TLS1.2 enforcement pains & JRuby, particularly hurting for TLS_RSA_WITH_AES_256_CBC_SHA256

Continuing on https://github.com/jruby/jruby/issues/2194, as the title says, more and more services force TLS v1.2 and the lack of ciphers on JRuby is hurting very, very badly - a particular critical service jumped out yesterday due to TLS v1.2 enforcement, and I've got no options to put it back up at the moment under JRuby (MRI works fine with C openssl).

An urgent workaround would also be amazing, if possible <3 I've been playing with something like this but with little success so far:

``` ruby
    uri = URI.parse(ds_url)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    http.ssl_version = :"TLSv1_2"
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE # OpenSSL::SSL::VERIFY_PEER, OpenSSL::SSL::VERIFY_NONE
    http.cert = client_cert
    http.key = client_key
    http.ca_file = ds_cert_file
    http.ciphers = OpenSSL::SSL::SSLContext.new.ciphers.map do |c|
      c[0].gsub("-", "+")
    end
    puts http.ciphers.inspect

    resp = http.post(uri.request_uri, http_body, 'Content-Type' => 'application/xml; charset=utf-8')
    resp.body
```

that said, the response is always `OpenSSL::SSL::SSLError: Socket closed`, the `openssl s_client` command with this same data plugged in works, and it works when MRI ruby is used.

these are the currently active ciphers:

```
["EXP+DES+CBC+SHA", "EXP+EDH+RSA+DES+CBC+SHA", "EXP+EDH+DSS+DES+CBC+SHA", "DES+CBC+SHA", "EDH+RSA+DES+CBC+SHA", "ECDHE+ECDSA+AES128+SHA256", "ECDHE+RSA+AES128+SHA256", "ECDH+ECDSA+AES128+SHA256", "ECDH+RSA+AES128+SHA256", "ECDHE+ECDSA+AES128+SHA", "ECDHE+RSA+AES128+SHA", "AES128+SHA", "ECDH+ECDSA+AES128+SHA", "ECDH+RSA+AES128+SHA", "DHE+RSA+AES128+SHA", "DHE+DSS+AES128+SHA", "ECDHE+ECDSA+DES+CBC3+SHA", "ECDHE+RSA+DES+CBC3+SHA", "DES+CBC3+SHA", "ECDH+ECDSA+DES+CBC3+SHA", "ECDH+RSA+DES+CBC3+SHA", "EDH+RSA+DES+CBC3+SHA", "EDH+DSS+DES+CBC3+SHA", "ECDHE+ECDSA+AES256+SHA384", "ECDHE+RSA+AES256+SHA384", "ECDH+ECDSA+AES256+SHA384", "ECDH+RSA+AES256+SHA384", "ECDHE+ECDSA+AES256+SHA", "ECDHE+RSA+AES256+SHA", "AES256+SHA", "ECDH+ECDSA+AES256+SHA", "ECDH+RSA+AES256+SHA", "DHE+RSA+AES256+SHA", "DHE+DSS+AES256+SHA"]
```
Ruby is `jruby 9.1.13.0 (2.3.3)`

PS actually, any of these would be a life-saver:

```
ECDHE-RSA-AES256-GCM-SHA384 TLS1.2
ECDHE-RSA-AES256-SHA384 TLS1.2
ECDHE-RSA-AES256-CBC-SHA TLS1.2
ECDHE-ECDSA-AES256-SHA384 TLS1.2
ECDHE-ECDSA-AES256-SHA TLS1.2
ECDH-RSA-AES256-SHA384 TLS1.2
ECDH-ECDSA-AES256-SHA384 TLS1.2
ECDH-RSA-AES256-SHA TLS1.2
ECDH-ECDSA-AES256-SHA TLS1.2
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

TLS1.2 enforcement pains & JRuby, particularly hurting for TLS_RSA_WITH_AES_256_CBC_SHA256 #168

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

TLS1.2 enforcement pains & JRuby, particularly hurting for TLS_RSA_WITH_AES_256_CBC_SHA256 #168

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions