
This Ruby code is supposed to connect to a secure channel:

require 'net/http'   # also loads openssl

connection = Net::HTTP.new "localhost", 8081
connection.use_ssl = true
connection.ssl_version = :TLSv1_2
# ... (path, data and the header hash h are set up here)
connection.post path, data, h

I am having the following error:

usr/local/rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

The client does have support for TLSv1.2, it seems:

ruby -ropenssl -e 'puts OpenSSL::SSL::SSLContext::METHODS' | grep 1_2
TLSv1_2
TLSv1_2_server
TLSv1_2_client

Also, the server has support for TLSv1.2:

openssl s_client -connect localhost:8081 | grep Protocol
Protocol  : TLSv1.2

Why is Net::HTTP trying to connect using state=SSLv3?

ribamar
  • I don't know the answer to your question, but that isn't the cause of the error. RVM has [this](https://rvm.io/support/fixing-broken-ssl-certificates) about broken certificates – j-dexx Jun 30 '16 at 12:15
  • `state=SSLv3` is not reporting what you think; ignore it. It's related to the underlying state machine, and it does not indicate the negotiated TLS version. Here's something else, but it's not precisely accurate: [What is the significance of the version field in a TLS 1.1+ ClientHello message](http://security.stackexchange.com/q/29314). It's not accurate because there is **no** *{min|max}* TLS version. Related, see [SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed](http://stackoverflow.com/q/4528101/608639) on Stack Overflow. – jww Jun 30 '16 at 12:37
  • `connection.verify_mode = OpenSSL::SSL::VERIFY_NONE` and I managed to connect to the server that only supports TLS => you're right @jww. @dexx, it wasn't that (I did try it), but maybe helpful for other people – ribamar Jun 30 '16 at 13:33
  • @ribamar - you should be able to test with `openssl s_client -connect : -tls1_2 -servername `. Or, use an [SSL Scanner](http://github.com/rbsec/sslscan) to see what the server supports. For `localhost` and `OpenSSL::SSL::VERIFY_NONE`, you should create a certificate with the proper names. For that, see [How to create a self-signed certificate with openssl?](http://stackoverflow.com/a/27931596/608639). – jww Jun 30 '16 at 13:39
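The point made in the comments (the `state=` text is not the negotiated version, and "certificate verify failed" is a trust problem) can be reproduced locally. The following is an added example, not code from the question or the comments: it spins up a loopback TLS server with a constructed self-signed certificate for `localhost`, then connects twice with `VERIFY_PEER` kept on, once with an empty trust store (which fails exactly as in the question) and once with the certificate pinned in the store (which succeeds), reporting the protocol the socket actually negotiated rather than resorting to `VERIFY_NONE`. The port, certificate and hostname are all assumptions of the demo.

```ruby
require 'openssl'
require 'socket'

# Self-signed CA:TRUE cert for +cn+ (constructed for this demo, not a real CA).
def make_self_signed(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Loopback TLS server on a random port; completes (or aborts) each handshake and
# closes the connection. Returns the port number.
def start_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tcp = TCPServer.new('127.0.0.1', 0)
  srv = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  # A client that rejects our cert makes accept raise; keep serving regardless.
  Thread.new { loop { begin; srv.accept.close; rescue StandardError; end } }
  tcp.addr[1]
end

# Client probe: VERIFY_PEER stays on, the hostname is checked, TLS >= 1.2 is
# enforced, and only +trusted+ (a cert or nil) is in the trust store.
# Returns [:ok, negotiated_protocol] or [:error, openssl_error_message].
def tls_probe(port, trusted)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trusted) if trusted }
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  sock.hostname = 'localhost'      # name checked against the cert's SAN
  sock.sync_close = true
  sock.connect
  [:ok, sock.ssl_version]          # e.g. "TLSv1.2": this, not "state=", is the version
rescue OpenSSL::SSL::SSLError => e
  [:error, e.message]              # contains "certificate verify failed" when untrusted
ensure
  sock&.close
end
```

Pinning a self-signed certificate this way is the `localhost` development fix; against a real service the store should hold the issuing CA instead.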

0 Answers