OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A

The code below yields the following error: OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A

require 'net/https'
uri = URI.parse("https://<server>.com")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.ssl_version = 'SSLv3'
http.get(uri.request_uri)

Any idea why? I tried everything mentioned in all other questions, still no luck.

  • Ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-darwin13.3.0]
  • OpenSSL 0.9.8y 5 Feb 2013

Update I

Tried the following:

  • Ruby 2.0.0p353 (2013-11-22 revision 43784) [x86_64-darwin13.3.0]
  • OpenSSL 1.0.1i 6 Aug 2014

Update II

  • Forced ssl_version to :TLSv1_2

Still no luck.

Update III

Alright, here's the final code - thanks to Steffen (see answer below):

require 'net/https'
uri = URI.parse("https://<server>.com")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.ssl_version = :TLSv1
http.ciphers = ['RC4-SHA']
http.get(uri.request_uri)

I doubt that my question will be relevant to anyone else since it was related to a remote misconfigured server.

Ulund answered 12/9, 2014 at 18:4 Comment(4)
It was useful for me :) – Karimakarin
Also on /r/asknetsec reddit.com/r/AskNetsec/comments/64ulgg/… – Gonococcus
One reason could be simply a network disconnection. Took me 5 hours to find out :| – Readymix
What worked for me is to reduce the number of threads. – Slickenside

This is a problem on the server side. It looks like the server is exclusively accepting TLS 1.2 and does not show the usual behavior when the client requests something lesser (like downgrading or sending an SSL alert) but instead just closes the connection.

TLS 1.2 is not supported by OpenSSL 0.9.8 and additionally your code enforces SSLv3. You get TLS 1.2 only when upgrading to OpenSSL 1.0.1.

Some browsers will also fail to connect to this server, even if they have ways to work around such broken servers. But while Firefox will only try to downgrade the connection to a lesser SSL version (which often helps), Chrome manages to connect with TLS 1.2.

Edit: I've analyzed the issue further and now I cannot get a connection with TLS1.2 anymore, but I can get a connection with TLS1.0 or SSL3.0, but only if the cipher is hard-coded to RC4-SHA. I've tried others like AES128-SHA or DES-CBC3-SHA and they don't work. So while it looks like a really messed up system, explicitly setting

http.ssl_version = 'TLSv1'       # or SSLv3, but TLSv1 is better
http.ciphers = ['RC4-SHA']

should work. I'm not a ruby user so the exact syntax might differ, but I've tested with OpenSSL s_client.

Moneylender answered 13/9, 2014 at 3:6 Comment(6)
Hey, thanks for your response! I updated the question above with more info based on your feedback. – Ulund
See edit - looks like you can succeed by forcing RC4-SHA as cipher. – Moneylender
IT WORKED! Thanks so much for your help! Here's what I did: http.ssl_version = :TLSv1 and http.ciphers = ['RC4-SHA']. Thanks again! – Ulund
Where do I put this? – Adrenocorticotropic
Where do I put this? I'm also facing the same issue using ruby2.5 and openssl version 1.0.2 – Gilda
@Ulund where do I put this http.ssl_version = :TLSv1 and http.ciphers = ['RC4-SHA']? – Peng
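
An added example, not part of the original thread and not code from Ruby or OpenSSL: a triage helper for the error text in this question's title, plus a single-handshake probe in the style of the answer's s_client tests. The names `triage`, `probe` and the verdict symbols are hypothetical, and the probe does not verify certificates, so it only reports what the server negotiates.

```ruby
require 'socket'
require 'openssl'

# Layout of the message Ruby's openssl extension raises when a handshake fails,
# e.g. "SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A".
# Newer versions of the extension also insert a peeraddr= field.
SSL_ERR = /\A(?<func>SSL_\w+)(?<syscall> SYSCALL)? returned=(?<code>\d+) errno=(?<errno>\d+)(?: peeraddr=\S+)? state=(?<state>.*)\z/

# Classify a handshake error message (hypothetical helper, not a Ruby API).
def triage(message)
  m = SSL_ERR.match(message.strip)
  return { verdict: :unparsed, detail: message } unless m
  verdict =
    if m[:syscall] && m[:errno] == '0'
      :closed_without_alert   # SSL_ERROR_SYSCALL (5) with no OS error: EOF mid-handshake
    elsif m[:state].include?('unexpected eof')
      :closed_without_alert   # OpenSSL 3.x reports the same EOF as a TLS-level error
    elsif m[:syscall]
      :socket_error           # OS-level failure, errno says which
    else
      :tls_error              # alert received, certificate verification failed, ...
    end
  { verdict: verdict, func: m[:func], code: m[:code].to_i, state: m[:state] }
end

# One handshake with a pinned protocol version and cipher list. Certificates
# are not verified: use this to see what the server accepts, not to send data.
def probe(host, port, version, ciphers)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ssl_version = version      # same setter the question uses, e.g. :TLSv1
  ctx.ciphers = ciphers          # raises SSLError if the local OpenSSL has none of them
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host            # SNI
  ssl.connect
  { verdict: :ok, protocol: ssl.ssl_version, cipher: ssl.cipher[0] }
rescue OpenSSL::SSL::SSLError => e
  triage(e.message)
rescue ArgumentError => e
  { verdict: :unsupported_locally, detail: e.message }
rescue SystemCallError, EOFError => e
  { verdict: :socket_error, detail: "#{e.class}: #{e.message}" }
ensure
  tcp&.close
end
```

A mix of `:closed_without_alert` for some version/cipher pairs and `:ok` for others is the pattern the answer above found with s_client. On OpenSSL builds that no longer include RC4, the RC4-SHA pair comes back `:unparsed` from the local library before any connection is made.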

Solution is to upgrade to openssl 1.0.2g-1ubuntu4.6 (from 1.0.1f-1ubuntu2.21) (e.g. from cedar-14 to heroku-16 stack).

heroku stack:set heroku-16 -a your-app

And in app.json:

{
  ...
  "stack": "heroku-16",
  ...
}

Gonococcus answered 12/4, 2017 at 0:26 Comment(2)
Now I get SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A less often, but it still happens – Gonococcus
Same issue with me – Texas

In my case, the problem was the MTU size!

Technetium answered 5/2, 2021 at 13:30 Comment(1)
How did you fix that? – Ragamuffin