On 1/05/09 23:22, Brice Figureau wrote:
> On 1/05/09 20:22, Nigel Kersten wrote:
>> On Fri, May 1, 2009 at 11:18 AM, Brice Figureau
>> <[email protected]> wrote:
>>> On 1/05/09 14:59, Luke Kanies wrote:
>>>> On May 1, 2009, at 12:57 PM, Brice Figureau wrote:
>>>>
>>>>> On 30/04/09 23:16, Nigel Kersten wrote:
>>>>>> So I seem to have followed Brice down a path here as I got to exactly
>>>>>> the same point he did:
>>>>>>
>>>>>> http://jira.codehaus.org/browse/JRUBY-3349
>>>>>>
>>>>>> Just wondering if anyone has gotten any further with this?
>>>>> I'm surprised by how the JRuby devs never got interested in this bug.
>>>>> Last time I checked, nobody had even read the report.
>>>> I concur. I've pinged Charles Nutter on Twitter, but I can't imagine
>>>> it will do much.
>>> Wooh, you seem to have real power :-)
>>> The bug appears to be fixed in the latest jruby HEAD.
>>> Now I can perform some puppet tests...
>>
>> haha.
>>
>> /me races brice on jruby testing.
>
[snip]
> But now, I'm encountering the following error:
> null:-1:in `setSerialNumber': java.lang.IllegalArgumentException: serial
> number must be a positive integer
>   from X509Cert.java:284:in `set_serial'
>   from X509Cert.java:155:in `initialize'
>   from org/jruby/ext/openssl/X509Cert$i_method_0_1$RUBYFRAMEDINVOKER$initialize.gen:-1:in `call'
>   from DynamicMethod.java:168:in `call'
>   from CachingCallSite.java:288:in `cacheAndCall'
>   from CachingCallSite.java:126:in `callBlock'
>   from CachingCallSite.java:131:in `call'
>   from RubyClass.java:615:in `call'
> ...

Looking at the jruby-openssl code (in fact the Bouncy Castle code), I see
that they forbid certs with a serial number equal to 0.
That's unfortunate because the CA cert of _all_ puppet installations has 0
as its serial number.
Note that the RFC[1] just mentions a positive integer, which interpreted
literally forbids 0 as a possible value, but I know openssl doesn't mind.

Even if we fix all the other issues (and most of them will come from
jruby-openssl/bouncy castle, going by my last tests), we'll still encounter
this issue, for which I don't clearly see a solution for old installations.

So basically we have four solutions:
 * set our default starting serial number to 1 (this will solve new installs).
 * let the Bouncy Castle people accept a patch which accepts 0 as a valid value.
 * lie to ruby, pretending our CA serial number (or any other), when it is 0,
   is something else.
 * don't care, and use regular ruby :-)

Any ideas?

[1]: http://tools.ietf.org/html/rfc5280#section-4.1.2.2
--
Brice Figureau
My blog: http://www.masterzen.fr/

You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
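The following is an added example, written for this archive page and not code from the thread, from Puppet or from jruby-openssl. It shows the interoperability point the message is about: MRI's OpenSSL bindings will happily mint and re-parse a CA certificate whose serial number is 0, while RFC 5280 section 4.1.2.2 requires a positive integer, which is what a strict implementation such as Bouncy Castle enforces. The helper names (build_ca_cert, rfc5280_serial_ok?, serial_zero?), the subject name and the inline-generated key are all constructed for the example; an operator auditing an old installation would point serial_zero? at their real CA PEM instead.

```ruby
require 'openssl'

# Build a self-signed CA certificate with the requested serial number using
# MRI's OpenSSL bindings. The subject name is constructed for this example;
# the key is generated inline so the script runs stand-alone.
def build_ca_cert(serial, key = OpenSSL::PKey::RSA.new(2048))
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                          # X.509 v3
  cert.serial = serial                      # OpenSSL does not reject 0 here
  cert.subject = OpenSSL::X509::Name.parse('/CN=Example Puppet CA')
  cert.issuer = cert.subject                # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))

  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# RFC 5280 section 4.1.2.2: serialNumber MUST be a positive integer.
# True when a strict implementation (Bouncy Castle, per the thread) would
# accept this certificate's serial; false for 0 or a negative value.
def rfc5280_serial_ok?(cert)
  cert.serial.to_i > 0
end

# Audit helper for existing installations: does this PEM-encoded CA cert
# carry the serial-0 condition described in the message above?
def serial_zero?(pem)
  OpenSSL::X509::Certificate.new(pem).serial.to_i == 0
end

# Pick the next serial for a new issuance such that 0 is never used, even
# on a fresh CA with no certificates issued yet (the "start at 1" option).
def next_serial(issued_serials)
  [issued_serials.map(&:to_i).max || 0, 0].max + 1
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  legacy = build_ca_cert(0, key)            # what an old installation looks like
  puts "legacy CA serial: #{legacy.serial}, RFC 5280 ok? #{rfc5280_serial_ok?(legacy)}"
  puts "serial_zero? on re-parsed PEM: #{serial_zero?(legacy.to_pem)}"
  fresh = build_ca_cert(next_serial([]), key)
  puts "fresh CA serial: #{fresh.serial}, RFC 5280 ok? #{rfc5280_serial_ok?(fresh)}"
end
```

The round trip through to_pem and Certificate.new is the part worth noting: OpenSSL encodes and decodes the zero serial without complaint, so nothing on the MRI side ever flags the certificate, and the first rejection only surfaces when a stricter ASN.1 consumer loads it.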
