13

I've followed many posts regarding this issue and none of them helped. I'm trying to connect using the simplest irb commands:

require 'open-uri'
open('https://aristo4stu3.bgu.ac.il')

The weird thing is that for any other https uri I tried, it worked fine (i.e. https://google.com).

For debugging purposes, I even tried to disable SSL verification using:

OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

which didn't seem to help either.

My setup is (on AWS):

$ rvm -v
rvm 1.21.3 (stable) by Wayne E. Seguin <wayneeseguin@gmail.com>, Michal Papis <mpapis@gmail.com> [https://rvm.io/]

$ ruby -v
ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-linux]

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 13.04
Release:    13.04
Codename:   raring

Complete log:

2.0.0-p247 :001 > require 'open-uri'
 => true 
2.0.0-p247 :002 > open('https://aristo4stu3.bgu.ac.il')
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: (null)
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in `start'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:313:in `open_http'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:708:in `buffer_open'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:210:in `block in open_loop'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:208:in `catch'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:208:in `open_loop'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:149:in `open_uri'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:688:in `open'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:34:in `open'
    from (irb):2
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/bin/irb:16:in `<main>'
Rizon
  • What are the logs on your server saying? – vgoff Jun 28 '13 at 17:29
  • @vgoff, what do you mean? It happens locally, with irb. – Rizon Jun 28 '13 at 18:04
  • You are running the open-uri, locally, that is true, but it is connecting to a server that is not giving your Ruby ssl client what it is looking for. See @rhashimoto with his insights. – vgoff Jun 28 '13 at 19:23
  • oh, but unfortunately I don't have access to the server. And yes, @rhashimoto has a good point. – Rizon Jun 28 '13 at 19:25
  • In that case, it implies there are administrators for that server, I would ask them the questions regarding connecting via ssl, certificate versions required, etc. – vgoff Jun 28 '13 at 19:26

4 Answers

19

The problem appears to be that your target site, aristo4stu3.bgu.ac.il, is picky about SSL/TLS handshaking. I got two different results with the following OpenSSL command with different versions of OpenSSL:

openssl s_client -connect aristo4stu3.bgu.ac.il:443

This does connect with the stock OpenSSL 0.9.8x on OS X 10.7.5. However, it does not connect using OpenSSL 1.0.1e - in that case the server just closes the connection (by sending a Close Notify alert) immediately after receiving the Client Hello.

I captured packets with Wireshark, and the difference between what these two versions send is that 0.9.8x is sending an SSLv2 Client Hello advertising support through TLS 1.0, while 1.0.1e is sending a TLSv1 Client Hello advertising support through TLS 1.2.

If I tell 1.0.1e not to use TLS:

openssl s_client -connect aristo4stu3.bgu.ac.il:443 -no_tls1

This connects successfully with an SSLv3 Client Hello advertising support through SSL 3.0.

Incidentally, my local ruby does make a successful connection with open-uri to your site:

$ irb
>> require 'open-uri'
=> true
>> open('https://aristo4stu3.bgu.ac.il')
=> #<StringIO:0x10271fa90>
>> require 'openssl'
=> false
>> OpenSSL::OPENSSL_VERSION
=> "OpenSSL 0.9.8r 8 Feb 2011"
>>

So the indicated approaches seem to be:

  1. Upgrade the server to handle more Client Hello variants, or
  2. Install a ruby that uses an older OpenSSL library, or
  3. Change your program to send a different Client Hello.

It does not appear that the open-uri module has an option to set the SSL/TLS version used to communicate. If you can't modify the server you may need to use a different module or library to establish the connection, or perhaps find a way to patch the openssl module so it uses a different Client Hello.

rhashimoto
  • I think option 3 is the most elegant to go with (the server isn't under my control and downgrading Ruby should be the last resort). Actually, I don't really use open-uri in my code, but Excon. Does Excon offer the option to set a Client Hello? In case not, does RestClient have it? – Rizon Jun 28 '13 at 19:18
  • I don't know about these specific libraries. I did find a closely related question, though, that has some suggestions: http://stackoverflow.com/questions/6821051/ruby-ssl-error-sslv3-alert-unexpected-message. – rhashimoto Jun 28 '13 at 19:38
  • @Rizon When I visit your target site with Chrome, as one of the comments suggests, I get the same response when I click on the lock icon: `The connection had to be retried using an older version of the TLS or SSL protocol. This typically means that the server is using very old software and may have other security issues.` This supports the finding that you need to use a library (or write your own) that will do that retry or use the older protocol to begin with. – rhashimoto Jun 28 '13 at 20:39
  • yeah I guess you're right. BTW, running the code on Heroku and it works fine! I guess they're running the older version of openssl... – Rizon Jun 28 '13 at 21:47
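The Wireshark finding in the accepted answer comes down to three Client Hello shapes: the SSLv2-compatible hello that OpenSSL 0.9.8 sends, an SSLv3 record, and a TLSv1 record whose client_version advertises TLS 1.2. The following parser, added here as an example and not taken from the answer or from any library, tells those shapes apart from the first bytes of a captured connection and flags hellos that cannot reach TLS 1.2. The sample hellos it builds are constructed for the demo, not captured from the site in the question, and the parser only reads the legacy version fields (it ignores the TLS 1.3 supported_versions extension).

```ruby
# Added example: classify a captured SSL/TLS Client Hello by its wire shape and
# the highest protocol version it advertises. Sample packets are constructed.

VERSION_NAMES = {
  0x0002 => 'SSL 2.0', 0x0300 => 'SSL 3.0', 0x0301 => 'TLS 1.0',
  0x0302 => 'TLS 1.1', 0x0303 => 'TLS 1.2', 0x0304 => 'TLS 1.3'
}.freeze

# Record-layer labels as Wireshark prints them (keyed by record version).
RECORD_LABELS = { 0x0300 => 'SSLv3', 0x0301 => 'TLSv1',
                  0x0302 => 'TLSv1.1', 0x0303 => 'TLSv1.2' }.freeze

def version_name(code)
  VERSION_NAMES.fetch(code) { format('unknown (0x%04x)', code) }
end

# Returns a hash describing the hello, or raises ArgumentError for anything
# that is not a ClientHello in one of the two encodings.
def parse_client_hello(raw)
  b = raw.bytes
  raise ArgumentError, 'truncated record' if b.size < 11

  if (b[0] & 0x80) != 0
    # SSLv2-compatible hello: 2-byte length with the high bit set,
    # MSG-CLIENT-HELLO (0x01), then the highest version the client supports.
    raise ArgumentError, 'not an SSLv2 Client Hello' unless b[2] == 0x01
    code = (b[3] << 8) | b[4]
    cipher_bytes = (b[5] << 8) | b[6]
    { format: 'SSLv2 Client Hello', record_version: nil,
      advertised: version_name(code), advertised_code: code,
      cipher_count: cipher_bytes / 3 }            # SSLv2 cipher specs are 3 bytes each
  elsif b[0] == 0x16
    # SSLv3/TLS record: type 0x16 (handshake), record version, length, then a
    # ClientHello whose client_version is the highest version offered.
    raise ArgumentError, 'truncated ClientHello' if b.size < 46
    record = (b[1] << 8) | b[2]
    raise ArgumentError, 'handshake is not a ClientHello' unless b[5] == 0x01
    code = (b[9] << 8) | b[10]
    cs_off = 44 + b[43]                          # skip 32-byte random and session id
    raise ArgumentError, 'truncated ClientHello' if b.size < cs_off + 2
    cipher_bytes = (b[cs_off] << 8) | b[cs_off + 1]
    { format: "#{RECORD_LABELS.fetch(record, 'TLS')} Client Hello",
      record_version: version_name(record),
      advertised: version_name(code), advertised_code: code,
      cipher_count: cipher_bytes / 2 }            # TLS cipher suites are 2 bytes each
  else
    raise ArgumentError, format('unexpected first byte 0x%02x', b[0])
  end
end

# True when the client could never negotiate TLS 1.2 with this hello.
def pre_tls12?(info)
  info[:format] == 'SSLv2 Client Hello' || info[:advertised_code] < 0x0303
end

# --- constructed sample packets (not real captures) -----------------------

def sslv2_client_hello(max_version, cipher_specs)
  body = [0x01, max_version, cipher_specs.size * 3, 0, 16].pack('Cnnnn')
  cipher_specs.each { |spec| body << [spec].pack('N').byteslice(1, 3) }
  body << ("\x00" * 16).b                        # challenge, all zero for the demo
  [0x8000 | body.bytesize].pack('n') + body
end

def tls_client_hello(record_version, client_version, cipher_suites)
  hello = [client_version].pack('n')
  hello << ("\x00" * 32).b                       # client random, zero for the demo
  hello << [0].pack('C')                         # empty session id
  hello << [cipher_suites.size * 2].pack('n') << cipher_suites.pack('n*')
  hello << [1, 0].pack('CC')                     # one compression method: null
  handshake = [0x01].pack('C') + [hello.bytesize].pack('N').byteslice(1, 3) + hello
  [0x16, record_version, handshake.bytesize].pack('Cnn') + handshake
end

if $PROGRAM_NAME == __FILE__
  [sslv2_client_hello(0x0301, [0x010080]),            # what OpenSSL 0.9.8 sends
   tls_client_hello(0x0301, 0x0303, [0xc02f, 0x002f]), # what OpenSSL 1.0.1 sends
   tls_client_hello(0x0300, 0x0300, [0x002f])].each do |pkt|   # -no_tls1 result
    info = parse_client_hello(pkt)
    puts "#{info[:format]} advertising #{info[:advertised]} (pre-TLS1.2: #{pre_tls12?(info)})"
  end
end
```

Feed it the first TCP payload of a connection (for example the bytes Wireshark shows under the first record) and the output matches the labels in the answer: the 0.9.8 hello is an SSLv2 Client Hello advertising TLS 1.0, while the 1.0.1e hello is a TLSv1 Client Hello advertising TLS 1.2. Only the latter is something a current client should be sending, so a server that drops it is the side that needs fixing.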
4

I found a good writeup of the problem & solution here: http://blog.55minutes.com/2012/05/tls-error-with-ruby-client-and-tomcat-server/

TL;DR code snippet that resolves the problem:

require 'net/http'
host = 'aristo4stu3.bgu.ac.il'
port = 443
http = Net::HTTP.new(host, port)
http.use_ssl = true
http.ssl_version = :SSLv3   # pin the handshake to the SSLv3 Client Hello this answer describes
http.start { |conn| puts conn.get('/').code }
Hopsoft
  • just to put it out there - this solution is not production-safe, SSLv3 has well-known security holes. – Nuriel May 13 '15 at 08:51
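Pinning `ssl_version = :SSLv3` forces every connection onto a broken protocol, and reassigning `VERIFY_PEER` (as tried in the question) drops certificate checking entirely. Added here as an example, not code from this answer or from the 55minutes writeup, is the narrower form: keep `VERIFY_PEER`, cap only the offered version, and do the step-down retry that rhashimoto's Chrome comment on the accepted answer describes. It assumes Ruby 2.5+ with the openssl gem 2.1+ (for `Net::HTTP#max_version=`); the host names are placeholders and the injectable `probe` lambda is a testing seam of this example, not a Net::HTTP feature.

```ruby
# Added example: version-capped Net::HTTP client with verification kept on,
# plus a newest-first fallback over protocol versions. Not from the answer.
require 'net/http'
require 'openssl'

# Versions to offer, most secure first. SSLv3 is deliberately absent; the
# answer's :SSLv3 pin is the weak setting this replaces.
FALLBACK_ORDER = %i[TLS1_2 TLS1_1 TLS1].freeze

# Real probe: open the connection and issue a HEAD. A rejected hello surfaces
# as an exception that first_working_version treats as "try the next version".
DEFAULT_PROBE = ->(http) { http.start { |conn| conn.head('/') } }

# Build a client that caps the offered protocol version (option 3 in the
# accepted answer) while keeping certificate verification on.
def build_client(host, port = 443, max_version: :TLS1_2)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER   # never VERIFY_NONE
  http.max_version = max_version                 # Ruby >= 2.5 / openssl gem >= 2.1 (assumed)
  http
end

# Offer the newest version first and step down only when the server rejects
# the hello. Returns the first version that completed a request, or nil.
# `probe` is an injection point so the logic can be exercised without a network.
def first_working_version(host, port = 443, versions: FALLBACK_ORDER, probe: DEFAULT_PROBE)
  versions.each do |ver|
    begin
      probe.call(build_client(host, port, max_version: ver))
      return ver
    rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET => e
      warn "#{host}: max_version=#{ver} rejected (#{e.class})"   # worth logging: legacy server
    end
  end
  nil
end

if $PROGRAM_NAME == __FILE__
  # Placeholder host; with a real name this performs live handshakes.
  puts first_working_version('legacy-server.example').inspect
end
```

The version that finally works is worth recording: a server that only accepts a TLS 1.0 hello is the "very old software" case from the Chrome message, and the narrowed cap should be scoped to that one host rather than applied process-wide.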
4

If you're on Mac and it's an OSX certificate issue (which was the case for me), you can fix it by running:

rvm osx-ssl-certs update all

See https://rvm.io/support/fixing-broken-ssl-certificates

pcv
3

I received the same message and it simply turned out I had http.use_ssl = true set on a non-SSL connection.

user1756254