Sasha

Reputation: 6466

OpenSSL::SSL::SSLError Handshake Failure with Homebrew OpenSSL

I'm trying to make an API request in a Ruby app, on Mac OS X.

When I try something like this:

RestClient.get("https://api.foursquare.com/v2/venues/explore?near=NYC&query=McDonalds")

I get this (same when it's http):

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
from /Users/sasha/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `connect'

If I try open("https://..."), I get this:

OpenURI::HTTPError: 400 Bad Request
from /Users/sasha/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/open-uri.rb:353:in `open_http'

I took a look at some SO discussions about this, and in particular this one led me to believe it was an issue with my OpenSSL not finding the right cert.pem file. I'm using Homebrew, and my Homebrew OpenSSL is installed in /usr/local/bin. The original Mac version of OpenSSL is at /usr/bin, I think.

I followed the suggestions to set a global ENV variable SSL_CERT_FILE to the path to my cert.pem file as installed by Homebrew (/usr/local/etc/openssl/cert.pem), and when I echo that variable, it is set correctly, but when I re-open a Ruby console and try again, I get the same error. Thoughts on what I'm doing wrong? I don't know much about OpenSSL, and I'm totally flummoxed by this one, given that it seems to be finding my certificate correctly.

EDIT

When I run which openssl, it shows the Mac version -- /usr/bin/openssl. This makes sense, given Homebrew's install notes:

A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /usr/local/etc/openssl/certs

and run
  /usr/local/opt/openssl/bin/c_rehash

This formula is keg-only, which means it was not symlinked into /usr/local.

Mac OS X already provides this software and installing another version in
parallel can cause all kinds of trouble.

The OpenSSL provided by OS X is too old for some software.

Generally there are no consequences of this for you. If you build your
own software and it requires this formula, you'll need to add to your
build variables:

    LDFLAGS:  -L/usr/local/opt/openssl/lib
    CPPFLAGS: -I/usr/local/opt/openssl/include

Is that the problem? I'm including the wrong cert.pem file given my version of OpenSSL?

Upvotes: 0

Views: 2156

Answers (1)

Steffen Ullrich

Reputation: 123320

state=SSLv3 read server hello A: sslv3 alert handshake failure

That is usually not a problem of a bad or missing certificate, but that the server does not like what the client sends, like unsupported SSL version or no appropriate ciphers offered by the client. I get this error with this host if I try to connect with SSL3.0 instead of TLS1.0 or higher, so please make sure that you don't use SSL3.0 anymore.

If this does not help, make a packet capture of the traffic and post it to cloudshark.org so that one can have a look at the traffic details.

Upvotes: 1
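One way to act on that advice from the Ruby side, as an added example that is neither the asker's nor the answerer's code: it builds a client context that never offers SSLv3, applies the same floor to the Net::HTTP that RestClient uses underneath, and tells a server handshake alert apart from a certificate-verification error (the two failure modes the question conflates). The helper names (tls_only_context, sslv3_disabled?, diagnose_ssl_error, tls_get) are my own, and the code assumes either Ruby 2.1's openssl (ssl_version=) or a current one (min_version=).

```ruby
require 'openssl'
require 'net/http'
require 'uri'

# Client SSLContext that never offers SSLv2/SSLv3. Works both on the openssl
# that shipped with Ruby 2.1 (OP_NO_* option bits, ssl_version=) and on
# current Rubies (min_version=); whichever this interpreter supports is used.
def tls_only_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER) # default CA store
  ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
  if ctx.respond_to?(:min_version=)
    ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION # floor, not a pin
  else
    ctx.ssl_version = :TLSv1_2 # Ruby 2.1 spelling: pins one TLS version
  end
  ctx
end

def sslv3_disabled?(ctx)
  (ctx.options & OpenSSL::SSL::OP_NO_SSLv3) != 0
end

# Separate the two failure modes: an alert from the server during the hello
# exchange means it rejected what the client offered (wrong protocol version
# or ciphers), whereas a wrong SSL_CERT_FILE shows up as a verification error.
def diagnose_ssl_error(message)
  case message
  when /alert handshake failure/i   then :server_rejected_client_hello
  when /certificate verify failed/i then :cert_verification_failed
  else                                   :other
  end
end

# Same protocol floor applied to Net::HTTP, which RestClient uses underneath
# (see the net/http.rb frame in the question's backtrace).
def tls_get(url)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  if http.respond_to?(:min_version=)
    http.min_version = OpenSSL::SSL::TLS1_2_VERSION
  else
    http.ssl_version = :TLSv1_2
  end
  http.get(uri.request_uri)
rescue OpenSSL::SSL::SSLError => e
  raise "#{diagnose_ssl_error(e.message)}: #{e.message}"
end
```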
