OpenSSL connection issues #202
HTTPS uses TLS to provide security like authenticity and encryption. Versions of TLS before 1999 were called SSL. The server you try to connect to only supports TLSv1 and above but not SSLv3 anymore. SSLv3 has several security vulnerabilities and will therefore be disabled on more and more servers. Sadly, instead of using the best supported TLS version (which for recent Ruby versions is at least TLSv1), httpclient by default is set to use only SSLv3. I think this is a big problem and needs to be addressed. In the meantime you can manually override this:

```ruby
c = HTTPClient.new
c.ssl_config.ssl_version = :TLSv1
c.get("https://www.qbd.com.au/")
```

You can find out which versions are supported by your Ruby implementation by calling this command:

You should use the highest version available.
Thank you very much!
Thanks @dkam and @aef, the fix for this is incorporated in httpclient/2.4.0 by 1753454 (by @aef).

Now the POODLE attack on SSLv3 comes: https://www.imperialviolet.org/2014/10/14/poodle.html

Solution:

```ruby
c = HTTPClient.new
c.ssl_config.ssl_version = :SSLv23
```

To disable SSLv3 completely, add this instead of SSLv23:

```ruby
c.ssl_config.options |= OpenSSL::SSL::OP_NO_SSLv3
```
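The thread's two settings (`ssl_version = :SSLv23`, i.e. "let OpenSSL negotiate the highest shared protocol", plus `options |= OP_NO_SSLv3` to take SSLv3 out of that negotiation) are applied by httpclient's `SSLConfig` to an `OpenSSL::SSL::SSLContext`. The example below is an added illustration, not code from httpclient or from anyone in this issue: it builds the same configuration on a raw `SSLContext` from Ruby's standard `openssl` library, checks the SSLv3 bit, and proves the result with a loopback handshake against a server that (like the server in the issue) has dropped old protocols. It also shows the mirror image of the original failure: a client pinned to an obsolete protocol cannot connect at all. The certificate, the `localhost` name, and all function names are constructed for the example; it assumes Ruby 2.5+ (for `min_version`/`max_version`) and uses TLS 1.1 as the "obsolete" version because current OpenSSL builds no longer contain SSLv3.

```ruby
require "openssl"
require "socket"

# Constructed, throwaway self-signed certificate so the example runs offline.
def self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Raw-SSLContext equivalent of the thread's httpclient settings
#   c.ssl_config.ssl_version = :SSLv23
#   c.ssl_config.options |= OpenSSL::SSL::OP_NO_SSLv3
# SSLv23 means "negotiate the highest protocol both sides support"; the
# OP_NO_* bits remove SSLv2/SSLv3 from that set. On Ruby >= 2.5 min_version
# expresses the floor directly and also excludes TLS 1.0/1.1.
# Peer certificate and hostname verification are left on (example choice).
def hardened_client_context(ca_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ssl_version = :SSLv23
  ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION if ctx.respond_to?(:min_version=)
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true if ctx.respond_to?(:verify_hostname=)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ctx.cert_store = store
  ctx
end

# Quick audit helper: is the OP_NO_SSLv3 bit actually set on a context?
def sslv3_disabled?(ctx)
  (ctx.options & OpenSSL::SSL::OP_NO_SSLv3) != 0
end

# A server like the one in the issue: everything below TLS 1.2 is switched off.
def modern_server_context(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx
end

# The issue's failure mode, one generation newer: a client that insists on an
# obsolete protocol (TLS 1.1 here, as a stand-in for the old SSLv3 default).
def obsolete_client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.max_version = OpenSSL::SSL::TLS1_1_VERSION
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ctx
end

# One handshake over loopback. Returns the protocol the client negotiated
# (e.g. "TLSv1.3") or raises OpenSSL::SSL::SSLError when the sides share none.
def negotiate(client_ctx, server_ctx, host)
  listener = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do
    begin
      ssl = OpenSSL::SSL::SSLSocket.new(listener.accept, server_ctx)
      ssl.sync_close = true
      ssl.accept
      ssl.ssl_version
    rescue StandardError
      nil # handshake failures are reported from the client side
    ensure
      ssl&.close
    end
  end
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", listener.addr[1]), client_ctx)
  ssl.hostname = host # SNI, and the name checked by verify_hostname
  ssl.sync_close = true
  begin
    ssl.connect
    ssl.ssl_version
  ensure
    ssl.close
  end
ensure
  listener&.close
  server&.join
end

if __FILE__ == $0
  key, cert = self_signed_cert("localhost")
  puts "hardened client negotiated #{negotiate(hardened_client_context(cert), modern_server_context(key, cert), 'localhost')}"
  begin
    negotiate(obsolete_client_context, modern_server_context(key, cert), "localhost")
  rescue OpenSSL::SSL::SSLError => e
    puts "obsolete client rejected: #{e.message}"
  end
end
```

With httpclient itself the same audit is `c.ssl_config.options & OpenSSL::SSL::OP_NO_SSLv3`, and the safer long-term fix is a version floor rather than a blacklist of individual protocols: every protocol you forbid by name is one you have to remember to forbid again when the next one is broken.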
This is a security patch. With the latest version of httpclient, if you use this gem in an app already using httpclient, you will still be able to apply the security patch referenced here: nahi/httpclient#202 (comment)
This is a security patch. With the latest version of httpclient, if you use this gem in an app already using httpclient, you will still be able to apply the security patch referenced here: nahi/httpclient#202 (comment) Also removed Gemfile.lock and added the file to .gitignore. It is not good to check in Gemfile.lock into version control, since it enforces precision that does not exist in the gem command, which is used to install gems in practice. See http://yehudakatz.com/2010/12/16/clarifying-the-roles-of-the-gemspec-and-gemfile/
On branch: master
On MacOS 10.9.2 and Ubuntu 12.04 using rbenv-installed Ruby 2.1.1, I can't connect via https to a specific host with HTTPClient - however both curl and open-uri can.
Opening with either open-uri or the locally installed curl works fine, which I suspect means the local CA files are ok?