This ruby code is supposed to connect to a secure channel:
connection = Net::HTTP.new "localhost", 8081
connection.use_ssl = true
connection.ssl_version = :TLSv1_2
# ...
connection.post path, data, h
I am having the following error:
usr/local/rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
Client does have support for TLSv1.2, it looks:
ruby -ropenssl -e 'puts OpenSSL::SSL::SSLContext::METHODS' | grep 1_2
TLSv1_2
TLSv1_2_server
TLSv1_2_client
Also the server has support to TLSv1.2
openssl s_client -connect localhost:8081 | grep Protocol
Protocol : TLSv1.2
Why is Net::HTTP trying to connect using state state=SSLv3?
Related
I'm receiving the following SSL error on my rake rspec unit tests when I try to connect to the vault on my docker container using HTTPS:
OpenSSL::SSL::SSLError:
SSL_connect returned=1 errno=0 state=error: wrong version number
We're using docker to load a local instance of a hashicorp vault
Here's the command I run to generate the TLS Certificates
RUN openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -subj "$SUBJ" -out /vault/certificates/tls/vault.crt \
-keyout /vault/certificates/tls/vault.key
When I log into the docker container and run openssl version I get:
/ # openssl version
OpenSSL 1.1.1k 25 Mar 2021
When I try to connect to the docker container from my local prompt, I get:
$ openssl s_client -connect 'localhost:8200'
CONNECTED(000001F0)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1620224762
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
26612:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:827:
When I run this command in my local irb I get:
irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
=> {:min_version=>769, :verify_mode=>1, :verify_hostname=>true, :options=>2147614804}
irb(main):003:0>
This is my vault configurations:
listener "tcp" {
address = "[::]:8200"
cluster_address = "[::]:8201"
tls_cert_file = "/vault/certificates/tls/vault.crt"
tls_key_file = "/vault/certificates/tls/vault.key"
}
Also, i noticed in the docker logs we have two listeners now:
Listener 1: tcp (addr: "0.0.0.0:1234", cluster address: "0.0.0.0:1235", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Listener 2: tcp (addr: "[::]:8200", cluster address: "[::]:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
And my docker vault server startup command is:
vault server -config=/vault/config -dev-root-token-id=myroot -dev-listen-address=0.0.0.0:1234 -dev &
And i noticed in the logs its still seeing an http connection...
Error writing data to pki/root/generate/internal: Put https://127.0.0.1:1234/v1/pki/root/generate/internal: http: server gave HTTP response to HTTPS client
Error writing data to pki/config/urls: Put https://127.0.0.1:1234/v1/pki/config/urls: http: server gave HTTP response to HTTPS client
Error writing data to pki/roles/localhost: Put https://127.0.0.1:1234/v1/pki/roles/localhost: http: server gave HTTP response to HTTPS client
Error writing data to pki/issue/localhost: Put https://127.0.0.1:1234/v1/pki/issue/localhost: http: server gave HTTP response to HTTPS client
I'm kind of lost right now on how to handle this.
I'm implementing a dtls-srtp handshake from client (openssl with VS C++), but it failed. The message flow on wireshark turned out like this:
Client Hello
Server Hello, Certificate (Fragment), Certificate (Fragment), Certificate (Fragment), Certificate (Reassembled), Certificate Request, Server Hello Done
Certificate (Fragment), Certificate (Fragment), Certificate (Fragment), Certificate (Reassembled), Client Key Exchange, Certificate Verify (Fragment)
Server Hello, Certificate[Reassembly error, protocol DTLS: New fragment overlaps old data (retransmission?)]
Client Hello
Server Hello, Certificate[Reassembly error, protocol DTLS: New fragment overlaps old data (retransmission?)]
Client Hello, Certificate[Reassembly error, protocol DTLS: New fragment overlaps old data (retransmission?)]
Server Hello, Certificate[Reassembly error, protocol DTLS: New fragment overlaps old data (retransmission?)]
Certificate Verify (Reassembled), Change Cipher Spec, Certificate[Reassembly error, protocol DTLS: New fragment overlaps old data (retransmission?)]
Alert (Level: Fatal, Description: Decrypt Error)
Does anyone has any idea what's going on here? Is it the problem of certificate/key, or did I miss any SSL option / parameter?
I tried to change the mtu value but it didn't work.
Modified: logs from client
*SSL_CB_HANDSHAKE_START unknown: before/connect initialization
SSL_CB_LOOP SSL_connect: before/connect initialization
SSL_CB_LOOP SSL_connect: SSLv3 write client hello A
SSL_CB_EXIT SSL_connect: SSLv3 read server hello A
SSL_CB_EXIT SSL_connect: SSLv3 read server hello A
-> connect err=-1 errRet=SSL_ERROR_WANT_READ
SSL_CB_LOOP SSL_connect: SSLv3 read server hello A
SSL_CB_LOOP SSL_connect: SSLv3 read server certificate A
SSL_CB_LOOP SSL_connect: SSLv3 read server certificate request A
SSL_CB_LOOP SSL_connect: SSLv3 read server done A
SSL_CB_LOOP SSL_connect: SSLv3 write client certificate A
SSL_CB_LOOP SSL_connect: SSLv3 write client key exchange A
SSL_CB_LOOP SSL_connect: SSLv3 write certificate verify A
SSL_CB_EXIT SSL_connect: error
-> connect err=-1 errRet=SSL_ERROR_SYSCALL*
I know there are lots of discussion regarding this error but sorry to say that I'm unable to find any working solution over there.
I'm developing a ecommerce site using ShareTribe.I'm trying to implement Paypal as payment gateway.So I'm using Activemerchant.
Everything works fine on development machine but when I deploy my rails app to production It throws
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)
I'm initializing my Activemerchant as
config.after_initialize do
ActiveMerchant::Billing::Base.mode = :test
paypal_options = {
login: "bla bla",
password: "bla bla",
signature: "bla bla",
appid: "APP-80W284485P519543T"
}
::EXPRESS_GATEWAY = ActiveMerchant::Billing::PaypalExpressGateway.new(paypal_options)
end
Added HTTPS and Disabled SSLV3
After lots of googling I found that
SSLv3 was proven to be insecure with the POODLE vulnerability. You
should make sure that your system has the latest version of OpenSSL so
that you can use TLSv1.2.
So I disabled SSLV3 as shown below
openssl s_client -connect kickmarket.eu:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...........................................
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2038 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4D23F4A942AAD4264BE96EB5F1E62204269D882A64ACFBD2D139CD2F10A449A0
Session-ID-ctx:
Master-Key: 1E381DAA3BA90FE3609606716E7E9A2EB2E2F671E9F3C4005D8EBAE009103A7AB771FB2AC8B45F169F43CBD0AD352E06
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
..................................
Start Time: 1446132175
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
But after restarting nginx I got the same problem.Is there Any way to fix this issue.
Any suggestion will be appreciated.
This is most likely due to the upgrade to SHA256 certification. Please review the following documentation:
https://devblog.paypal.com/paypal-ssl-certificate-changes/
The primary cause for this is the rvm installed ruby does look into the wrong directory for certificates whereas the OSX-ruby will look into the correct one.
What you wanna do is NOT TO USE any of the precompiled rubies and rather have ruby compiled on your local machine, like so:
rvm install 2.2.0 --disable-binary
You can read detailed explanation https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
I've been trying to install RVM all day and I've been hung up this entire time by curl, which refuses to connect to https://github.com.
Here is my current error: curl: (35) error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm
Here is the log output when I use the verbose flag:
* About to connect() to github.com port 443 (#0)
* Trying 192.30.252.130...
* Adding handle: conn: 0x100805400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x100805400) send_pipe: 1, recv_pipe: 0
* Connected to github.com (192.30.252.130) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /System/Library/OpenSSL/certs/cacert.pem
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm
* Closing connection 0
I'm on a 2011 MacBook Pro running Mavericks (10.9.2). Brew says that my curl and my openssl are up to-date.
Originally, curl was telling me that github didn't have the proper SSL certificate, but I managed to finally get around that with this command: export CURL_CA_BUNDLE="/System/Library/OpenSSL/certs/cacert.pem"
Any help would be greatly appreciated!
I had the same error; I tried the "-k" option and it worked.
I figured it out. Turns out, my environment wasn't using the system curl, it was using Anaconda's version of curl, which was outdated and not linked to OSX's keychain. I simply used conda
remove curl to get rid of it and everything seems to be working fine now.
i am writing a ruby script to send email using 'mail' gem.
and my smtp settings on my local machine:
mailer_options:
address: smtp.gmail.com
port: 587
domain: gmail.com
user_name: example#gmail.com
password: example_password
authentication: :login
enable_starttls_auto: true
ssl: true
when i try to send the email with the above smtp settings i get the following exception:---
/opt/rbenv/versions/2.0.0-p247/lib/ruby/2.0.0/net/smtp.rb:585:in 'connect': SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol (OpenSSL::SSL::SSLError)
i tried installing ssl certificate by command
openssl s_client -connect gmail.com:443
but it does not help, thanks for any comments and answer.
Port 587 starts out plain text, and then "upgrades" to ssl via starttls if you want smtp from the start to use ssl, then you need to use port 465.
so either of these should fix your issue.
Remove enable_starttls_auto and set the port to 465
or
Remove ssl: true and rely on starttls to upgrade your connection to ssl