JewelRuby

... bytes and babes of JRuby

The Dude JRuby-OpenSSL Release

JRuby-OpenSSL 0.9.8 is dedicated to "The Dude" as '98 was the year!

JRuby-OpenSSL has taken another step toward C OpenSSL compatibility for JRuby.

  • no more uninitialized constant OpenSSL::SSL::Session
    (although session support is limited by what Java APIs allow us)
  • PKCS5.pbkdf2_hmac_sha1 works with an empty salt/key + is a little faster
  • OpenSSL::HMAC.hexdigest accepts an empty key (Java APIs don’t)
  • .rb parts have been updated to align with Ruby 2.2 (for JRuby 9000)
  • improved “incomplete” X.509 certificates parsing (the MRI-way)

Regarding certificate parsing, JRuby-OpenSSL used to rely on whatever the security provider offers. Since then, we have been trying to do more of the work using Bouncy-Castle directly and only touch the provider for things the library cannot handle.

While generating X.509 certificate objects (e.g. when using libraries such as ActiveMerchant that set Net::HTTP#ca_path= for https:// endpoints), both the Sun provider (present in OracleJDK) and BC exhibit some contention.
This means that while certificate parsing seems fast in a simple test, concurrent threads doing the same operation might cause a slow-down. An experimental feature to cache certificates on lookup has been included - try it with -J-Djruby.openssl.x509.lookup.cache=true and report any discrepancy or improvement in the numbers.

Also, there’s always a little bit of security in the end. For TLS we’ve disabled the DHE algorithm on Java 7, while on Java 8 we’re forcing it to have a key size of 2048. This is not a long-term solution, but it is needed due to compatibility. We recommend that you try disabling DHE with -J-Djdk.tls.disabledAlgorithms="SSLv3, DHE" and switch to ECDHE (elliptic curves) instead.
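To check the DHE recommendation above from the Ruby side, the following added example (not code from JRuby-OpenSSL or the original post) restricts an `OpenSSL::SSL::SSLContext` to ECDHE suites and audits what the context would still offer. The cipher string and the helper names `key_exchange`, `audit_ciphers` and `ecdhe_only_context` are assumptions chosen for illustration; the string uses standard OpenSSL cipher-list keywords.

```ruby
require "openssl"

# Assumed cipher string (not from the post): ECDHE with AES-GCM only.
# "!kEDH" explicitly drops finite-field ephemeral DH, "!aNULL" drops anonymous suites.
ECDHE_ONLY = "ECDHE+AESGCM:!kEDH:!aNULL"

# Classify an OpenSSL-style cipher suite name by its key exchange.
def key_exchange(name)
  case name
  when /\ATLS_/           then :tls13 # TLS 1.3 names carry no key exchange
  when /\AECDHE-/         then :ecdhe
  when /\A(DHE|EDH|ADH)-/ then :dhe   # finite-field ephemeral DH, incl. anonymous
  else                         :other # static RSA, PSK, ...
  end
end

# Group the suites a context would offer by key exchange type.
def audit_ciphers(ctx)
  report = { ecdhe: [], dhe: [], tls13: [], other: [] }
  ctx.ciphers.each { |name, *_| report[key_exchange(name)] << name }
  report
end

# Build a client context without SSLv3 and without DHE suites,
# mirroring the "SSLv3, DHE" value of jdk.tls.disabledAlgorithms.
def ecdhe_only_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = ctx.options.to_i | OpenSSL::SSL::OP_NO_SSLv3
  ctx.ciphers = ECDHE_ONLY
  ctx
end

if __FILE__ == $PROGRAM_NAME
  before = audit_ciphers(OpenSSL::SSL::SSLContext.new)
  after  = audit_ciphers(ecdhe_only_context)
  puts "default context:  #{before[:dhe].size} DHE, #{before[:ecdhe].size} ECDHE suites"
  puts "hardened context: #{after[:dhe].size} DHE, #{after[:ecdhe].size} ECDHE suites"
  after[:ecdhe].each { |name| puts "  offers #{name}" }
end
```

The JVM-level property still applies to every TLS connection in the process; the per-context cipher list only narrows what a given Ruby client offers.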