code to create a new resource is as follows:

    @apiobject = RestClient::Resource.new("#{@api_call}",
        :user => @username,
        :password => @password)

This works in Ruby, but not JRuby.

We’ve tried the following:

    @apiobject = RestClient::Resource.new("#{@api_call}",
        :user => @username,
        :password => @password,
        :verify_ssl => OpenSSL::SSL::VERIFY_NONE)

But got the bad_record_mac error.

Exception: Received fatal alert: bad_record_mac
C:/Program Files (x86)/Tap In Systems/Control Plan
Editor/jrubylib/lib/ruby/1.8/net/http.rb:586:in connect' C:/Program Files (x86)/Tap In Systems/Control Plan Editor/jrubylib/lib/ruby/1.8/net/http.rb:553:indo_start’
C:/Program Files (x86)/Tap In Systems/Control Plan
Editor/jrubylib/lib/ruby/1.8/net/http.rb:542:in start' C:/Program Files (x86)/Tap In Systems/Control Plan Editor/jrubylib/lib/ruby/gems/1.8/gems/rest-client-1.4.2/lib/restclient/request.rb:150:intransmit’
C:/Program Files (x86)/Tap In Systems/Control Plan
Editor/jrubylib/lib/ruby/gems/1.8/gems/rest-client-1.4.2/lib/restclient/request.rb:55:in
execute' C:/Program Files (x86)/Tap In Systems/Control Plan Editor/jrubylib/lib/ruby/gems/1.8/gems/rest-client-1.4.2/lib/restclient/request.rb:30:inexecute’
C:/Program Files (x86)/Tap In Systems/Control Plan
Editor/jrubylib/lib/ruby/gems/1.8/gems/rest-client-1.4.2/lib/restclient/resource.rb:54:in
get' C:/Program Files (x86)/Tap In Systems/Control Plan Editor/jrubylib/lib/ruby/site_ruby/1.8/RightAPI.rb:98:insend’

From what I’ve read, I believe we somehow need to force jruby-openssl to
only use SSLv3 (and not TLS). Or, at least, something along those
lines.

Can anyone give me some pointers on what to try next? Can anyone tell
me how to specify the SSL version so that it will be picked up by
jruby-openssl?

Cheers.

davidtl · April 15, 2010, 4:57pm

Hi,

On Thu, Apr 15, 2010 at 23:32, David T. [email protected]
wrote:

We’re trying to make web service calls against a web service that seems
to have upgraded their SSL certificate to use SSLv3. We are now
experiencing web service call failures.

Interesting. What version of JRuby and jruby-openssl gem are you
using? Can you tell me the URL which you are trying to connect?

Regards,
// NaHi

To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

davidtl · April 15, 2010, 4:58pm

On Thu, Apr 15, 2010 at 9:32 AM, David T. [email protected]
wrote:

       :user => @username,
Editor/jrubylib/lib/ruby/gems/1.8/gems/rest-client-1.4.2/lib/restclient/request.rb:150:in
C:/Program Files (x86)/Tap In Systems/Control Plan
Cheers.
Which version of jruby-openssl are you using? Have you tried a recent
snapshot?

http://ci.jruby.org/job/jruby-openssl/lastSuccessfulBuild/artifact/pkg/

Oops, NaHi beat me to it.

/Nick

To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

davidtl · April 15, 2010, 5:08pm

NAKAMURA, Hiroshi wrote:

Hi,

On Thu, Apr 15, 2010 at 23:32, David T. [email protected]
wrote:

We’re trying to make web service calls against a web service that seems
to have upgraded their SSL certificate to use SSLv3. ï¿½We are now
experiencing web service call failures.

Interesting. What version of JRuby and jruby-openssl gem are you
using? Can you tell me the URL which you are trying to connect?

Hi,

I’ve tried this with JRuby 1.2 and 1.3.1 on my Ubuntu 9.10 laptop and
with JRuby 1.4.0 on our Ubuntu 8.04 server. Using jruby-openssl-0.6 in
all cases.

The URL is
https://my.rightscale.com/api/acct/20572/login?api_version=1.0

Cheers,
David.

davidtl · April 15, 2010, 5:15pm

David T. wrote:

NAKAMURA, Hiroshi wrote:

Hi,

On Thu, Apr 15, 2010 at 23:32, David T. [email protected]
wrote:

We’re trying to make web service calls against a web service that seems
to have upgraded their SSL certificate to use SSLv3. ï¿½We are now
experiencing web service call failures.

Interesting. What version of JRuby and jruby-openssl gem are you
using? Can you tell me the URL which you are trying to connect?

Hi,

I’ve tried this with JRuby 1.2 and 1.3.1 on my Ubuntu 9.10 laptop and
with JRuby 1.4.0 on our Ubuntu 8.04 server. Using jruby-openssl-0.6 in
all cases.

Oh, and the traceback earlier comes from a colleague’s Windows box, also
exhibiting the same problem.

Cheers,
David.

davidtl · April 15, 2010, 5:21pm

Hi,

On Fri, Apr 16, 2010 at 00:08, David T. [email protected]
wrote:

Interesting. What version of JRuby and jruby-openssl gem are you
using? Can you tell me the URL which you are trying to connect?

I’ve tried this with JRuby 1.2 and 1.3.1 on my Ubuntu 9.10 laptop and
with JRuby 1.4.0 on our Ubuntu 8.04 server. Using jruby-openssl-0.6 in
all cases.

The URL is
https://my.rightscale.com/api/acct/20572/login?api_version=1.0

JRuby 1.4 + jruby-openssl 0.6.1 (not released yet; get it from the URL
Nick posted) seems to work for me.

% SSL_CERT_DIR=/etc/ssl/certs /home/nahi/java/jruby-1.4.0/bin/jruby
-I/home/nahi/git/jruby-openssl/lib -ropen-uri -ve ‘p open(ARGV.shift)’
“https://my.rightscale.com/api/acct/20572/login?api_version=1.0”
jruby 1.4.0 (ruby 1.8.7 patchlevel 174) (2009-11-02 69fbfa3) (Java
HotSpot™ Client VM 1.6.0_16) [i386-java]
/home/nahi/java/jruby-1.4.0/lib/ruby/1.8/open-uri.rb:277:in
`open_http’: 401 Unauthorized (OpenURI::HTTPError)

% /home/nahi/java/jruby-1.4.0/bin/jruby
-I/home/nahi/git/jruby-openssl/lib -ropen-uri -ve ‘p open(ARGV.shift)’
“https://my.rightscale.com/api/acct/20572/login?api_version=1.0”
jruby 1.4.0 (ruby 1.8.7 patchlevel 174) (2009-11-02 69fbfa3) (Java
HotSpot™ Client VM 1.6.0_16) [i386-java]
/home/nahi/java/jruby-1.4.0/lib/ruby/1.8/net/http.rb:586:in `connect’:
certificate verify failed (OpenSSL::SSL::SSLError)

With SSL_CERT_DIR (on Ubuntu 9.10), open-uri returns 401 (means
successfully connected to SSL server). Without SSL_CERT_DIR, open-uri
raises SSLError (means SSL verification failed).

Can you try your client with jruby-openssl 0.6.1 gem?

Regards,
// NaHi

To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

davidtl · April 15, 2010, 5:22pm

David T. wrote:

David T. wrote:

NAKAMURA, Hiroshi wrote:

Hi,

On Thu, Apr 15, 2010 at 23:32, David T. [email protected]
wrote:

We’re trying to make web service calls against a web service that seems
to have upgraded their SSL certificate to use SSLv3. ï¿½We are now
experiencing web service call failures.

Interesting. What version of JRuby and jruby-openssl gem are you
using? Can you tell me the URL which you are trying to connect?

Hi,

I’ve tried this with JRuby 1.2 and 1.3.1 on my Ubuntu 9.10 laptop and
with JRuby 1.4.0 on our Ubuntu 8.04 server. Using jruby-openssl-0.6 in
all cases.

Oh, and the traceback earlier comes from a colleague’s Windows box, also
exhibiting the same problem.

Another colleague reports that he was using “jruby 1.4.0 (ruby 1.8.7
patchlevel 174) (2009-11-02 69fbfa3) (Java HotSpot™ Client VM
1.6.0_18) [x86-java]”.

Cheers,
David.

davidtl · April 15, 2010, 5:08pm

Hi,

On Thu, Apr 15, 2010 at 23:57, Nick S. [email protected] wrote:

Which version of jruby-openssl are you using? Have you tried a recent snapshot?

http://ci.jruby.org/job/jruby-openssl/lastSuccessfulBuild/artifact/pkg/

If you’re on jruby 1.4 and getting ‘NoSuchMethodError’, please apply
the patch at Lookup.java.patch · GitHub. I’m waiting for JIRA is
back…

Regards,
// NaHi

To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

davidtl · April 15, 2010, 5:56pm

Dear All,

We really appreciate the quick responses thus far. I’ve created a test
account so this issue can be verified.

We’re using the RightScale Ruby wrapper at

github.com

robertcarr/RightAPI/blob/master/RightAPI.rb

#!/usr/bin/ruby
#
# Copyright 2009 RightScale, Inc.
# http://www.rightscale.com
# <user>
#
# Ruby API Wrapper for RightScale API functions
# Class: RightAPI
#
# Allows easier access to the RightScale API within your own ruby code and
# Has limited debugging & error handling at this point.
# 
# Requires rest_client Ruby gem available online.
# 'gem install rest-client' 
#  
# Example:
# api = RightAPI.new	
# api.log = true
# api.login(:username => 'user', :password => 'pass', :account => '1234')
#

This file has been truncated. show original

with the following code:

require ‘RightAPI.rb’

api = RightAPI.new
api.login(‘[email protected]’,‘2wsx#EDC’,‘25764’)

scripts = api.send(‘right_scripts.xml’,‘get’)
puts scripts

We should receive the following:

<?xml version="1.0" encoding="UTF-8"?> 2010-04-15T15:47:24Z Test true Hello 2010-04-15T15:47:24Z 1 https://my.rightscale.com/api/acct/25764/right_scripts/206441

Works from Ruby but not from JRUby:

I’m currently using:

jruby 1.4.0 (ruby 1.8.7 patchlevel 174) (2009-11-02 69fbfa3) (Java
HotSpot™ Client VM 1.6.0_18) [x86-java]

As my colleague David suggested earlier, this has started occurring
after the web service provider (RightScale.com) upgraded to a SSLv3
cert.

Any help would be greatly appreciated. Thanks very much in advance.

Sincerely,
Ameer D…

David T. wrote:

David T. wrote:

David T. wrote:

NAKAMURA, Hiroshi wrote:

Hi,

On Thu, Apr 15, 2010 at 23:32, David T. [email protected]
wrote:

We’re trying to make web service calls against a web service that seems
to have upgraded their SSL certificate to use SSLv3. ï¿½We are now
experiencing web service call failures.

Interesting. What version of JRuby and jruby-openssl gem are you
using? Can you tell me the URL which you are trying to connect?

Hi,

I’ve tried this with JRuby 1.2 and 1.3.1 on my Ubuntu 9.10 laptop and
with JRuby 1.4.0 on our Ubuntu 8.04 server. Using jruby-openssl-0.6 in
all cases.

Oh, and the traceback earlier comes from a colleague’s Windows box, also
exhibiting the same problem.

Another colleague reports that he was using “jruby 1.4.0 (ruby 1.8.7
patchlevel 174) (2009-11-02 69fbfa3) (Java HotSpot™ Client VM
1.6.0_18) [x86-java]”.

Cheers,
David.

davidtl · April 16, 2010, 1:46am

NAKAMURA, Hiroshi wrote:

jruby 1.4 + jruby-openssl gem 0.6.1 works as expected.

Hi,

Thanks for your help so far. I’m still having difficulties.

How you’re installing jruby-openssl-0.6.1 or where you’re getting it
from?

My laptop seems to see 0.6 as the latest. I’ve tried reinstalling
jruby-openssl. I’ve tried installing a specific version (“ERROR: could
not find gem jruby-openssl-0.6.1 locally or in a repository”). I’ve
tried updating all installed gems. I still can only get
jruby-openssl-0.6.

Cheers,
David.

davidtl · April 16, 2010, 1:48am

Nick S. wrote:

On Thu, Apr 15, 2010 at 9:32 AM, David T. [email protected]
wrote:

ï¿½ ï¿½ ï¿½ ï¿½ ï¿½ ï¿½:user => @username,

Editor/jrubylib/lib/ruby/gems/1.8/gems/rest-client-1.4.2/lib/restclient/request.rb:150:in
C:/Program Files (x86)/Tap In Systems/Control Plan
Cheers.
Which version of jruby-openssl are you using? Have you tried a recent
snapshot?

http://ci.jruby.org/job/jruby-openssl/lastSuccessfulBuild/artifact/pkg/

Ah, I overlooked this. I’ll give it a try.

Cheers,
David.

davidtl · April 16, 2010, 1:57am

David T. wrote:

Nick S. wrote:

On Thu, Apr 15, 2010 at 9:32 AM, David T. [email protected]
wrote:

ï¿½ ï¿½ ï¿½ ï¿½ ï¿½ ï¿½:user => @username,

Editor/jrubylib/lib/ruby/gems/1.8/gems/rest-client-1.4.2/lib/restclient/request.rb:150:in
C:/Program Files (x86)/Tap In Systems/Control Plan
Cheers.
Which version of jruby-openssl are you using? Have you tried a recent
snapshot?

http://ci.jruby.org/job/jruby-openssl/lastSuccessfulBuild/artifact/pkg/

Ah, I overlooked this. I’ll give it a try.

Looks like it’s working on my laptop:

root@continuity:~# JRUBY_HOME=/opt/jruby-1.3.1
GEM_HOME=/var/lib/gems/1.8 jruby test.rb | head -5
[warning] You should set the log with a logger

<?xml version="1.0" encoding="UTF-8"?> 2009-10-27T07:01:27Z Web Server Sandbox root@continuity:~#

I’ll give it a try on the server now.

Cheers,
David.

davidtl · April 16, 2010, 2:59am

Hi there Nahi/Nick,

Jruby-openssl 0.6.1 worked for us. You guys have been very generous in
your help and it’s much appreciated. Thank you very much.

Ameer.

davidtl · April 15, 2010, 6:07pm

Hi,

On Fri, Apr 16, 2010 at 00:56, Ameer D. [email protected] wrote:

scripts = api.send(‘right_scripts.xml’,‘get’)
puts scripts

api.login(a, b, c)
should be
api.login(:username => a, :password => b, :account => c)
right?

jruby 1.4 + jruby-openssl gem 0.6.1 works as expected.

% gem install --user-install rest-client --no-ri --no-rdoc
Successfully installed mime-types-1.16
Successfully installed rest-client-1.4.2
2 gems installed
0% ruby -I. tst.rb

<?xml version="1.0" encoding="UTF-8"?> 2010-04-15T15:47:24Z Test true Hello 2010-04-15T15:47:24Z 1 https://my.rightscale.com/api/acct/25764/right_scripts/206441

% /home/nahi/java/jruby-1.4.0/bin/jruby -S gem install --user-install
rest-client --no-ri --no-rdoc
WARNING: You don’t have /home/nahi/.gem/jruby/1.8/bin in your PATH,
gem executables will not run.
Successfully installed mime-types-1.16
Successfully installed rest-client-1.4.2
2 gems installed
% /home/nahi/java/jruby-1.4.0/bin/jruby
-I/home/nahi/git/jruby-openssl/lib -I. tst.rb

<?xml version="1.0" encoding="UTF-8"?> 2010-04-15T15:47:24Z Test true Hello 2010-04-15T15:47:24Z 1 https://my.rightscale.com/api/acct/25764/right_scripts/206441 %

Regards,
// NaHi

To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

davidtl · April 16, 2010, 3:02am

Ameer D. wrote:

Hi there Nahi/Nick,

Jruby-openssl 0.6.1 worked for us. You guys have been very generous in
your help and it’s much appreciated. Thank you very much.

Absolutely! Thanks very much. It’s working on the server now using a
combination of the jruby-openssl-0.6.1 build and specifying the
“JRUBY_HOME=” with “jruby -S gem install…” for JRuby 1.4.0.

Thanks guys!

Cheers,
David.

davidtl · April 16, 2010, 3:18am

Hi, Ameer and David,

Good to hear it works. Thanks.

On Fri, Apr 16, 2010 at 10:02, David T. [email protected]
wrote:

Jruby-openssl 0.6.1 worked for us. You guys have been very generous in
your help and it’s much appreciated. Thank you very much.

Absolutely! Thanks very much. It’s working on the server now using a
combination of the jruby-openssl-0.6.1 build and specifying the
“JRUBY_HOME=” with “jruby -S gem install…” for JRuby 1.4.0.

And I confirmed that the sample script does not work with
jruby-openssl 0.6.0 (the latest released version). I think the
following commit fixes SSL protocol version handling.

Regards,
// NaHi

To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

davidtl · April 16, 2010, 7:57am

Hi NaHi,

And I think I can safely speak for entire JRuby Core team in this
case, I would just say that your contributions to the jruby-openssl ar
GREATLY appreciated. Just an outstanding work, really! It is a great
feeling that SSL stuff on JRuby is in shape now and thoroughly
supported.

Thanks,
–Vladimir

On Fri, Apr 16, 2010 at 3:17 AM, NAKAMURA, Hiroshi [email protected]
wrote:

“JRUBY_HOME=” with “jruby -S gem install…” for JRuby 1.4.0.

To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

davidtl · April 16, 2010, 1:34pm

Hi,

Thanks for kind words. I’m very honored if I can help letting Ola and
others great work to see the light.

Regards,
// NaHi

On Fri, Apr 16, 2010 at 14:56, Vladimir S. [email protected]
wrote:

And I think I can safely speak for entire JRuby Core team in this
case, I would just say that your contributions to the jruby-openssl ar
GREATLY appreciated. Just an outstanding work, really! It is a great
feeling that SSL stuff on JRuby is in shape now and thoroughly
supported.

To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email