Closed
Description
Even though OpenSSL::X509::DEFAULT_CERT_FILE is set to a path, JRuby does not seem to use the CA file stored there. Of course exporting SSL_CERT_FILE works, therefore I consider this a minor issue. I could replicate this behavior both locally on OSX 10.9.4 and on a server running FreeBSD 9.3.
I used the following test script. It is important to note that the certificate for openexchangerates.org
is not in the installed JVM's trust store; this is how we stumbled over this problem.
require 'openssl'
require "net/https"
require "uri"
uri = URI.parse("https://openexchangerates.org?missing_app_id=true")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
puts response.body
I downloaded the latest cacert.pem from curl:
curl -O http://curl.haxx.se/ca/cacert.pem
This is how MRI Ruby 2.1.2p95 behaves:
$: ruby -v
ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
$: ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE"
"/etc/openssl/cert.pem"
$: sudo cp -f cacert.pem /etc/openssl/cert.pem
$: ruby test_ssl.rb | head -n 1
<!DOCTYPE html>
$: sudo mv /etc/openssl/cert.pem /etc/openssl/cert.pem.bak
$: ruby test_ssl.rb | head -n 1
/Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
from /Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `block in connect'
from /Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/timeout.rb:76:in `timeout'
from /Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `connect'
from /Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
from /Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:852:in `start'
from /Users/phuesler/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:1369:in `request'
from test_ssl.rb:12:in `<main>'
And now JRuby:
$: ruby -v
jruby 1.7.15 (1.9.3p392) 2014-09-03 82b5cc3 on Java HotSpot(TM) 64-Bit Server VM 1.7.0_10-ea-b14 +jit [darwin-x86_64]
$: ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE"
"/usr/lib/ssl/cert.pem"
$: sudo cp -f cacert.pem /usr/lib/ssl/cert.pem
$: ruby test_ssl.rb | head -n 1
OpenSSL::SSL::SSLError: certificate verify failed
connect at org/jruby/ext/openssl/SSLSocket.java:180
connect at /Users/phuesler/.rvm/rubies/jruby-1.7.15/lib/ruby/1.9/net/http.rb:799
timeout at org/jruby/ext/timeout/Timeout.java:104
connect at /Users/phuesler/.rvm/rubies/jruby-1.7.15/lib/ruby/1.9/net/http.rb:799
do_start at /Users/phuesler/.rvm/rubies/jruby-1.7.15/lib/ruby/1.9/net/http.rb:755
start at /Users/phuesler/.rvm/rubies/jruby-1.7.15/lib/ruby/1.9/net/http.rb:744
request at /Users/phuesler/.rvm/rubies/jruby-1.7.15/lib/ruby/1.9/net/http.rb:1292
(root) at test_ssl.rb:12
$: SSL_CERT_FILE=/usr/lib/ssl/cert.pem ruby test_ssl.rb | head -n 1
$: <!DOCTYPE html>
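An added example, not part of the original report or of JRuby's code: one way to make verification independent of which default path a runtime reads is to load the CA bundle into an explicit `OpenSSL::X509::Store` and hand it to `Net::HTTP`. The helper names (`effective_ca_file`, `store_from`, `pinned_client`, `make_cert`, `demo`) and the certificates are constructed for illustration, and `effective_ca_file` assumes the precedence the report observed, with `SSL_CERT_FILE` taking priority over `DEFAULT_CERT_FILE`.

```ruby
require 'openssl'
require 'net/http'
require 'tempfile'

# Assumed precedence: SSL_CERT_FILE overrides OpenSSL::X509::DEFAULT_CERT_FILE.
def effective_ca_file(env = ENV)
  env['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE
end

# Build a trust store from one explicit PEM bundle; fail loudly if it is missing.
def store_from(path)
  raise ArgumentError, "CA bundle not readable: #{path}" unless File.readable?(path)
  OpenSSL::X509::Store.new.tap { |s| s.add_file(path) }
end

# Net::HTTP client that verifies peers against that bundle only (no connection is opened here).
def pinned_client(host, port, ca_path)
  Net::HTTP.new(host, port).tap do |http|
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.cert_store = store_from(ca_path)
  end
end

# Constructed certificate: self-signed CA when no issuer is given, otherwise a leaf.
def make_cert(cn, key, issuer = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1 + rand(1 << 30)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify a constructed leaf against a store loaded from a bundle file and against an empty store.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Test CA', ca_key)
  leaf = make_cert('leaf.example.test', OpenSSL::PKey::RSA.new(2048), ca, ca_key)
  Tempfile.create(['ca', '.pem']) do |f|
    f.write(ca.to_pem); f.flush
    { with_bundle: store_from(f.path).verify(leaf), empty_store: OpenSSL::X509::Store.new.verify(leaf) }
  end
end
```

A store that never loaded the issuing CA rejects the leaf, which is the same "certificate verify failed" outcome shown in the JRuby trace above.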