
Ruby: SSL_connect SYSCALL returned=5 errno=0 state=unknown state (OpenSSL::SSL::SSLError)

Tags: ruby, openssl

Variants of this error have been posted all over the place but none of the solutions seem to work for me.

I'm running ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux] and OpenSSL 1.0.1k 8 Jan 2015.

Running the following:

require 'net/http'
require 'openssl'

url = 'https://ntpnow.com/'
uri   = URI.parse(url)
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.ssl_version = :TLSv1
http.get(uri.path)

Dumps this trace:

/usr/local/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect SYSCALL returned=5 errno=0 state=unknown state (OpenSSL::SSL::SSLError)
    from /usr/local/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
    from /usr/local/lib/ruby/2.2.0/timeout.rb:74:in `timeout'
    from /usr/local/lib/ruby/2.2.0/net/http.rb:923:in `connect'
    from /usr/local/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
    from /usr/local/lib/ruby/2.2.0/net/http.rb:852:in `start'
    from /usr/local/lib/ruby/2.2.0/net/http.rb:1375:in `request'
    from /usr/local/lib/ruby/2.2.0/net/http.rb:1133:in `get'
    from bin/ntpnow_test.rb:9:in `<main>'

Navigating to the site from a browser shows the certificate appears to be fine. Curl also does not produce any errors.

Additionally, when I try with Ruby 1.9.3 it seems to work. However, I'm not inclined to downgrade Ruby versions if I can find a solution.

Can you please tell me what exactly changed that is causing this problem?

UPDATE:

Steffen's answer and explanation below is correct. For future reference, here is how to diagnose this problem.

  1. First determine which ciphers the server supports. Run the command nmap --script ssl-enum-ciphers ntpnow.com. Find the section that lists the supported ciphers.
  2. Determine the cipher key you will have to pass as part of http.ciphers. Run openssl ciphers. This will spit out a : delimited list of ciphers. Find the one that matches the result from step 1.
prajo asked Nov 06 '15 18:11
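The two diagnostic steps above, automated as an added example that is not part of the original post: it parses ssl-enum-ciphers output, maps nmap's IANA cipher names to the names `openssl ciphers` prints, and reports which of them the local Ruby does not enable by default. The nmap text is a constructed sample, the mapping table is a hand-written subset, and the function names are hypothetical.

```ruby
require 'openssl'

# IANA names (printed by nmap) => OpenSSL names (printed by `openssl ciphers`).
IANA_TO_OPENSSL = {
  'TLS_RSA_WITH_3DES_EDE_CBC_SHA' => 'DES-CBC3-SHA',
  'TLS_RSA_WITH_AES_128_CBC_SHA'  => 'AES128-SHA',
  'TLS_RSA_WITH_AES_256_CBC_SHA'  => 'AES256-SHA'
}.freeze

# Constructed sample of ssl-enum-ciphers output, not a real scan result.
SAMPLE_NMAP = <<~OUT
  | ssl-enum-ciphers:
  |   TLSv1.0:
  |     ciphers:
  |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
  |_  least strength: C
OUT

# Parse nmap output into { protocol => [IANA cipher names] }.
def server_ciphers(nmap_output)
  offered = Hash.new { |h, k| h[k] = [] }
  protocol = nil
  nmap_output.each_line do |line|
    if (m = line.match(/^\|\s+(SSLv3|TLSv1\.\d):/))
      protocol = m[1]
    elsif protocol && (m = line.match(/^\|\s+(TLS_[A-Z0-9_]+)/))
      offered[protocol] << m[1]
    end
  end
  offered
end

# Cipher names this Ruby/OpenSSL build enables once Ruby's DEFAULT_PARAMS apply.
def client_default_ciphers
  OpenSSL::SSL::SSLContext.new.tap(&:set_params).ciphers.map(&:first)
end

# :shared = already offered, :override = needs http.ciphers, :unmapped = not in table.
def diagnose(nmap_output, client = client_default_ciphers)
  result = { shared: [], override: [], unmapped: [] }
  server_ciphers(nmap_output).values.flatten.uniq.each do |iana|
    name = IANA_TO_OPENSSL[iana]
    bucket = name.nil? ? :unmapped : (client.include?(name) ? :shared : :override)
    result[bucket] << (name || iana)
  end
  result
end

p diagnose(SAMPLE_NMAP) if $PROGRAM_NAME == __FILE__
```

A name under `:override` is one the client's defaults no longer offer. Setting it on the single `Net::HTTP` object that talks to the legacy server leaves every other connection on the stronger defaults.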


2 Answers

This looks like exactly the same problem I've answered in https://stackoverflow.com/a/29611892/3081018. Same problem: the server can only do TLS 1.0 and only supports DES-CBC3-SHA as cipher. This cipher is no longer enabled by default in recent ruby versions. To connect with this cipher try to specify the cipher explicitly in your code:

http.ssl_version = :TLSv1
http.ciphers = ['DES-CBC3-SHA']
Steffen Ullrich answered Nov 06 '22 15:11


I use Mechanize, and I was looking for a patch instead of a configuration of the http client instance. This is how I managed to do it:

OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] += ':DES-CBC3-SHA'
barbolo answered Nov 06 '22 14:11