Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A

Tags:

ruby

openssl

ruby-on-rails

net-http

The code below yields the following error: OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A

require 'net/https'
uri = URI.parse("https://<server>.com")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.ssl_version = 'SSLv3'
http.get(uri.request_uri)

Any idea why? I tried everything mentioned in all other questions, still no luck.

  • Ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-darwin13.3.0]
  • OpenSSL 0.9.8y 5 Feb 2013

Update I

Tried the following:

  • Ruby 2.0.0p353 (2013-11-22 revision 43784) [x86_64-darwin13.3.0]
  • OpenSSL 1.0.1i 6 Aug 2014

Update II

  • Forced ssl_version to :TLSv1_2

Still no luck.

Update III

Alright, here's the final code - thanks to Steffen (see answer below):

require 'net/https'
uri = URI.parse("https://<server>.com")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.ssl_version = :TLSv1
http.ciphers = ['RC4-SHA']
http.get(uri.request_uri)

I doubt that my question will be relevant to anyone else since it was related to a remote misconfigured server.

like image 484
Hesham Avatar asked Sep 12 '14 18:09

Hesham

1 Answers

This is a problem at the server site. It looks like the server is exclusively accepting TLS 1.2 and does not show the usual behavior when the client requests something lesser (like downgrading or sending SSL alert) but instead just closes the connection.

TLS 1.2 is not supported by OpenSSL 0.9.8 and additionally your code enforces SSLv3. You get TLS 1.2 only when upgrading to OpenSSL 1.0.1.

Some browsers will also fail to connect to this server, even if they have ways to work around such broken servers. But while Firefox will only try to downgrade the connection to lesser SSL version (which often helps) Chrome manages to connect with TLS 1.2.

Edit: I've analyzed the issue further and now I cannot get a connection with TLS1.2 anymore but I can get a connection with TLS1.0 or SSL3.0, but only if the ciphers is hard coded to RC4-SHA. I've tried others like AES128-SHA or DES-CBC3-SHA and they don't work. So while it looks like a really messed up system explicitly setting 

http.ssl_version = 'TLSv1'       -- or SSLv3, but TLSv1 is better
http.ssl_cipher = 'rc4-sha'

should work. I'm not a ruby user so the exact syntax might differ, but I've tested with OpenSSL s_client.

like image 197
Steffen Ullrich Avatar answered Nov 03 '22 11:11

Steffen Ullrich
Sign in to Comment

Related questions

Getting a user country name from originating IP address with Ruby on Rails
jQuery ajax request not triggering JS response from rails controller?
FactoryGirl + Faker - same data being generated for every object in db seed data
RSpec > Is there a way to run all tests with one command?
Running multiple instances of Rails Server
RSpec set session object
String, decimal, or float datatype for price field?
How to get list of controllers and actions in ruby on rails?
Avoid sign-in after confirmation link click using devise gem?
Using Amazon SES with Rails ActionMailer
How to parse a yaml file into ruby hashs and/or arrays?
Rails and OS X: How to install rmagick?
I'm getting "found character that cannot start any token while scanning for the next token"
how to avoid duplicates in a has_many :through relationship?
Rails 3: How to display properly text from "textarea"?
submit a rails remote form with javascript
"SSL_read: cert already in hash table" when sending mail asynchronously
How to improve memory sharing between unicorn processes with Ruby 2.0 on Linux
Rails ArgumentError: invalid %-encoding
What is the equivalent of a Python docstring in Ruby?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!