Releases: jruby/jruby-openssl

0.9.12

08 Oct 19:18
  • when the Cipher/Signature needs to be created via Java reflection use a constructor
    which avoids verifying the bouncy-castle jars (which is the main reason for using
    reflection since some classloader setups fail to verify those jars) (#73)
  • force US locale for date formatting
    otherwise it uses system locale, which is inconsistent with MRI.
  • X509::Store.set_default_paths ignores FileNotFound errors like MRI does (#68)
  • check type on X509::Store.verify
    throw a TypeError if the argument is not an OpenSSL::X509::Certificate (#69)
  • keep the default x509 certs and directories in line with MRI, only if
    they do not exist fall back on cacerts from the java.home/lib/security/cacerts
  • bring the default ca-certs paths/location more in line with MRI and fall back on
    jvm truststore (java.home/lib/security/cacerts) when needed

0.9.11

08 Oct 15:33
  • add TLSv1_1_client, TLSv1_1_server, TLSv1_2_client and TLSv1_2_server options
    to ssl_version (#65)
  • regression make sure we hold a buffered reader so that the loop continues
    reading PEMs - previously introduced an incompatibility with cert verify (#67)
  • support negotiating up to TLS1_1 and TLS1_2 when the server supports these
    ssl_versions (#63)

0.9.10

21 Aug 06:08
  • regression reverted fix for #49 (as it needs more work/testing) :
    keep the default x509 certs and directories in line with MRI (#49), only if
    they do not exist fall back on cacerts from the java.home/lib/security/cacerts

0.9.9

21 Aug 06:07
  • regression causing to re-package a RaiseException in SSLSocket#accept
  • fix load error: jopenssl/load -- java.lang.VerifyError: using BC 1.51 or 1.52 (#62)
  • keep the default x509 certs and directories in line with MRI (#49), only if
    they do not exist fall back on cacerts from the java.home/lib/security/cacerts

0.9.8

28 Jul 07:56
  • refactor PKCS5.pbkdf2_hmac_sha1 to use BC APIs
    thus less dependent on provider internals (jruby/jruby#3025)
  • HMAC - use our SimpleKey impl so that there's less[] copy
    ... also allows for an empty key to work like MRI (jruby/jruby#2854)
  • fixing oaep encryption to use correct algorithm (#54)
  • [experimental] support NOT loading any (BC) jars on our own ... (#10)
  • disable DHE (by default) on Java <= 7 ... on Java 8 we (still) force 1024/2048
    (see jruby/jruby#2872 and #45)
  • regression handle parsing of "incomplete" X.509 certs like MRI does (#42)
  • implement a CRL/certificate caching (for now off by default) in Lookup
    ... set -J-Djruby.openssl.x509.lookup.cache=true to enable
  • improve Store helper concurrency (with less synchronization)
  • reviewed OpenSSL's .rb parts to match those present in MRI 1.9.3 / 2.2.2
  • initial support for OpenSSL::SSL::Session (id, time, timeout work)
  • session_cache_mode as present in OpenSSL makes no sense with Java APIs
  • use the set SSLContext#session_cache_size on the underlying javax.net API
  • tidy up SSLSocket's internals + add stack-trace debugging on accept/connect
  • add SSLSocket ssl_version property like MRI has (#38)
  • avoid unnecessary _initialize naming - it's confusing to see in JVM tools
  • use SecurityHelper to get a X.509 certificate factory
    we'll now prefer BC's X.509 factory over the built-in (Sun provider) one

0.9.7

28 Jul 07:56
  • put in some more ossl to jsse mappings for SSL/TLS
    (SSL_DHE_xxx, TLS_ECDH_xxx, TLS_ECDHE_xxx)
  • exclude SSLv2 in reported METHODS (all fine to close jruby/jruby#1874)
  • support passing ssl_version as an argument to initialize SSLContext.new ...
  • now that we've matched w MRI's SSLContext::METHODS don't report custom ones
  • more ssl_version= compatibility fixes that match MRI (jruby/jruby#1736)
  • support setting ssl_version = "TLSv1_1" (or "TLSv1_2") just like MRI
  • [regression] make sure version is set when reading encoded certificate
    • signature algorithm should be read as well when decoding certificate (#39)
  • better accept handshake errors instead of "General SSLEngine problem" (#37)
  • trying to decode DER application specific objects (based on patch from #36)
  • we've not been compatible with MRI's DES (EDE) - partly due to DES(3) ECB
    fixing jruby/jruby#2617 as well as jruby/jruby#931
  • exclude reporting algorithms with CFB-1 cipher mode as supported (due to #35)
  • do not change CFB1 to CFB ... it's something different (although broken on BC)
  • attempt to deal with update/final buffering incompatibility with MRI
  • fix HMAC digest incorrect when data contains invalid characters (#33)
  • add Gemfile and specify ruby-maven as dependency
  • use SafePropertyAccessor to access properties instead of directly (#28)
  • make sure SSLSocket's cipher and hostname are nil by default (avoids NPE)
  • update to (packed) BC version 1.50 + start declaring 1.51 as semi-supported

0.9.6

28 Jul 07:55
  • ClassCastException still happen deep within BC - turn them into SignatureException
  • make sure empty object can be serialized via to_pem
  • use the classname as message in case the exception has no message (jruby/jruby#2249)
  • make sure X509Object list is synchronized properly
  • use JRubyFile to get input-stream to file-resource fixes #11
  • Cache the discovered classes for digest engines. Fixes #15.
  • avoid the rest of Ruby.getGlobalRuntime usages - only worked in 1 runtime envs
  • refactored CRL - using light-weight BC API (avoids deprecated X.509 generator)
  • implement X509::Certificate#to_text for happiness (the MRI-way - only RSA for now)
  • allow to "fake" our inspect() support and match MRI's X509::Certificate#inspect
  • decode BC's ASN1Enumerated into an OpenSSL::ASN1::Enumerated
  • we can (ASN.1) encode an infinite-length bit-string constructive
  • turns out all ASN1 primitives in MRI have the infinite_length attribute
  • support (so-far only dummy) @servername_cb attribute on SSLSocket
  • handle (CRL) extension's issuerAltName wrapping without an exception
  • fix SSL (cert) verification - now working on 1.8/1.9 better than before
  • do not skip first 2 bytes of key identifier hash when encoding to hex!
  • match X.509 extension short-comings of the Java API in order to align with MRI
  • improve cert.extension's value - extendedKeyUsage was not returned correctly
  • make sure ASN1::ObjectId.new(...).ln and ASN1::ObjectId.new(...).sn are correct!
  • better working to_der conversion esp. with constructives (indefinite lengths)
  • improve our ASN1 decoding for better MRI compatibility
  • avoiding Krypt gem dependency completely (was used for OpenSSL::PKCS5)
  • cleanup OpenSSL::Digest internals - make sure block_length works for more
  • OpenSSL deprecated_warning_flag and check_func API compatibility stubs
  • do not force loading of jar-dependencies + possibly respect jars skipped
  • X509::Name.to_a compatibility - MRI seems to never return "UNDEF"
    experimental support for passing down "real" Java JCE cipher names
  • rewritten Cipher internals - now faster, slimmer and more compatible than ever!
  • rebuilt our global ASN1Registry and refactored it (back) internally to use string oids
  • report OpenSSL::VERSION 1.1.0 since 1.9.3
  • fill RaiseException's cause whenever we use a factory passing down a Throwable
  • allow X509::Revoked.serial= to receive an integer
  • make sure X509::CRL's to_text representation is (fully) MRI compatible
  • handle authority key-id unwrapping correctly in X509::Extension#value
  • long time coming - OpenSSL::X509::CRL support for loading revoked entries (#5)
  • Reflect Java cacert location in DEFAULT_CERT_* constants (jruby/jruby#1953)
  • X509::Certificate.new MRI compatibility + make sure inspect works the same
  • BN.inspect() and make sure BN.new(0) works just fine (both as in MRI)
  • X509::CRL instantiation compatibility with MRI
  • inspect() X509::Certificate and X509::CRL just like MRI does
  • handle OpenSSL::X509::Store.add error messages correctly (fix based on #6)
  • update to using BC 1.49 by default (still compatible with older versions)
  • implement X509::StoreContext#current_crl method
  • support X509::StoreContext cleanup and error_depth instance methods
  • support disabling of warnings using system property -Djruby.openssl.warn
  • Throw error when chain certs are not OpenSSL::X509::Certificate (#3)
  • avoid using JRuby IO APIs (will likely not work in 9k)
  • make 'jopenssl/load' also work on jruby-1.6.8 mode 1.9

0.9.5

28 Jul 07:55

MASSIVE internal "rewrite" to avoid depending on a registered (BC) security
provider. This release restores compatibility with BC version 1.47 while being
compatible with newer bouncy-castle jars as well (1.48, 1.49 and 1.50).

  • handle SSLErrorWaitReadable/Writable as SSLErrors on Ruby 1.8 and 1.9 mode
  • Treat SSL NOT_HANDSHAKING as FINISHED
  • only add DER.TRUE when encoding X.509 extension when non-critical
  • do not der encode non-critical flag in X509::Extension (jruby/jruby#389)
  • SSLContext internals + support SSLContext::METHODS correctly (jruby/jruby#1596)
  • correct visibility of initialize* and respond_to_missing? methods
  • fix spinning indefinitely on partial TLS record (jruby/jruby#1280)
  • Support file input for PKey::RSA.new
  • fix bug jruby/jruby#1156
  • openssl: add handling for base 0 to new and to_s