connect: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed) while connecting to Paypal
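I know there is a lot of discussion about this error, but I'm sorry to say I could not find any workable solution there.
I am developing an e-commerce site using ShareTribe. I am trying to implement Paypal as the payment gateway, so I am using Activemerchant.
Everything works fine on the development machine, but when I deploy the Rails application to production it throws an exception
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)
I am initializing Activemerchant as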
config.after_initialize do
  ActiveMerchant::Billing::Base.mode = :test
  paypal_options = {
    login: "bla bla",
    password: "bla bla",
    signature: "bla bla",
    appid: "APP-80W284485P519543T"
  }
  ::EXPRESS_GATEWAY = ActiveMerchant::Billing::PaypalExpressGateway.new(paypal_options)
end
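After a lot of searching, I found
It turns out that SSLv3 is insecure because it has the POODLE vulnerability. You should make sure your system has the latest version of OpenSSL so that TLSv1.2 can be used.
So I disabled SSLv3, as shown below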
openssl s_client -connect kickmarket.eu:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...........................................
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2038 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4D23F4A942AAD4264BE96EB5F1E62204269D882A64ACFBD2D139CD2F10A449A0
Session-ID-ctx:
Master-Key: 1E381DAA3BA90FE3609606716E7E9A2EB2E2F671E9F3C4005D8EBAE009103A7AB771FB2AC8B45F169F43CBD0AD352E06
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
..................................
Start Time: 1446132175
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
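But after restarting nginx I ran into the same problem. Is there any way to solve this? Any suggestion would be appreciated.
This is most likely due to the upgrade to SHA256 certificates. Please see the following document:
The main cause of this is that the ruby installed with rvm looks in the wrong certificate directory, whereas the OSX ruby looks in the correct one.
What you want to do is not use any precompiled rubies, but instead compile ruby on your local machine, like this: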
rvm install 2.2.0 --disable-binary
You can read a detailed explanation at https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
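
The s_client output in the question reports verify error 20 with only certificate 0 in the chain, and the answer above concerns which certificate directory Ruby consults. The following is an added example, not code from the original posts: it reproduces error 20 with a constructed root, intermediate and leaf, and reports the trust-store paths this Ruby's OpenSSL uses. All certificate names and the helper names are made up for illustration.

```ruby
require "openssl"

# Where this Ruby's OpenSSL looks for trusted CAs; the env vars override the
# paths compiled into the OpenSSL build the interpreter was linked against.
def trust_store_paths
  { file: ENV["SSL_CERT_FILE"] || OpenSSL::X509::DEFAULT_CERT_FILE,
    dir: ENV["SSL_CERT_DIR"] || OpenSSL::X509::DEFAULT_CERT_DIR }
end

# Build one certificate for the constructed sample PKI; self-signed when issuer is nil.
def make_cert(cn, key, issuer: nil, issuer_key: key, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  bc = OpenSSL::X509::ExtensionFactory.new.create_extension("basicConstraints", "CA:TRUE", true)
  cert.add_extension(bc) if ca # CA certificates must be marked as such
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Verify leaf against trusted roots plus any untrusted intermediates the peer supplied.
def verify_chain(leaf, trusted:, untrusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, untrusted)
  ok = ctx.verify
  { ok: ok, code: ctx.error, message: ctx.error_string }
end

# Constructed sample chain: root -> intermediate -> leaf.
def sample_chain
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert("Example Root CA", rk, ca: true, serial: 1)
  inter = make_cert("Example Intermediate CA", ik, issuer: root, issuer_key: rk, ca: true, serial: 2)
  leaf = make_cert("www.example.test", lk, issuer: inter, issuer_key: ik, serial: 3)
  { root: root, inter: inter, leaf: leaf }
end

if __FILE__ == $PROGRAM_NAME
  c = sample_chain
  p trust_store_paths
  p verify_chain(c[:leaf], trusted: [c[:root]])                          # leaf only: fails
  p verify_chain(c[:leaf], trusted: [c[:root]], untrusted: [c[:inter]])  # intermediate supplied: passes
end
```

The first call fails because the verifier holds only the root and was given no intermediate; the second passes once the intermediate is supplied alongside the leaf.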