SSL_connect返回= 1 errno = 0状态= SSLv3读取服务器问候A：错误的版本号（OpenSSL :: SSL :: SSLError）

Question

When I ran https.ssl_version = :TLSv1_2

I got the error

ruby/2.1.0/net/http.rb:920:in `connect': 
SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: 
wrong version number (OpenSSL::SSL::SSLError)

Whe I changed to https.ssl_version = :SSLv3

ruby/2.1.0/net/http.rb:920:in `connect': 
SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A 
(OpenSSL::SSL::SSLError)

But I can do it without any error by rest client

resp = RestClient.post(server_url, content, header)

The ssl connection is make me confused so much.

The problem both on macos and ubuntu 14.04

UPDATE

Check my SSL parameters

Under default Ruby by irb

irb(main):001:0> require 'openssl'
=> true
irb(main):002:0>  OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
=> {:ssl_version=>"SSLv23", :verify_mode=>1, :ciphers=>"ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", :options=>-2147482625}

Under Rails

{
    :ssl_version => "SSLv23",
    :verify_mode => 1,
        :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
        :options => -2147482625
}
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>

Brute force to try all kind of SSL version within Rails

I changed the method by `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ssl_version]=method`

:TLSv1
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_server
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_client
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_2
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_2_server
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_2_client
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_1
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_1_server
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_1_client
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:SSLv3
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:SSLv3_server
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:SSLv3_client
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:SSLv23
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:SSLv23_server
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:SSLv23_client
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_server
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_client
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_2
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_2_server
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_2_client
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_1
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_1_server
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:TLSv1_1_client
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:SSLv3
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:SSLv3_server
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:SSLv3_client
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:SSLv23
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:SSLv23_server
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>
:SSLv23_client
#<OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A>

Answer 1

If you set the ssl_version to TLSv1_2 and the server does not support that version then you will see this error (same for SSLv3 ).

My guess is that RestClient probably just uses Ruby's default SSLv23 . If that version is supported by the server it might just work.

Check the default for your Ruby version like this:

require 'openssl'
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
# => {
# =>     :ssl_version => "SSLv23",
# =>     :verify_mode => 1,
# =>     :ciphers     => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
# =>     :options     => -2147482625
# => }

If https.ssl_version = :TLSv1_2 does not work then I would try other versions.

You can get a list of all available versions in your Ruby with:

OpenSSL::SSL::SSLContext::METHODS

I would start with:

https.ssl_version = 'SSLv23'

Or you may want to ask the owner of the server which versions are supported.

Answer 2

 When I ran https.ssl_version = :TLSv1_2
 ...
 https.ssl_version = :SSLv3

Any peer supporting only TLS1.0 or TLS1.1 will not work with both of these tests, because the offered version is either too high or too low. It is better to leave the default to SSLv23 handshake but explicitly disable SSLv3.

To do this you need to fiddle with the options and add SSL_OP_NO_SSLv3 , see https://stackoverflow.com/a/24237525/3081018