Excon 0.16.1 breaks TLS1 support #154
Excon 0.16.1 included commit aa07fea which specifies SSLv3, but this breaks servers that only provide TLS:
ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure (OpenSSL::SSL::SSLError)
Normally openssl would negotiate and choose TLS if it's available (unless told not to) and fail back to SSLv3 or others if necessary. Specifying SSLv3 limits it to only SSLv3.
The commit doesn't explain why SSLv3 is now being enforced - any thoughts?
If I had to guess, I'm suspecting it's a workaround for this openssl behaviour change re tls1.1 and tls1.2 renegotiation: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371 - sucks to break support for TLS1 servers in excon to avoid a problem with broken tls1.1 and tls1.2 servers though!
@johnl - it was originally done in an effort to work toward fixing some https proxy related issues (this didn't end up fixing the problem). Do you think the right behavior is to not pass a value then? Maybe we should just allow an option to be specified, but otherwise allow it to be non-specific? If I understand you correctly anyway I believe that is the behavior that is desired, right?
Previous versions of excon do work with our TLS1-only server, so I presume when you don't pass a value it negotiates (i.e: supports both TLS and SSL). So I think the right default behaviour is not to pass a value.
You could allow an option to be specified if people need to change the behaviour, but I'm not sure who needs to do this. I'd probably just revert to not passing anything so it negotiates and wait til someone pops up asking to be able to explicitly set it :)
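The effect the thread describes, shown with Ruby's stdlib OpenSSL bindings rather than excon (this is an added example, not code from the issue or from excon): an in-process server that accepts TLS 1.2 and newer, a client pinned to a single older protocol version (the modern `max_version` equivalent of excon forcing `ssl_version`) fails the handshake, while a client that leaves the version unspecified negotiates the newest mutually supported one. The self-signed certificate is constructed at runtime for the test only.

```ruby
require 'openssl'
require 'socket'

# Constructed test certificate: self-signed, used only by the local server below.
def self_signed_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Run one TLS handshake against a local server that accepts server_min or newer.
# client_max, when given, caps the client at that protocol version (the same
# effect as excon pinning ssl_version). Returns the negotiated protocol name,
# or :handshake_failed when the handshake is rejected.
def handshake(server_min:, client_max: nil)
  key, cert = self_signed_cert
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.key  = key
  sctx.cert = cert
  sctx.min_version = server_min
  listener = TCPServer.new('127.0.0.1', 0)
  server   = OpenSSL::SSL::SSLServer.new(listener, sctx)
  worker = Thread.new do
    conn = server.accept   # raises when the client's offered versions are unacceptable
    conn.close
  rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
    nil
  end
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_NONE  # test cert only; real clients must verify
  cctx.max_version = client_max if client_max  # pin; leave unset to let OpenSSL negotiate
  sock = TCPSocket.new('127.0.0.1', listener.addr[1])
  ssl  = OpenSSL::SSL::SSLSocket.new(sock, cctx)
  ssl.sync_close = true
  ssl.connect
  ssl.ssl_version              # e.g. "TLSv1.2" or "TLSv1.3"
rescue OpenSSL::SSL::SSLError
  :handshake_failed
ensure
  ssl&.close
  sock.close if sock && !sock.closed?
  server&.close
  worker&.join
end
```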