
Shopify + Ubuntu 12.04LTS + Faraday issue = OK to use older OpenSSL?

I'm using Ubuntu 12.04LTS Desktop to develop a Shopify App (using the shopify_app gem), and I ran into this problem when processing the callback URL.

Faraday::Error::ConnectionFailed (Connection reset by peer - SSL_connect)

Looking at the shopify-app-discuss group here and here, it seems that the problem is with Ubuntu 12.04 and its OpenSSL. I tried to install the most up-to-date OpenSSL, but nothing. One alternative that I found was to use a different, older OpenSSL, one that RVM provides.

$ rvm remove 1.9.3  # or whatever version of Ruby you are using
$ rvm pkg install openssl
$ rvm install 1.9.3 --with-openssl-dir=$rvm_path/usr

And now the Shopify App is working fine. It can connect to the API. (This tip may help other Ubuntu 12.04 users!)

So, my question is: Is this the best solution? I'm a little bit concerned about the older OpenSSL version. It might have some security issues. Is it safe to develop the app with this?

And when I deploy the app (e.g. Heroku), is there going to be a security issue with an older OpenSSL?

Thanks in advance!

asked Jun 29 '12 19:06

mr4nd


2 Answers

The other suggestions didn't work for us. Specifically we needed to force :SSLv3 instead of :TLSv1. (For both the stock Ubuntu 12.04.01 Ruby 1.9.3 and the one that we use from the Passenger PPM.)

Also, there needs to be a check for @ssl_options being defined. I copied the one from the ActiveResource Implementation.

We dropped this in config/initializers/shopify_ssl.rb and everything is peachy:

require 'active_resource/connection'

class ActiveResource::Connection
  def apply_ssl_options_with_ssl_version(http)
    apply_ssl_options_without_ssl_version(http)
    return http unless defined?(@ssl_options)
    http.ssl_version = @ssl_options[:ssl_version] if @ssl_options[:ssl_version]
    http
  end
  alias_method_chain :apply_ssl_options, :ssl_version
end

ShopifyAPI::Base.ssl_options = { :ssl_version => :SSLv3 }
answered Nov 02 '22 06:11

scotchi
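
An added example, not code from the answer above or from the shopify_api project: a small Ruby check that reports which OpenSSL build the interpreter is linked against (the question's concern after the RVM rebuild) and flags an `ssl_options` hash that pins a legacy protocol such as the `:SSLv3` setting shown above. The helper names `audit_ssl_options`, `parse_openssl_version` and `linked_openssl` are hypothetical, and the banner strings in the comments are constructed samples.

```ruby
require 'openssl'

# Protocol versions that are formally deprecated (SSLv3 by RFC 7568,
# TLS 1.0 and 1.1 by RFC 8996). Names follow the symbols accepted by
# Net::HTTP#ssl_version, with any _client/_server suffix removed.
LEGACY_PROTOCOLS = %w[SSLv2 SSLv3 TLSv1 TLSv1_1].freeze

# Hypothetical helper: returns findings for an ActiveResource-style
# ssl_options hash such as { :ssl_version => :SSLv3 }.
def audit_ssl_options(opts)
  opts ||= {}
  findings = []
  if (pin = opts[:ssl_version])
    base = pin.to_s.sub(/_(client|server)\z/, '')
    findings << if LEGACY_PROTOCOLS.include?(base)
                  "ssl_version pinned to legacy protocol #{base}"
                else
                  "ssl_version pinned to #{base}; newer versions cannot be negotiated"
                end
  end
  if opts[:verify_mode] == OpenSSL::SSL::VERIFY_NONE
    findings << 'verify_mode is VERIFY_NONE; server certificate is not checked'
  end
  findings
end

# Parses a banner such as "OpenSSL 1.0.1 14 Mar 2012" (constructed sample)
# into [major, minor, fix, patch_letter]; returns nil for other libraries.
def parse_openssl_version(banner)
  m = banner.match(/\AOpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)/)
  m && [m[1].to_i, m[2].to_i, m[3].to_i, m[4]]
end

# Reports the OpenSSL this Ruby was compiled against and, where the
# constant exists, the library actually loaded at run time.
def linked_openssl
  runtime = OpenSSL::OPENSSL_LIBRARY_VERSION if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION)
  { compiled: OpenSSL::OPENSSL_VERSION, runtime: runtime,
    parsed: parse_openssl_version(OpenSSL::OPENSSL_VERSION) }
end

if __FILE__ == $PROGRAM_NAME
  puts linked_openssl.inspect
  audit_ssl_options({ :ssl_version => :SSLv3 }).each { |f| puts "WARN: #{f}" }
end
```

Running it under each Ruby (system, RVM, deployment target) shows whether the rebuild actually changed the linked library and whether the initializer is still carrying a protocol pin.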


Whilst the latest version of OpenSSL is a holy matrimony of not-yet-discovered security holes, I'd say that you should use the library that works for you at that particular moment. There's no software without security holes, and unless you can influence the server side to upgrade to something compatible with the latest SSL versions, I'm afraid your options are limited.

answered Nov 02 '22 05:11

favoretti