Ruby SSL error - sslv3 alert unexpected message

Question

I'm trying to connect to the server https://www.xpiron.com/schedule in a ruby script. However, when I try connecting:

require 'open-uri'
doc = open('https://www.xpiron.com/schedule')

I get the following error message:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A:  sslv3 alert unexpected message         
    from /usr/local/lib/ruby/1.9.1/net/http.rb:678:in `connect'
    from /usr/local/lib/ruby/1.9.1/net/http.rb:678:in `block in connect'
    from /usr/local/lib/ruby/1.9.1/timeout.rb:44:in `timeout'
    from /usr/local/lib/ruby/1.9.1/timeout.rb:87:in `timeout'
    from /usr/local/lib/ruby/1.9.1/net/http.rb:678:in `connect'
    from /usr/local/lib/ruby/1.9.1/net/http.rb:637:in `do_start'
    from /usr/local/lib/ruby/1.9.1/net/http.rb:626:in `start'
    from /usr/local/lib/ruby/1.9.1/net/http.rb:1168:in `request'
    from /usr/local/lib/ruby/1.9.1/net/http.rb:888:in `get'
    from (irb):32
    from /usr/local/bin/irb:12:in `<main>'

I'm running Ruby 1.9.2p180. It seems to work on some other machines, so it could be a configuration problem with OpenSSL or Ruby. I tried reinstalling all the SSL libraries, and rebuilding Ruby from scratch, but nothing seems to work. Has anyone encountered this problem?

Update

On the non-working machine, the openssl version is 0.9.8o 01 Jun 2010

On the working machine, it's 0.9.8k 25 Mar 2009

So the more recent one seems to be breaking.

Furthermore, if I use a different HTTP client (Patron, based on libcurl), it works:

require 'patron'

sess = Patron::Session.new
sess.timeout = 5
url = 'https://www.xpiron.com/schedule'
resp = sess.get(url)
puts "#{resp.body}"

So this appears to be an issue with Ruby's OpenSSL bindings.

Answer 1

Just to answer my own question.

The problem seems to be with how Ruby negotiates SSL connections. There's an error in Xpiron's TLS mechanism, and it throws an error instead of retrying to other SSL versions.

If you force the SSL version to 3.0, it works:

require 'net/http'
url = URI.parse('https://www.xpiron.com/schedule')
req = Net::HTTP::Get.new(url.path)
sock = Net::HTTP.new(url.host, 443)
sock.use_ssl = true
sock.ssl_version="SSLv3"
sock.start do |http|
    response = http.request(req)
end

I also created an issue on Ruby's bug tracker.

Answer 2

I think it's because of the https URL. There's a mean, completely insecure hack for bypassing this, but please google for it at your own risk. I will rather show you the secure way of doing it, using Net::HTTP:

require 'net/http'

url = URI.parse('https://www.xpiron.com/schedule')
req = Net::HTTP::Get.new(url.path)
sock = Net::HTTP.new(url.host, 443)
sock.use_ssl = true
store = OpenSSL::X509::Store.new
store.add_cert OpenSSL::X509::Certificate.new(File.new('addtrust_ca.pem'))
store.add_cert OpenSSL::X509::Certificate.new(File.new('utn.pem'))
store.add_cert OpenSSL::X509::Certificate.new(File.new('user_first_ca.pem'))
store.add_cert OpenSSL::X509::Certificate.new(File.new('xpiron.pem'))
sock.cert_store = store
sock.start do |http|
  response = http.request(req)
end

You may obtain the certificate files by entering your URL in the browser (e.g. Firefox), and then clicking on the icon left of the URL/More Information/View Certificate/Details -> there click on each certificate in the chain and export it as a PEM file under the names I used above. Put these files in the same directory as the script referencing them. That should do the magic. But I noticed that a cookie is required to login to that page, so it might require a bit more effort of modifying your request appropriately.