The Dude JRuby-OpenSSL Release
28 Jul 2015
JRuby-OpenSSL has taken another step toward C OpenSSL compatibility for JRuby.
- no more uninitialized constant OpenSSL::SSL::Session (although session support is limited by what Java APIs allow us)
- PKCS5.pbkdf2_hmac_sha1 works with an empty salt/key + is a little faster
- OpenSSL::HMAC.hexdigest accepts an empty key (Java APIs don’t)
- .rb parts have been updated to align with Ruby 2.2 (for JRuby 9000)
- improved “incomplete” X.509 certificates parsing (the MRI-way)
Regarding certificate parsing, JRuby-OpenSSL used to rely on whatever the security provider offered. Since then, we’ve been trying to do more work using Bouncy Castle directly and only touch the provider for things the library cannot handle.
While generating X.509 certificate objects (e.g. when using libraries such as ActiveMerchant that set Net::HTTP#ca_path= for https:// endpoints), both the Sun provider (present in OracleJDK) and BC exhibit some contention. This means that while certificate parsing seems fast in a simple test, concurrent threads doing the same operation might cause a slow-down. An experimental feature to cache certificates on lookup has been included - try it with -J-Djruby.openssl.x509.lookup.cache=true and report whether it improves the numbers or causes any discrepancy.
Also, there’s always a little bit of security in the end. For TLS we’ve disabled the DHE algorithm on Java 7, while on Java 8 we’re forcing it to have a key size of 2048. This is not a long-term solution, but it is needed due to compatibility; we recommend that you try disabling DHE and switch to ECDHE (elliptic curves) instead.
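One way to follow that recommendation from application code, as an added example that is not part of JRuby-OpenSSL or the original post: it removes finite-field DHE suites from an SSLContext and puts ECDHE suites first. The helper names and the sample suite list are constructed for illustration, and the name matching assumes OpenSSL-style suite names.

```ruby
require 'openssl'

# Finite-field ephemeral DH suites are named DHE-* (EDH-* on older builds).
# "ECDHE-..." contains "DHE" as a substring, so the match must be anchored.
FFDHE_NAME = /\A(?:DHE|EDH)-/
ECDHE_NAME = /\AECDHE-/

# Constructed sample list, used only to show the filtering behaviour.
CONSTRUCTED_SAMPLE = %w[
  DHE-RSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  AES128-SHA
  EDH-RSA-DES-CBC3-SHA
  ECDHE-ECDSA-AES256-GCM-SHA384
].freeze

# Remove every finite-field DHE suite from a list of suite names.
def drop_ffdhe(names)
  names.reject { |n| n =~ FFDHE_NAME }
end

# Drop DHE, then move ECDHE suites to the front, keeping relative order.
def ecdhe_first(names)
  ecdhe, rest = drop_ffdhe(names).partition { |n| n =~ ECDHE_NAME }
  ecdhe + rest
end

# Build a context whose cipher list offers no DHE-* / EDH-* suite.
def context_without_dhe
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params                      # library defaults, incl. VERIFY_PEER
  names = ctx.ciphers.map(&:first)    # entries are [name, version, bits, alg_bits]
  # TLS 1.3 suite names (TLS_*) are not configured through the cipher list
  # in OpenSSL, so they are left out of the string passed to ciphers=.
  names = names.reject { |n| n.start_with?('TLS_') }
  ctx.ciphers = ecdhe_first(names)
  ctx
end

if __FILE__ == $PROGRAM_NAME
  puts ecdhe_first(CONSTRUCTED_SAMPLE)
  puts context_without_dhe.ciphers.map(&:first).first(5)
end
```

The resulting context can be passed to OpenSSL::SSL::SSLSocket.new, or its cipher list assigned to Net::HTTP#ciphers=.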