Forum: Ruby-core [ruby-trunk - Bug #9053][Open] SSL Issue with Ruby 2.0.0

48e210500e7a349b1989f2719cd00b36?d=identicon&s=25 tisba (Sebastian Cohnen) (Guest)
on 2013-10-25 11:25
(Received via mailing list)
Issue #9053 has been reported by tisba (Sebastian Cohnen).

----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053

Author: tisba (Sebastian Cohnen)
Status: Open
Priority: Normal
Assignee:
Category:
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
58479f76374a3ba3c69b9804163f39f4?d=identicon&s=25 drbrain (Eric Hodel) (Guest)
on 2013-10-25 22:59
(Received via mailing list)
Issue #9053 has been updated by drbrain (Eric Hodel).

Category set to ext/openssl
Status changed from Open to Rejected
Assignee set to drbrain (Eric Hodel)

You need to install certificates when using non-platform OpenSSL on OS
X.  Your certificates should be installed here:

ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'

There are instructions on how to install them for RVM:

http://rvm.io/support/fixing-broken-ssl-certificates
----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42616

Author: tisba (Sebastian Cohnen)
Status: Rejected
Priority: Normal
Assignee: drbrain (Eric Hodel)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
3ec52ed58eb92026d86e62c39bdb7589?d=identicon&s=25 Michal Papis (mpapis)
on 2013-10-26 03:31
(Received via mailing list)
Issue #9053 has been updated by mpapis (Michal Papis).


=begin
as per the RVM ticket
 rvm osx-ssl-certs update all
was used, I do not think this one is missing certificates, any steps to
help debug it?
=end

----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42619

Author: tisba (Sebastian Cohnen)
Status: Rejected
Priority: Normal
Assignee: drbrain (Eric Hodel)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
58479f76374a3ba3c69b9804163f39f4?d=identicon&s=25 drbrain (Eric Hodel) (Guest)
on 2013-10-26 04:12
(Received via mailing list)
Issue #9053 has been updated by drbrain (Eric Hodel).

Status changed from Rejected to Assigned
Assignee changed from drbrain (Eric Hodel) to MartinBosslet (Martin
Bosslet)

Ah, I missed that.

Maybe Martin knows, I have assigned the issue to him.
----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42620

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
C4e88907313843cf07f6d85ba8162120?d=identicon&s=25 chittoor (Rajesh Malepati) (Guest)
on 2013-10-26 15:38
(Received via mailing list)
Issue #9053 has been updated by chittoor (Rajesh Malepati).


tisba (Sebastian Cohnen) wrote:
> =begin
> Steps to reproduce:
>
>   ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'
>
> results in:
>
>   /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed (OpenSSL::SSL::SSLError)

Your certificate chain is incomplete.
Serve "StartCom Class 1 Primary Intermediate Server CA" certificate
along with your server certificate.
----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42628

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
48e210500e7a349b1989f2719cd00b36?d=identicon&s=25 tisba (Sebastian Cohnen) (Guest)
on 2013-10-28 08:56
(Received via mailing list)
Issue #9053 has been updated by tisba (Sebastian Cohnen).


chittoor (Rajesh Malepati) wrote:
> Your certificate chain is incomplete.
> Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with
your server certificate.

Okay thanks, I'll take a look.

But this doesn't really explain, why only Ruby 2.0 is affected, or does
it?
----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42643

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
C4e88907313843cf07f6d85ba8162120?d=identicon&s=25 chittoor (Rajesh Malepati) (Guest)
on 2013-10-28 19:07
(Received via mailing list)
Issue #9053 has been updated by chittoor (Rajesh Malepati).


tisba (Sebastian Cohnen) wrote:
> chittoor (Rajesh Malepati) wrote:
> > Your certificate chain is incomplete.
> > Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with
your server certificate.
>
> Okay thanks, I'll take a look.
>
> But this doesn't really explain, why only Ruby 2.0 is affected, or does it?

Are you sure it's just Ruby 2.0? openssl doesn't attempt to download
missing certificates.
Browsers on the other hand, look at 'Authority Information Access'
extension in the certificate to download additional certificates.
----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42645

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
3ec52ed58eb92026d86e62c39bdb7589?d=identicon&s=25 Michal Papis (mpapis)
on 2013-11-02 00:46
(Received via mailing list)
Issue #9053 has been updated by mpapis (Michal Papis).


I think it can be closed as per
https://github.com/wayneeseguin/rvm/issues/2315#is... -
adding the missing certificate fixes the problem
----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42717

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
C4e88907313843cf07f6d85ba8162120?d=identicon&s=25 "davispuh (Dāvis Mosāns)" <redmine@ruby-lang.org> (Guest)
on 2013-11-02 01:20
(Received via mailing list)
Issue #9053 has been updated by davispuh (Dāvis Mosāns).


=begin
I've same problem on Windows 8 using Ruby 2.0.0-p247 (x86) from
((<RubyInstaller|URL:http://rubyinstaller.org/downloads>)), no RVM
=end


----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42718

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
C4e88907313843cf07f6d85ba8162120?d=identicon&s=25 "davispuh (Dāvis Mosāns)" <redmine@ruby-lang.org> (Guest)
on 2013-11-02 01:24
(Received via mailing list)
Issue #9053 has been updated by davispuh (Dāvis Mosāns).


=begin
On Linux it works fine, but on Windows:

  N:\Projects>ruby -rnet/http -e
'Net::HTTP.get(URI("https://google.com"));'
  P:/Ruby200/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed (OpenSSL::SSL::SSLError)
        from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:918:in `block in
connect'
        from P:/Ruby200/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
        from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:918:in `connect'
        from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
        from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:851:in `start'
        from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:582:in `start'
        from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:477:in `get_response'
        from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:454:in `get'
        from -e:1:in `<main>'
=end

----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42719

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
1ecef11b3cc6abfda85798858745ef72?d=identicon&s=25 MartinBosslet (Martin Bosslet) (Guest)
on 2013-11-04 01:48
(Received via mailing list)
Issue #9053 has been updated by MartinBosslet (Martin Bosslet).


Thanks everyone for contributing, I'm sorry I couldn't look into it any
sooner. Special thanks to Rajesh for finding the issue!

@Sebastian: Adding the missing certificate in the chain fixed the issue
for you?

@Dāvis: What does

  openssl version -a

print for you? At the very end, there should be an entry similar to

  OPENSSLDIR: "/etc/pki/tls"

What directory does the command display? Does it exist, and if yes, what
files are in there?

----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42735

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
E7cff3cfd41c495e1012227d7dc24202?d=identicon&s=25 Luis Lavena (luislavena)
on 2013-11-04 03:43
(Received via mailing list)
Issue #9053 has been updated by luislavena (Luis Lavena).


=begin
@davispuh: OpenSSL in Windows do not come with support for Windows
certificate storage, so it cannot connect to HTTPS servers without a
valid certificate bundle.

You need to use ((|SSL_CERT_FILE|)) environment variable and set to the
path to a curl CA cert bundle.

As for RubyGems, I recommend updating to the latest version of the
version you're using (e.g. 2.1.10 for 2.1.x, 2.0.13 for 2.0.x and 1.8.28
for 1.8.x)

You can follow the installation instructions here:

http://rubygems.rubyforge.org/rubygems-update/UPGR...

=end
----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42736

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
48e210500e7a349b1989f2719cd00b36?d=identicon&s=25 tisba (Sebastian Cohnen) (Guest)
on 2013-11-05 09:41
(Received via mailing list)
Issue #9053 has been updated by tisba (Sebastian Cohnen).


MartinBosslet (Martin Bosslet) wrote:
> Thanks everyone for contributing, I'm sorry I couldn't look into it any sooner.
Special thanks to Rajesh for finding the issue!
>
> @Sebastian: Adding the missing certificate in the chain fixed the issue for you?

Yes, I added the intermediate certificate to be served as well.
----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42753

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
48e210500e7a349b1989f2719cd00b36?d=identicon&s=25 tisba (Sebastian Cohnen) (Guest)
on 2013-11-05 09:55
(Received via mailing list)
Issue #9053 has been updated by tisba (Sebastian Cohnen).


chittoor (Rajesh Malepati) wrote:
> Browsers on the other hand, look at 'Authority Information Access' extension in
the certificate to download additional certificates.
I just removed the intermediate certificate again from the server to
test it again. I noticed that Ruby 1.9.3 (and 1.8.7) does not seem to
verify the SSL certificate by default (OpenSSL::SSL::VERIFY_NONE). This
code fails for all Rubies (1.8.7, 1.9.3 and 2.0.0) with the missing
intermediate certificate:

 require "net/http"
 http = Net::HTTP.new("stormforger.com", 443)
 http.use_ssl = true
 http.verify_mode = OpenSSL::SSL::VERIFY_PEER
 request = Net::HTTP::Get.new("/")
 response = http.request(request)

results in:

 OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verify failed
----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42754

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674)
[x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`block in connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in
`timeout'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
`connect'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in
`do_start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in
`start'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
`get_response'
    from
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in
`get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was
able to reproduce this issue with OS X 10.8.5 as well as with 10.9.
Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27
revision 41674) [universal.x86_64-darwin13]}))) does not have the issue.
I appended the output of (({otool -L})) to look for the used OpenSSL
lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0
use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413)
[x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be
not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib
(compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs
otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version
1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility
version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version
1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
(compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current
version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
version 228.0.0)

=end
This topic is locked and can not be replied to.