Issues with the BouncyCastle provider -------------------------------------
Key: JRUBY-4535 URL: http://jira.codehaus.org/browse/JRUBY-4535 Project: JRuby Issue Type: Bug Components: OpenSSL Affects Versions: JRuby-OpenSSL 0.6 Reporter: Giedrius Noreikis Hi, we are running Redmine (it's implemented in Ruby) on a Glassfish V3 AS (of course, using the JRuby container). The jruby-openssl gem has to be installed as well, in order for the IMAP email receiving to function (actually, we are not using SSL, but I couldn't find an option to disable this requirement). All the time we were facing strange issues with the BouncyCastle provider. We have several applications deployed on the Glassfish which use the BC provider. Sometimes, the BC just disappears (judging from the logs, despite the BC is configured statically), and the appropriate application crashes. Further analysis (I was hunting this bug for a few days) showed that the root of the problem lies in the org.jruby.ext.openssl.OpenSSLReal.getWithBCProvider(). The design of this method is based on the following logic. It installs the BC provider, then executes the specified action, and then removes the BC provider (i.e. installs it just "temporarily"). This can work in a stand-alone application, but never on an AS. Imagine the BC was already installed - either statically, or by another application running on the same AS. The first addProvider() effectively does nothing. However, the removeProvider() does remove the BC - from the entire AS, of course. If the AS is running with a security manager enabled, the insert or removal of a security provider may be prevented, leading to the runtime exceptions however. Having several years of experience with Java and JCE/JCA, I believe it's impossible to remove a JCE provider safely once it is installed. Any other application may start using it immediately, once the provider is installed, and the consequences of the removal "in the middle of the action" are always hard to predict. To fix this bug, at least, a check should be performed to determine if the BC is already installed. If it is installed, it should be assigned to the "public static java.security.Provider PROVIDER", and then never ever get removed by the getWithBCProvider(). -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email