- Type: Bug
- Resolution: Fixed
- Priority: Minor - P4
- Affects Version/s: None
- Component/s: Connections
- Fully Compatible
It appears that JRuby cannot parse a certificate+private key bundle, per https://github.com/jruby/jruby-openssl/issues/176. When a client certificate is passed via URI options, since there is only one option which expects to be given such a bundle, JRuby fails to parse the client certificate. This means, as far as I can tell, that on JRuby the driver is currently unable to connect to a server configured to verify client certificates when certificates/TLS configuration is specified via URI options.
Our key handling logic is currently as follows:
def set_key(context, options)
  passphrase = options[:ssl_key_pass_phrase]
  if options[:ssl_key]
    context.key = passphrase ? OpenSSL::PKey.read(File.read(options[:ssl_key]), passphrase) :
      OpenSSL::PKey.read(File.open(options[:ssl_key]))
  elsif options[:ssl_key_string]
    context.key = passphrase ? OpenSSL::PKey.read(options[:ssl_key_string], passphrase) :
      OpenSSL::PKey.read(options[:ssl_key_string])
  elsif options[:ssl_key_object]
    context.key = options[:ssl_key_object]
  end
end
We could possibly make it work by explicitly using OpenSSL::PKey::RSA and OpenSSL::PKey::DSA on JRuby.
Exception for wrong key type looks like this:
OpenSSL::PKey::DSAError: Neither PUB key nor PRIV key: (invalid key type org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey)
  initialize at org/jruby/ext/openssl/PKeyDSA.java:271
  <main> at rsa.rb:3
DSAError is a subclass of PKeyError, which is what we can probably rescue.