
RubyGems.org patched for Poodle SSLv3 (CVE-2014-3566) breaks Windows gem commands #241

Closed
ferventcoder opened this issue Oct 16, 2014 · 14 comments

Comments

@ferventcoder

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

Ruby 1.9.3

  • ruby 1.9.3p545 (2014-02-24) [i386-mingw32]
  • gem version 2.0.14
PS C:\Users\rob> gem install facter --debug
Exception `Errno::EEXIST' at C:/ruby193/lib/ruby/1.9.1/fileutils.rb:247 - File exists - C:/Users/rob/.gem/specs/rubygems.org%443
Exception `OpenSSL::SSL::SSLError' at C:/ruby193/lib/ruby/1.9.1/net/http.rb:800 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `OpenSSL::SSL::SSLError' at C:/ruby193/lib/ruby/1.9.1/net/http.rb:807 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `Gem::RemoteFetcher::FetchError' at C:/ruby193/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:420 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)
Exception `Gem::RemoteFetcher::FetchError' at C:/ruby193/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:283 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)
Exception `Gem::SpecificGemNotFoundException' at C:/ruby193/lib/ruby/site_ruby/1.9.1/rubygems/dependency_installer.rb:308 - Could not find a valid gem 'facter' (>= 0) locally or in a repository
ERROR:  Could not find a valid gem 'facter' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)
Exception `Errno::EEXIST' at C:/ruby193/lib/ruby/1.9.1/fileutils.rb:247 - File exists - C:/Users/rob/.gem/specs/rubygems.org%443
Exception `OpenSSL::SSL::SSLError' at C:/ruby193/lib/ruby/1.9.1/net/http.rb:800 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `OpenSSL::SSL::SSLError' at C:/ruby193/lib/ruby/1.9.1/net/http.rb:807 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `Gem::RemoteFetcher::FetchError' at C:/ruby193/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:420 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/prerelease_specs.4.8.gz)
Exception `Gem::RemoteFetcher::FetchError' at C:/ruby193/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:283 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/prerelease_specs.4.8.gz)
Exception `Errno::EEXIST' at C:/ruby193/lib/ruby/1.9.1/fileutils.rb:247 - File exists - C:/Users/rob/.gem/specs/rubygems.org%443
Exception `OpenSSL::SSL::SSLError' at C:/ruby193/lib/ruby/1.9.1/net/http.rb:800 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `OpenSSL::SSL::SSLError' at C:/ruby193/lib/ruby/1.9.1/net/http.rb:807 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `Gem::RemoteFetcher::FetchError' at C:/ruby193/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:420 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/specs.4.8.gz)
Exception `Gem::RemoteFetcher::FetchError' at C:/ruby193/lib/ruby/site_ruby/1.9.1/rubygems/remote_fetcher.rb:283 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/specs.4.8.gz)

Ruby 2.0.0

  • ruby 2.0.0p481 (2014-05-08) [x64-mingw32]
  • 2.0.14
C:\Users\rob>gem install facter --debug
Exception `NameError' at C:/ruby200/lib/ruby/2.0.0/fiddle/import.rb:153 - uninitialized constant Fiddle::Function::STDCALL
Exception `Errno::EEXIST' at C:/ruby200/lib/ruby/2.0.0/fileutils.rb:245 - File exists - C:/Users/rob/.gem/specs/rubygems.org%443
Exception `OpenSSL::SSL::SSLError' at C:/ruby200/lib/ruby/2.0.0/net/http.rb:918 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `OpenSSL::SSL::SSLError' at C:/ruby200/lib/ruby/2.0.0/net/http.rb:926 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `Gem::RemoteFetcher::FetchError' at C:/ruby200/lib/ruby/2.0.0/rubygems/remote_fetcher.rb:420 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)
Exception `Gem::RemoteFetcher::FetchError' at C:/ruby200/lib/ruby/2.0.0/rubygems/remote_fetcher.rb:283 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)
Exception `Gem::SpecificGemNotFoundException' at C:/ruby200/lib/ruby/2.0.0/rubygems/dependency_installer.rb:308 - Could not find a valid gem 'facter' (>= 0) locally or in a repository
ERROR:  Could not find a valid gem 'facter' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)
Exception `Errno::EEXIST' at C:/ruby200/lib/ruby/2.0.0/fileutils.rb:245 - File exists - C:/Users/rob/.gem/specs/rubygems.org%443
Exception `OpenSSL::SSL::SSLError' at C:/ruby200/lib/ruby/2.0.0/net/http.rb:918 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `OpenSSL::SSL::SSLError' at C:/ruby200/lib/ruby/2.0.0/net/http.rb:926 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `Gem::RemoteFetcher::FetchError' at C:/ruby200/lib/ruby/2.0.0/rubygems/remote_fetcher.rb:420 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/prerelease_specs.4.8.gz)
Exception `Gem::RemoteFetcher::FetchError' at C:/ruby200/lib/ruby/2.0.0/rubygems/remote_fetcher.rb:283 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/prerelease_specs.4.8.gz)
Exception `Errno::EEXIST' at C:/ruby200/lib/ruby/2.0.0/fileutils.rb:245 - File exists - C:/Users/rob/.gem/specs/rubygems.org%443
Exception `OpenSSL::SSL::SSLError' at C:/ruby200/lib/ruby/2.0.0/net/http.rb:918 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `OpenSSL::SSL::SSLError' at C:/ruby200/lib/ruby/2.0.0/net/http.rb:926 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `Gem::RemoteFetcher::FetchError' at C:/ruby200/lib/ruby/2.0.0/rubygems/remote_fetcher.rb:420 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/specs.4.8.gz)
Exception `Gem::RemoteFetcher::FetchError' at C:/ruby200/lib/ruby/2.0.0/rubygems/remote_fetcher.rb:283 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/specs.4.8.gz)

Ruby 2.1.3

  • ruby 2.1.3p242 (2014-09-19 revision 47630) [x64-mingw32]
  • gem version 2.2.2
c:\tools\ruby213\bin>gem install facter --debug
Exception `NameError' at c:/tools/ruby213/lib/ruby/2.1.0/fiddle/import.rb:153 - uninitialized constant Fiddle::Function::STDCALL
Exception `Win32::Registry::Error' at c:/tools/ruby213/lib/ruby/2.1.0/win32/registry.rb:238 - The system cannot find the file specified.
Exception `Win32::Registry::Error' at c:/tools/ruby213/lib/ruby/2.1.0/win32/registry.rb:238 - The system cannot find the file specified.
Exception `Win32::Registry::Error' at c:/tools/ruby213/lib/ruby/2.1.0/win32/registry.rb:238 - The system cannot find the file specified.
Exception `Win32::Registry::Error' at c:/tools/ruby213/lib/ruby/2.1.0/win32/registry.rb:238 - The system cannot find the file specified.
Exception `Win32::Registry::Error' at c:/tools/ruby213/lib/ruby/2.1.0/win32/registry.rb:238 - The system cannot find the file specified.
Exception `Win32::Registry::Error' at c:/tools/ruby213/lib/ruby/2.1.0/win32/registry.rb:238 - The system cannot find the file specified.
Exception `Win32::Registry::Error' at c:/tools/ruby213/lib/ruby/2.1.0/win32/registry.rb:238 - The system cannot find the file specified.
Exception `Win32::Registry::Error' at c:/tools/ruby213/lib/ruby/2.1.0/win32/registry.rb:238 - The system cannot find the file specified.
Exception `Win32::Registry::Error' at c:/tools/ruby213/lib/ruby/2.1.0/win32/registry.rb:238 - The system cannot find the file specified.
Exception `Win32::Registry::Error' at c:/tools/ruby213/lib/ruby/2.1.0/win32/registry.rb:238 - No more data is available.
Exception `Errno::EEXIST' at c:/tools/ruby213/lib/ruby/2.1.0/fileutils.rb:250 - File exists @ dir_s_mkdir - C:/Users/rob/.gem/specs/api.rubygems.org%443
Exception `Errno::ENOENT' at c:/tools/ruby213/lib/ruby/2.1.0/rubygems/remote_fetcher.rb:294 - No such file or directory @ rb_file_s_stat - C:/Users/rob/.gem/specs/api.rubygems.org%443/latest_specs.4.8
Exception `OpenSSL::SSL::SSLError' at c:/tools/ruby213/lib/ruby/2.1.0/net/http.rb:920 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `OpenSSL::SSL::SSLError' at c:/tools/ruby213/lib/ruby/2.1.0/net/http.rb:928 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `Gem::RemoteFetcher::FetchError' at c:/tools/ruby213/lib/ruby/2.1.0/rubygems/request.rb:101 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/latest_specs.4.8.gz)
Exception `Gem::RemoteFetcher::FetchError' at c:/tools/ruby213/lib/ruby/2.1.0/rubygems/remote_fetcher.rb:278 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/latest_specs.4.8.gz)
Exception `Gem::RemoteFetcher::FetchError' at c:/tools/ruby213/lib/ruby/2.1.0/rubygems/spec_fetcher.rb:268 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/latest_specs.4.8.gz)
Exception `Gem::SpecificGemNotFoundException' at c:/tools/ruby213/lib/ruby/2.1.0/rubygems/dependency_installer.rb:297 - Could not find a valid gem 'facter' (>= 0) locally or in a repository
ERROR:  Could not find a valid gem 'facter' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/latest_specs.4.8.gz)
Exception `Errno::EEXIST' at c:/tools/ruby213/lib/ruby/2.1.0/fileutils.rb:250 - File exists @ dir_s_mkdir - C:/Users/rob/.gem/specs/api.rubygems.org%443
Exception `OpenSSL::SSL::SSLError' at c:/tools/ruby213/lib/ruby/2.1.0/net/http.rb:920 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `OpenSSL::SSL::SSLError' at c:/tools/ruby213/lib/ruby/2.1.0/net/http.rb:928 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `Gem::RemoteFetcher::FetchError' at c:/tools/ruby213/lib/ruby/2.1.0/rubygems/request.rb:101 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/prerelease_specs.4.8.gz)
Exception `Gem::RemoteFetcher::FetchError' at c:/tools/ruby213/lib/ruby/2.1.0/rubygems/remote_fetcher.rb:278 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/prerelease_specs.4.8.gz)
Exception `Errno::EEXIST' at c:/tools/ruby213/lib/ruby/2.1.0/fileutils.rb:250 - File exists @ dir_s_mkdir - C:/Users/rob/.gem/specs/api.rubygems.org%443
Exception `OpenSSL::SSL::SSLError' at c:/tools/ruby213/lib/ruby/2.1.0/net/http.rb:920 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `OpenSSL::SSL::SSLError' at c:/tools/ruby213/lib/ruby/2.1.0/net/http.rb:928 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Exception `Gem::RemoteFetcher::FetchError' at c:/tools/ruby213/lib/ruby/2.1.0/rubygems/request.rb:101 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
Exception `Gem::RemoteFetcher::FetchError' at c:/tools/ruby213/lib/ruby/2.1.0/rubygems/remote_fetcher.rb:278 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
Exception `Gem::RemoteFetcher::FetchError' at c:/tools/ruby213/lib/ruby/2.1.0/rubygems/spec_fetcher.rb:268 - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
@luislavena
Member

@ferventcoder is this a local patch? A new release of RubyGems?

I don't fully understand what RubyInstaller has to do with this; if it is a RubyGems or Ruby issue, it needs to be reported to them.

Can you clarify?

Thank you.

@ferventcoder
Author

@luislavena giving you a heads up. Not sure of what/where yet, but I think rubygems.org just patched their servers.

@ferventcoder ferventcoder changed the title RubyGems patched for Poodle SSLv3 (CVE-2014-3566) breaks Windows gem commands RubyGems.org patched for Poodle SSLv3 (CVE-2014-3566) breaks Windows gem commands Oct 16, 2014
@ferventcoder
Author

Does the workaround suggested here work? #209 (comment)

@luislavena
Member

@ferventcoder then this needs to be reported to RubyGems, not RubyInstaller (we don't alter or modify Ruby or RubyGems beyond packaging, as described in #39).

@ferventcoder
Author

@luislavena right on, I was looking for verification on this. I will follow up with Nick et al.

@ferventcoder
Author

I can confirm the workaround works

adding this to your ~/.gemrc file:

:sources:
 - http://rubygems.org

@ferventcoder
Author

Closing to report to right repo.

@MikaelSmith

Are there any plans to update RubyInstaller to incorporate the changes to gems? Right now RubyInstaller ships a non-working gem version.

@joshcooper

with the error:

C:\>ruby --version
ruby 2.1.5p273 (2014-11-13 revision 48405) [i386-mingw32]
C:\>gem install bundler
ERROR:  Could not find a valid gem 'bundler' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/latest_specs.4.8.gz)

@luislavena
Member

@MikaelSmith @joshcooper as mentioned above, this issue has nothing to do with RubyInstaller.

Please take a look at the following guide to manually patch the trust certs in your installation of RubyGems:

https://gist.github.com/luislavena/f064211759ee0f806c88

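The two remedies in this thread differ sharply in what they do to the gem download channel: the plain-http ~/.gemrc entry posted earlier makes the SSL error disappear by skipping TLS (and therefore verification) altogether, while the gist above repairs the trust store so verification can succeed. The following is an added example, not code from this thread or from RubyInstaller/RubyGems, that audits a .gemrc for plain-http sources, rewrites them to https, and reports where this Ruby's OpenSSL expects its CA bundle; the sample .gemrc is constructed from the workaround quoted in the thread.

```ruby
require 'yaml'
require 'uri'
require 'openssl'

# Constructed sample ~/.gemrc: the http workaround from this thread plus the
# default https source.
SAMPLE_GEMRC = <<~YAML
  :sources:
   - http://rubygems.org
   - https://rubygems.org/
YAML

# Parse a .gemrc body and return its configured sources as strings.
# RubyGems writes the key as the symbol :sources, so Symbol must be permitted.
def gem_sources(gemrc_text)
  config = YAML.safe_load(gemrc_text, permitted_classes: [Symbol]) || {}
  Array(config[:sources] || config['sources']).map(&:to_s)
end

# Sources fetched over plaintext HTTP. These "fix" the certificate error only
# because nothing is verified at all: the gem index and every downloaded .gem
# arrive unauthenticated and can be altered on the wire.
def insecure_gem_sources(gemrc_text)
  gem_sources(gemrc_text).select { |s| URI.parse(s).scheme == 'http' }
end

# Rewrite every http:// source to https:// and return the corrected YAML,
# keeping whatever other keys the .gemrc contains.
def hardened_gemrc(gemrc_text)
  config = YAML.safe_load(gemrc_text, permitted_classes: [Symbol]) || {}
  key = config.key?(:sources) ? :sources : 'sources'
  config[key] = Array(config[key]).map { |s| s.to_s.sub(%r{\Ahttp://}, 'https://') }.uniq
  config.to_yaml
end

# Where this Ruby's OpenSSL looks for CA certificates. When the bundle is
# missing or stale, "certificate verify failed" is the expected outcome, and
# the remedy is to install current trust certs, not to drop TLS.
def ca_bundle_status
  file = OpenSSL::X509::DEFAULT_CERT_FILE
  dir  = OpenSSL::X509::DEFAULT_CERT_DIR
  {
    openssl_version: OpenSSL::OPENSSL_VERSION,
    cert_file: file, cert_file_present: File.file?(file),
    cert_dir: dir, cert_dir_present: File.directory?(dir)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "Plain-http sources: #{insecure_gem_sources(SAMPLE_GEMRC).inspect}"
  puts hardened_gemrc(SAMPLE_GEMRC)
  p ca_bundle_status
end
```

To audit a real installation, pass `File.read(File.expand_path('~/.gemrc'))` in place of `SAMPLE_GEMRC`; `gem sources` and `gem update --system` are the supported ways to apply the result.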
@MikaelSmith

How is the version of Rubygems that appears in the installer determined? It seems to ship with version 2.2.2; including version 2.4.4 would fix that, and I assumed choosing the version is part of building RubyInstaller.

@MikaelSmith

My mistake, it looks like ruby itself vendors rubygems at 2.2.2. So I guess this will be addressed in a future Ruby version.

@luislavena
Member

@MikaelSmith

Answers to your previous post and new questions:

> Yes, I'm aware; my point was that RubyInstaller is still shipping a version of RubyGems that doesn't contain that fix. Are there plans to fix that? Fixes would be: ship RubyGems 2.4.4 instead of 2.2.2, or include the workaround you mentioned in the RubyInstaller.

RubyInstaller versions are in sync with Ruby versions: if a new version of Ruby goes out, a new version of RubyInstaller will go out.

We don't patch or alter Ruby or the provided components.

Please see CONTRIBUTING

We release individual versions like updates to OpenSSL, zlib and such that can be freely updated after the installation. On each of those releases we bump versions in RubyInstaller so next releases ship that without manual installation.

> Since you ship a version of RubyGems, I'm not sure why shipping a version that works has nothing to do with RubyInstaller.

This issue is about POODLE, which had nothing to do with RubyInstaller.

RubyGems ships with Ruby, and RubyInstaller ships Ruby, but we don't modify the version of RubyGems on releases.

And we don't perform releases of RubyInstaller simply because RubyGems needs patching (unless of course there is a Ruby release).

Please note that it takes a considerable amount of effort to perform a new release of RubyInstaller, not to mention going and patching every single problem out there to make things work.

> It seems to ship with version 2.2.2; including version 2.4.4 would fix that

RubyGems 2.4 is broken on Windows, as reported several times to RubyGems and on the RubyInstaller mailing list (and here).

Until that is fixed I cannot recommend upgrading to RubyGems 2.4.

I personally don't have the time to go and fix those issues, but I will be able to provide assistance and guidance to those willing to take the challenge.

Hope this makes it clearer, and while I understand your concerns, this approach to handling releases will not be changed.

We dealt in the past with patches and such and the stress around that was too high.

Not only do I have to deal with work, life and other things, but also with personal accusations in my inbox (not your case) caused by RubyGems, false positives from virus reports, or weird gems not working.

https://groups.google.com/d/topic/rubyinstaller/VoV0bOqMV4M/discussion

I've been doing this for the past 7 years, and patching gems for Windows compatibility for almost 9 years.

If someone believes they can do it better, please step up and get this fixed so everybody benefits.

I for sure will love to take a break when the Ruby team releases versions on 25th December and I have to cook new releases every year after Xmas.

@MikaelSmith

Thanks, and sorry for the tone. It's an irritating issue, and it took me a little bit to understand how packaging is being done.
