I am trying to use a webservice with ruby, but it seems to be an issue with it's SSL configuration and ruby 2:
>> require "open-uri"
=> true
>> open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort") {|f| p f.content_type }
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
I've tried with curl and openssl and it works:
curl https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort
openssl s_client -connect w390w.gipuzkoa.net:443
it also works with ruby 1.9:
irb(main):001:0> require "open-uri"
=> true
irb(main):003:0> open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort") {|f| p f.content_type }
"text/html"
with ruby 2, I've tried using TLS, without success
>> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ssl_version] = :TLSv1
=> :TLSv1
>> open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort") {|f| p f.content_type }
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure
>> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ssl_version] = :TLSv1_2
=> :TLSv1_2
>> open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort") {|f| p f.content_type }
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: wrong version number
checking server SSL configuration on https://www.ssllabs.com/ssltest/analyze.html?d=w390w.gipuzkoa.net it returns this error: "Assessment failed: Unexpected failure", since I can access several similar webservices with ruby 2, I guess they have something miss-configured.
any ideas how can I access this webservice with ruby 2?
That is quite a poor configuration for a server. Comodo's SSL Analyzer appears to be more lenient and shows the four supported cipher suites.
Also, the server supports TLSv1.0.
Now, I cannot find a resource online that indicates if these cipher suites were disabled by default in Ruby 2, but here's something you can try:
Enable the best of the ciphers using OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] = "DES-CBC3-SHA"
Cipher name obtained from OpenSSL ciphers.
Attempting to connect now should display this error as the site's CA isn't trusted:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3
read server certificate B: certificate verify failed
You can add this CA using ssl_ca_cert or bypass verification (not recommended) using ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE. E.g.,
open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort", {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE}) {|f| p f.content_type }
You can also give Net::HTTP a shot.
The server supports only very few ciphers, most of the completely insecure (export ciphers, DES-CBC-SHA) and the only at least a bit secure cipher (DES-CBC3-SHA) is considered insecure since Sweet32. Chances are high that because of this insecurity modern TLS stacks in the client will fail with the handshake.
Related
I am writing a simple SSL client for pentester lab bootcamp module 4. I enabled SSL for the virtualhost and enabled the module. The SSL client is written in Ruby and when running the script I get the following error:
Traceback (most recent call last):
6: from 4-http_ssl.rb:8:in <main>
5: from /usr/lib/ruby/2.5.0/net/http.rb:1458:in request
4: from /usr/lib/ruby/2.5.0/net/http.rb:909:in start
3: from /usr/lib/ruby/2.5.0/net/http.rb:920:in do_start
2: from /usr/lib/ruby/2.5.0/net/http.rb:985:in connect
1: from /usr/lib/ruby/2.5.0/net/protocol.rb:44:in ssl_socket_connect
/usr/lib/ruby/2.5.0/net/protocol.rb:44:in connect_nonblock: SSL_connect returned=1 errno=0
state=error: wrong version number (OpenSSL::SSL::SSLError)
Here is my script
require "net/https"
require "uri"
http = Net::HTTP.new("vulnerable", 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
response = http.request(Net::HTTP::Get.new("/"))
response.code
response.body
response.status
Can someone throw me a line here? I've checked the example and the server files but can't find the error. This seems like shouldn't be much trouble. Am I missing some configuration steps?
As pointed out by Steffen Ullrich, I tried to run
openssl> s_client
and got the following output:
Openssl> s_client -connect vulnerable:443
CONNECTED(00000003)
140093579711616:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
error in s_client
What steps should I follow? I understand the server is not accepting SSL connections because of missing CA certificates, how can I fix this I know I can create a custom CA certificate for my ssl client any leads on this? Thanks in advance
I'm writing a small ruby code, trying to connect to a RESTful web service with provided client certificate(pkcs12) from my CentOS machine.
I can use httpie to successfully connect to the web server with the certificate from windows machine. But somehow I can't make it happen on Linux machine.
I tried to put extracted cert.pem to /etc/pki/tls/certs and private key to /etc/pki/tls/private. Or I tried to create new cert store within the code, which doesn't work either, always got the following errors:
/usr/share/ruby/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure (OpenSSL::SSL::SSLError)
=====ruby code======
!/usr/bin/env ruby
require 'net/http'
require 'uri'
require 'openssl'
begin
uri = URI.parse('https://api.test.com/rest/api/exports')
args = {:"Client ID"=>'111111', :"Client secret"=>'11111'}
uri.query = URI.encode_www_form(args)
httpHM = Net::HTTP.new(uri.host, 443)
httpHM.use_ssl = true
httpHM.ssl_version="SSLv3"
#cert_store = OpenSSL::X509::Store.new
#cert_store.add_file 'cert.pem'
#httpHM.cert_store=cert_store
request = Net::HTTP::Get.new(uri.request_uri)
#response = httpHM.request(request)
httpHM.start do |http|
response=http.request(request)
end
puts response.body
end
Thanks for your help!
I use Savon 2 ruby to make soap call.
My call code is :
cert_key_file = <cert_key_file>
cert_key_password = 'xxx'
client = Savon.client do |globals|
globals.log true
globals.wsdl "#{Rails.root}/wsdl/<-wsdl->"
globals.ssl_cert_file cert_key_file
globals.ssl_ca_cert_file cert_key_file
globals.ssl_cert_key_file cert_key_file
globals.ssl_cert_key_password cert_key_password
globals.ssl_verify_mode :none
globals.ssl_version :SSLv3
end
client.call(:function_to_call, message: function_to_call_body(data))
enter code here
the certificate was converted to pem from pfx file .
Using SoapUI with pfx and password the call works .
Using the Rails Application i have this error :
HTTPI::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
Someone can help me?
Thanks
Carlo
Instead of
globals.ssl_version :SSLv3
try globals.ssl_version :TLSv1
Why we are getting this error when trying to make connection with Salesforce rest API through Faraday gem using ROR?
Faraday::Error::ConnectionFailed:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Faraday requires a valid root certificate to establish a connection.
If you're on a Windows machine, install the certificate with these instructions: https://gist.github.com/867550
For Mac, perform the following:
sudo port install curl-ca-bundle
Next, in your Faraday request, include this line immediately above where you actually send your request (e.g. https.request_get('/foo')):
https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt'
This will tell the http object Faraday uses to include the certificate in its request. If your system spits out an error, you may have to adjust the inclusion based on the file's location in your system.
All in all, your request will look something like this:
require 'net/https'
https = Net::HTTP.new('encrypted.google.com', 443)
https.use_ssl = true
https.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt' if File.exists('/opt/local/share/curl/curl-ca-bundle.crt') # Mac OS X
https.request_get('/foo')
How can I get access to the peer_cert when making a SSL request?
I've updated my ruby ssl certs with rvm osx-ssl-certs update all
What I'm trying is
require 'httpclient'
c = HTTPClient.new
r = c.get( "https://gmail.com" )
puts r.peer_cert
But I keep getting either
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
or
OpenSSL::SSL::SSLError: hostname "gmail.com" does not match the server certificate
What does the first error mean? Is there a way to get it to set the property version automatically?
I'm able to load up the data on the URL using HTTParty and Farday, but in that case I don't know here to access the actual SSL cert that was used.
You can't get the peer cert until you succesfully make the connection, and you're getting an error in succesfully making the connection. Have you upgraded to the latest httpclient? Many servers changed their SSL handshake configurations in response to recent vulnerabilties, and a new httpclient was released in response to same, which perhaps is neccesary to be compatible with new server configurations.