Reputation: 1308
Rails 4 uses an encrypted cookie session store by default. When the app tries to encrypt a cookie, the following error is raised:
OpenSSL::Cipher::CipherError: Illegal key size: possibly you need to install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JRE
(stacktrace: https://gist.github.com/8ba56b18060ae30e4d44).
As mentioned here, this can be worked around by downgrading cryptography or installing JCE - the first being something I don't really want to do and the latter being impossible (afaik) on Heroku.
Upvotes: 22
Views: 4863
Reputation: 1514
Not sure if it will work on Heroku, but this resolves the issue on my local JRuby.
Create config/initializers/unlimited_strength_cryptography.rb:
if RUBY_PLATFORM == 'java' # Allows the application to work with other Rubies if not JRuby
  require 'java'
  java_import 'java.lang.ClassNotFoundException'

  begin
    # Look up the JVM-internal JCE policy class and clear its
    # private static isRestricted flag via reflection
    security_class = java.lang.Class.for_name('javax.crypto.JceSecurity')
    restricted_field = security_class.get_declared_field('isRestricted')
    restricted_field.accessible = true
    restricted_field.set nil, false
  rescue ClassNotFoundException => e
    # Handle Mac Java, etc not having this configuration setting
    $stderr.print "Java told me: #{e}\n"
  end
end
Upvotes: 18
Reputation: 6222
Using Leons' approach, this solved my issue in production, but broke dev without the rescue.
# config/initializers/unrestricted_crypto.rb
begin # Enable 'restricted' cipher libraries on crippled systems
  prop = Java::JavaxCrypto::JceSecurity.get_declared_field 'isRestricted'
  prop.accessible = true
  prop.set nil, false
rescue NameError
  # Java::JavaxCrypto::JceSecurity could not be resolved; leave crypto settings untouched
end
It's because different javas have different flavas... ...I'll let myself out.
Upvotes: 1
Reputation: 10616
The Heroku Dev Center now has this article: "Customizing the JDK".
There are some cases where files need to be bundled with the JDK in order to expose functionality in the runtime JVM. For example, the inclusion of unlimited strength Java Cryptography Extensions (JCE) is often added to a JDK in order to utilize stronger cryptographic libraries. To handle such cases, Heroku will copy files designated by the app in a .jdk-overlay folder into the JDK’s directory structure.
Here's how to add JCE files to your app:
In your application’s root directory, create a .jdk-overlay folder
Copy the JCE local_policy.jar and US_export_policy.jar into .jdk-overlay/jre/lib/security/
Commit the files
$ git add .jdk-overlay
$ git commit -m "Custom JCE files"
Deploy to Heroku
$ git push heroku master
Upvotes: 3
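A boot-time check that either workaround in this thread (the reflection initializer or the .jdk-overlay policy files) actually took effect, written as an added example that is not part of any answer above. The module and method names are hypothetical, and AES-256-CBC is assumed as the cipher because it is the default of ActiveSupport::MessageEncryptor in Rails 4.

```ruby
require 'openssl'

# Added example, not code from the thread. Module and method names are
# hypothetical; it could live in config/initializers/ after the workaround.
module JcePolicyProbe
  # Assumption: AES-256-CBC, the default cipher of
  # ActiveSupport::MessageEncryptor behind Rails 4 encrypted cookies.
  CIPHER = 'aes-256-cbc'
  SAMPLE = 'constructed sample, not a real session'

  # Encrypts and decrypts SAMPLE with a throwaway random key.
  # Returns [:ok, nil] on success or [:cipher_error, message] when the
  # runtime refuses the operation (e.g. "Illegal key size").
  def self.round_trip(cipher_name = CIPHER)
    enc = OpenSSL::Cipher.new(cipher_name).encrypt
    key = enc.random_key
    iv = enc.random_iv
    ciphertext = enc.update(SAMPLE) + enc.final

    dec = OpenSSL::Cipher.new(cipher_name).decrypt
    dec.key = key
    dec.iv = iv
    plaintext = dec.update(ciphertext) + dec.final
    plaintext == SAMPLE ? [:ok, nil] : [:mismatch, 'plaintext differs']
  rescue OpenSSL::Cipher::CipherError => e
    [:cipher_error, e.message]
  end

  # Maximum AES key length the JCE policy allows, in bits (JRuby only).
  # Returns nil on other Rubies, where no JCE policy applies.
  def self.jce_max_aes_bits
    return nil unless RUBY_PLATFORM == 'java'
    require 'java'
    Java::JavaxCrypto::Cipher.get_max_allowed_key_length('AES')
  end

  # Fails boot loudly instead of failing on the first cookie write.
  def self.verify!
    status, detail = round_trip
    return status if status == :ok
    raise "#{CIPHER} probe failed: #{detail} " \
          "(JCE max AES key bits: #{jce_max_aes_bits.inspect})"
  end
end

JcePolicyProbe.verify!
```

On a JVM still running the restricted policy, the raised message reports a maximum AES key length of 128 bits; with the unlimited policy in place, `Cipher.getMaxAllowedKeyLength` returns `Integer.MAX_VALUE`.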