OpenSSL connection issues

[dkam]

On MacOS 10.9.2 and Ubuntu 12.04 using RBenv installed Ruby 2.1.1, I can't connect via https to a specific host with HTTPClient - however both Curl and open-uri can.

c = HTTPClient.new
c.get("https://www.qbd.com.au/")
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure

Opening with either open-uri or the locally install Curl works fine, which I suspect means the local CA files are ok?

[aef]

HTTPS uses TLS to provide security like authentiticy and encryption. Versions of TLS before 1999 were called SSL. The server you try to connect to only supports TLSv1 and above but not SSLv3 anymore. SSLv3 has several security vulnerabilities and will therefore be disabled on more and more servers. Sadly, instead of using the best supported TLS version (which for recent Ruby versions is at least TLSv1), httpclient by default is set to use only SSLv3. I think this is a big problem and needs to be adressed. In the meantime you can manually override this:

c = HTTPClient.new
c.ssl_config.ssl_version = :TLSv1
c.get("https://www.qbd.com.au/")

You can find out which versions are supported by your Ruby implementation by calling this command:

ruby -ropenssl -rpp -e "pp OpenSSL::SSL::SSLContext::METHODS"

You should use the highest version available.

[dkam]

Thank you very much!

[nahi]

Thanks @dkam and @aef, the fix for this is incorporated in httpclient/2.4.0 by 1753454 (by @aef)

Now POODLE Attacks on SSLv3 comes: https://www.imperialviolet.org/2014/10/14/poodle.html
SSL/TLS servers quickly disabling SSLv3 (It's protocol vulnerability and no server side fix is possible so far) so httpclient <= 2.3.4.1 would cause SSL handshake errors like "SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure"

Solution:

• Upgrade to httpclient/2.4.0
• Set ssl_config.ssl_version to SSLv23

c = HTTPClient.new
c.ssl_config.ssl_version = :SSLv23

[nahi]

To disable SSLv3 completely, add this instead of SSLv23

c.ssl_config.options |= OpenSSL::SSL::OP_NO_SSLv3