jruby / jruby-openssl

JRuby's OpenSSL gem
http://www.jruby.org

SSL handshake failure #137

Open nackep opened 7 years ago

nackep commented 7 years ago

SSL fails with latest http gem under jruby:

jruby-9.0.4.0 :031 > require "http"
 => true
jruby-9.0.4.0 :032 > HTTP.get("https://blocktrades.us")
OpenSSL::SSL::SSLError: Received fatal alert: handshake_failure
    from org/jruby/ext/openssl/SSLSocket.java:218:in `connect'
    from /home/.rvm/gems/jruby-9.0.4.0/gems/http-2.2.2/lib/http/timeout/null.rb:26:in `connect_ssl'
    from /home/.rvm/gems/jruby-9.0.4.0/gems/http-2.2.2/lib/http/timeout/null.rb:35:in `start_tls'
    from /home/.rvm/gems/jruby-9.0.4.0/gems/http-2.2.2/lib/http/connection.rb:158:in `start_tls'
    from /home/.rvm/gems/jruby-9.0.4.0/gems/http-2.2.2/lib/http/connection.rb:44:in `initialize'
    from /home/.rvm/gems/jruby-9.0.4.0/gems/http-2.2.2/lib/http/client.rb:60:in `perform'
    from /home/.rvm/gems/jruby-9.0.4.0/gems/http-2.2.2/lib/http/client.rb:41:in `request'
    from /home/.rvm/gems/jruby-9.0.4.0/gems/http-2.2.2/lib/http/chainable.rb:75:in `request'
    from /home/.rvm/gems/jruby-9.0.4.0/gems/http-2.2.2/lib/http/chainable.rb:19:in `get'
    from (irb):32:in `'
    from org/jruby/RubyKernel.java:978:in `eval'
    from org/jruby/RubyKernel.java:1291:in `loop'
    from org/jruby/RubyKernel.java:1098:in `catch'
    from org/jruby/RubyKernel.java:1098:in `catch'
    from /home/user/.rvm/rubies/jruby-9.0.4.0/bin/irb:13:in `'

SSL is working: https://www.sslshopper.com/ssl-checker.html#hostname=blocktrades.us

thank you heroes <3

nackep commented 7 years ago

jruby-openssl (0.9.20-java)

kares commented 7 years ago

could you upgrade to latest 9.1 (or at least 9.0.5) and then also report back your JVM version. some older JRuby 9.x had an issue with not picking up the latest jruby-openssl gem even when it's installed

nackep commented 7 years ago

same error upgrading to JRuby 9.1.7.0 thanks

kares commented 7 years ago

could you upgrade to latest 9.1 (or at least 9.0.5) and then also report back your JVM version.

nackep commented 7 years ago

jruby 9.1.7.0 (2.3.1) 2017-01-11 68056ae Java HotSpot(TM) Client VM 25.66-b17 on 1.8.0_66-b17 +jit [linux-i386]
jruby-openssl (0.9.20 java, 0.9.18 java)
thanks

headius commented 6 years ago

This is still failing on JRuby master, but we have a reproduction script courtesy of https://twitter.com/notsleepy/status/951564023920721921

require 'rubygems'
require "httpclient"
require "timeout" # Timeout::timeout is used in the curl branch below

# RUN : jruby test.rb
=begin
I GET THIS CRAP:
Error: Java::JavaxNetSsl::SSLHandshakeException: Received fatal alert: handshake_failure https://jeanmartainnaturopath.com.au/likeslinks/
/Users/tony/.rvm/gems/jruby-9.1.12.0/gems/httpclient-2.8.3/lib/httpclient/jruby_ssl_socket.rb:495:in `initialize'
/Users/tony/.rvm/gems/jruby-9.1.12.0/gems/httpclient-2.8.3/lib/httpclient/jruby_ssl_socket.rb:474:in `create_socket'
/Users/tony/.rvm/gems/jruby-9.1.12.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:752:in `block in connect'
org/jruby/ext/timeout/Timeout.java:149:in `timeout'
/Users/tony/.rvm/gems/jruby-9.1.12.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:748:in `connect'
/Users/tony/.rvm/gems/jruby-9.1.12.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:511:in `query'
/Users/tony/.rvm/gems/jruby-9.1.12.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:177:in `query'
/Users/tony/.rvm/gems/jruby-9.1.12.0/gems/httpclient-2.8.3/lib/httpclient.rb:1242:in `do_get_block'
/Users/tony/.rvm/gems/jruby-9.1.12.0/gems/httpclient-2.8.3/lib/httpclient.rb:1019:in `block in do_request'
/Users/tony/.rvm/gems/jruby-9.1.12.0/gems/httpclient-2.8.3/lib/httpclient.rb:1133:in `protect_keep_alive_disconnected'
/Users/tony/.rvm/gems/jruby-9.1.12.0/gems/httpclient-2.8.3/lib/httpclient.rb:1014:in `do_request'
/Users/tony/.rvm/gems/jruby-9.1.12.0/gems/httpclient-2.8.3/lib/httpclient.rb:856:in `request'
/Users/tony/.rvm/gems/jruby-9.1.12.0/gems/httpclient-2.8.3/lib/httpclient.rb:743:in `get'
test.rb:27:in `get_page_content'
=end

def get_page_content(path, timeout) # timeout is in seconds
  # ***** SET THE CHOICE OF LIB FOR REQUESTS HERE! ************
  usecurl = false
  #************************************************************
  response = nil # declared up front so both branches assign the same local
  begin
    # OPTION 1: CURL
    if usecurl
      require "curb" # provides Curl::Easy; only needed for this branch
      Timeout::timeout(timeout) {
        response = Curl::Easy.new(path) do |curl|
          curl.headers["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"
          curl.connect_timeout = timeout
          curl.ssl_verify_peer = false # peer certificate verification disabled for this repro
        end

        response.perform
      }
    # OPTION 2: HTTPCLIENT
    else
      client = HTTPClient.new()
      client.connect_timeout = timeout  #give up after X seconds
      client.receive_timeout = timeout  #give up after X seconds
      client.send_timeout = timeout  #give up after X seconds
      client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE # peer certificate verification disabled for this repro
      response = client.get(path,
        :header => {'User-Agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11', 'Referer' => 'http://www.google.com'}
      )
    end
  rescue => e
    puts "Error: #{$!} #{path}"
    puts e.backtrace
    return "Error retrieving: #{$!}"
  end
  return response
end

url = "https://jeanmartainnaturopath.com.au/likeslinks/"
response = get_page_content(url, 5000)
# get_page_content returns a String on failure, which has no #body
puts(response.respond_to?(:body) ? response.body : response)

revodoge commented 6 years ago

the problem here is likely with the Java cacerts on your machine (since JRuby is running on top of Java) and not in this gem.

The following Java snippet would confirm if that was the case

new URL("https://letsencrypt.org/").openConnection().connect();

Your letsencrypt cert should work if you update to the latest Java, otherwise you'd have to follow these instructions

amo13 commented 4 years ago

A week ago I started getting the same error without having changed anything in my jruby code or with my letsencrypt certificate, it just suddenly broke. I am on jruby 9.2.7.0 (9.2.8 not yet available through rvm) with jruby-openssl 0.10.2 on jre8.u222.

I also tested for max key length and the allowed key length for AES is 2147483647 on my machine.

How do I run the above snippet to better sort out the problem? (I don't know java)

Any help is greatly appreciated!

amo13 commented 4 years ago

Solved my problem by adding the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher to my nginx config (even though this one is considered weak as of today). It looks like jruby-openssl (or is it java8?) and let's encrypt (certbot) do not share a common cipher any more - at least when keeping the defaults.
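
The cipher mismatch described in the last comment, as an added example that is not part of the original thread or of jruby-openssl: it translates the explicit suite names in an nginx `ssl_ciphers` string to the IANA names a JVM client uses and computes what both sides share. The client offer and both server strings are constructed sample data, and `iana_name`, `server_suites` and `shared_suites` are hypothetical helper names.

```ruby
# Added example. An empty intersection between the client's offered suites and
# the server's enabled suites is the condition under which the server rejects
# the ClientHello and the client reports "Received fatal alert: handshake_failure".

# OpenSSL-style names (nginx ssl_ciphers) for the (EC)DHE AES / ChaCha20
# families only; keywords such as HIGH or !aNULL are not expanded.
OPENSSL_NAME = /\A(ECDHE|DHE)-(RSA|ECDSA)-(?:AES(128|256)(-GCM)?-(SHA(?:256|384)?)|(CHACHA20-POLY1305))\z/

# Translate one OpenSSL-style suite name to its IANA name, or nil if the
# name is outside the families handled here.
def iana_name(openssl_name)
  m = OPENSSL_NAME.match(openssl_name)
  return nil unless m
  kx, auth, bits, gcm, mac, chacha = m.captures
  return "TLS_#{kx}_#{auth}_WITH_CHACHA20_POLY1305_SHA256" if chacha
  mode = gcm ? 'GCM' : 'CBC' # OpenSSL names omit "CBC"; IANA names spell it out
  "TLS_#{kx}_#{auth}_WITH_AES_#{bits}_#{mode}_#{mac}"
end

# Suites enabled by an ssl_ciphers string, in server preference order.
def server_suites(ssl_ciphers)
  ssl_ciphers.split(':').map { |name| iana_name(name) }.compact
end

# Suites both sides support, in server preference order.
def shared_suites(client_offer, ssl_ciphers)
  server_suites(ssl_ciphers) & client_offer
end

# Constructed client offer (CBC-only). On a real system, read the list from a
# capture of the ClientHello rather than assuming it.
CLIENT_OFFER = %w[
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
].freeze

# Constructed server configs: AEAD-only, then with the CBC suite named in the
# comment above appended.
SERVER_BEFORE = 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:' \
                'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305'
SERVER_AFTER  = "#{SERVER_BEFORE}:ECDHE-RSA-AES128-SHA256"

puts "before: #{shared_suites(CLIENT_OFFER, SERVER_BEFORE).inspect}"
puts "after:  #{shared_suites(CLIENT_OFFER, SERVER_AFTER).inspect}"
```
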