0

I'm trying to make an API request in a Ruby app, on MacOSX.

When I try something like this:

RestClient.get("https://api.foursquare.com/v2/venues/explore?near=NYC&query=McDonalds")

I get this (same when it's http):

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
from /Users/sasha/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `connect'

(If I try (open("https://...")), I get this:

OpenURI::HTTPError: 400 Bad Request
from /Users/sasha/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/open-uri.rb:353:in `open_http'

I took a look at some SO discussions about this, and in particular this one led me to believe it was an issue with my OpenSSL not finding the right cert.pem file. I'm using Homebrew, and my Homebrew OpenSSL is installed in /usr/local/bin. The original Mac version of OpenSSL is at /usr/bin, I think.

I followed the suggestions to set a global ENV variable SSL_CERT_FILE to the path to my cert.pem file as installed by Homebrew - /usr/local/etc/openssl/cert.pem, - and when I echo that variable, it is set correctly, but when I re-open a Ruby console and try again, I get the same error. Thoughts on what I'm doing wrong? I don't know much about OpenSSL, and I'm totally flummoxed by this one, given that it seems to be finding my certificate correctly.

EDIT

When I run which openssl, it shows the Mac version -- /usr/bin/openssl. This makes sense, given Homebrew's install notes:

A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /usr/local/etc/openssl/certs

and run
  /usr/local/opt/openssl/bin/c_rehash

This formula is keg-only, which means it was not symlinked into /usr/local.

Mac OS X already provides this software and installing another version in
parallel can cause all kinds of trouble.

The OpenSSL provided by OS X is too old for some software.

Generally there are no consequences of this for you. If you build your
own software and it requires this formula, you'll need to add to your
build variables:

    LDFLAGS:  -L/usr/local/opt/openssl/lib
    CPPFLAGS: -I/usr/local/opt/openssl/include

Is that the problem? I'm including the wrong cert.pem file given my version of OpenSSL?

Community
  • 1
  • 1
Sasha
  • 6,224
  • 10
  • 55
  • 102

1 Answers1

1

state=SSLv3 read server hello A: sslv3 alert handshake failure

That is usually not a problem of a bad or missing certificate, but that the server does not like what the client sends, like unsupported SSL version or no appropriate ciphers offered by the client. I get this error with this host if I try to connect with SSL3.0 instead of TLS1.0 or higher, so please make sure that you don't use SSL3.0 anymore.

If this does not help make a packet capture of the traffic and post it to cloudshark.org so that one can have a look about the traffic details.

Steffen Ullrich
  • 114,247
  • 10
  • 131
  • 172
  • Thanks! I don't really know much about SSL. How do I check whether I'm using SSL3.0 or TLS1.0+? My OpenSSL installed by Homebrew is up to date? Any suggested tools for making a packet capture of traffic? – Sasha Oct 18 '14 at 20:21
  • For traffic capture use wireshark or tcpdump. Which SSL version you are using depends on your openssl version you have and any settings you did to restrict the version. – Steffen Ullrich Oct 19 '14 at 07:18