On May 2, 2009, at 4:42 PM, Brice Figureau wrote:
>
> On 1/05/09 23:22, Brice Figureau wrote:
>> On 1/05/09 20:22, Nigel Kersten wrote:
>>> On Fri, May 1, 2009 at 11:18 AM, Brice Figureau
>>> <[email protected]> wrote:
>>>> On 1/05/09 14:59, Luke Kanies wrote:
>>>>> On May 1, 2009, at 12:57 PM, Brice Figureau wrote:
>>>>>
>>>>>> On 30/04/09 23:16, Nigel Kersten wrote:
>>>>>>> So I seem to have followed Brice down a path here as I got to
>>>>>>> exactly
>>>>>>> the same point he did:
>>>>>>>
>>>>>>> http://jira.codehaus.org/browse/JRUBY-3349
>>>>>>>
>>>>>>> Just wondering if anyone has gotten any further with this?
>>>>>> I'm surprised by how JRuby devs never got interested by this bug.
>>>>>> Last time I checked, nobody has even read the report.
>>>>> I concur. I've pinged Charles Nutter on Twitter, but I can't
>>>>> imagine
>>>>> it will do much.
>>>> Wooh, you seem to have real power :-)
>>>> The bug appears to be fixed in the latest jruby HEAD.
>>>> Now I can perform some puppet tests...
>>>
>>> haha.
>>>
>>> /me races brice on jruby testing.
>>
>
> [snip]
>
>> But now, I'm encountering the following error:
>> null:-1:in `setSerialNumber': java.lang.IllegalArgumentException: serial number must be a positive integer
>> from X509Cert.java:284:in `set_serial'
>> from X509Cert.java:155:in `initialize'
>> from org/jruby/ext/openssl/X509Cert$i_method_0_1$RUBYFRAMEDINVOKER$initialize.gen:-1:in `call'
>> from DynamicMethod.java:168:in `call'
>> from CachingCallSite.java:288:in `cacheAndCall'
>> from CachingCallSite.java:126:in `callBlock'
>> from CachingCallSite.java:131:in `call'
>> from RubyClass.java:615:in `call'
>> ...
>
> Looking at the jruby-openssl code (in fact the Bouncy Castle code), I
> see that they forbid certs with a serial number equal to 0.
> That's unfortunate because the CA cert of _all_ puppet installations
> has 0 as serial number.
>
> Note that the RFC[1] just mentions a positive integer, which,
> interpreted literally, forbids 0 as a possible value, but I know
> openssl doesn't mind.
>
> Even if we fix all the other issues (and most of them will come from
> jruby-openssl/bouncy castle from my last tests), we'll still encounter
> this issue for which I don't clearly see a solution for old
> installations.
>
> So basically we have four solutions:
> * set our default starting serial number to 1 (this will solve new
> installs).
This gets my vote. Trivial, and apparently follows the spec.
>
> * let Bouncy Castle people accept a patch which accepts 0 as a valid
> value.
>
> * lie to ruby, pretending our CA serial number (or any other) when 0
> to be something else.
>
> * don't care, and use regular ruby :-)
Well, I think there are some real wins for using JRuby if we can do
it, so I'd like to be able to.
--
The most dangerous strategy is to jump a chasm in two leaps.
-- Benjamin Disraeli
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
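As an added example (not code from this thread or from Puppet itself), the Ruby script below builds a self-signed CA certificate with MRI's OpenSSL binding, checks its serial against the RFC 5280 "positive integer, at most 20 octets" constraint discussed above, and shows the first proposed fix, a serial counter whose first value is 1 rather than 0. The subject name, lifetime and counter file path are assumptions made for the example.

```ruby
require 'openssl'
require 'tmpdir'

# Build a self-signed CA certificate carrying the given serial number.
# The subject name and one-hour lifetime are constructed for this example.
def build_ca_cert(serial, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3
  cert.serial = serial                  # MRI's OpenSSL binding accepts 0 here
  cert.subject = OpenSSL::X509::Name.parse('/CN=Example Puppet CA')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# RFC 5280 4.1.2.2: serialNumber MUST be a positive integer and conforming CAs
# MUST NOT use values longer than 20 DER octets. Returns findings (empty = OK).
def serial_findings(cert)
  findings = []
  serial = cert.serial                  # an OpenSSL::BN
  if serial.to_i <= 0
    findings << "serial #{serial} is not positive; strict parsers such as Bouncy Castle reject it"
  end
  # 160 bits or more would need a leading sign byte, i.e. 21+ DER octets.
  findings << 'serial needs more than 20 DER octets' if serial.num_bits > 159
  findings
end

# The first proposed fix: a CA counter file whose first issued serial is 1, not 0.
def next_serial(counter_path)
  current = File.exist?(counter_path) ? File.read(counter_path).to_i : 0
  serial = [current, 0].max + 1
  File.write(counter_path, serial.to_s)
  serial
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  [0, 1].each do |s|
    puts "serial #{s}: #{serial_findings(build_ca_cert(s, key)).inspect}"
  end
  path = File.join(Dir.tmpdir, "puppet-ca-serial-#{Process.pid}")
  puts "next serials: #{next_serial(path)}, #{next_serial(path)}"
  File.delete(path)
end
```

Running the script shows MRI happily emitting and re-parsing a serial-0 certificate while the check flags it, which is exactly the certificate a strict Bouncy Castle-based stack refuses.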