Lluís

Reputation: 1317

"sslv3 alert handshake failure" on ruby 2

I am trying to use a webservice with Ruby, but there seems to be an issue with its SSL configuration and Ruby 2:

    >> require "open-uri"
    => true
    >> open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort") {|f| p f.content_type }
    OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure

I've tried with curl and openssl and it works:

    curl https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort
    openssl s_client -connect w390w.gipuzkoa.net:443

It also works with Ruby 1.9:

    irb(main):001:0> require "open-uri"
    => true
    irb(main):003:0> open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort") {|f| p f.content_type }
    "text/html"

With Ruby 2, I've tried using TLS, without success:

    >> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ssl_version] = :TLSv1
    => :TLSv1
    >> open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort") {|f| p f.content_type }
    OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure

    >> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ssl_version] = :TLSv1_2
    => :TLSv1_2
    >> open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort") {|f| p f.content_type }
    OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: wrong version number

Checking the server's SSL configuration on https://www.ssllabs.com/ssltest/analyze.html?d=w390w.gipuzkoa.net returns this error: "Assessment failed: Unexpected failure". Since I can access several similar webservices with Ruby 2, I guess they have something misconfigured.

Any ideas how I can access this webservice with Ruby 2?

Upvotes: 3

Views: 4818

Answers (2)

Anand Bhat

Reputation: 5819

That is quite a poor configuration for a server. Comodo's SSL Analyzer appears to be more lenient and shows the four supported cipher suites. Also, the server supports TLSv1.0.

Now, I cannot find a resource online that indicates if these cipher suites were disabled by default in Ruby 2, but here's something you can try:

  1. Enable the best of the ciphers using OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] = "DES-CBC3-SHA" (cipher name obtained from OpenSSL ciphers).

  2. Attempting to connect now should display this error as the site's CA isn't trusted:

    OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

  3. You can add this CA using ssl_ca_cert or bypass verification (not recommended) using ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE. E.g.,

    open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort", {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE}) {|f| p f.content_type }
    

You can also give Net::HTTP a shot.

Upvotes: 2

Steffen Ullrich

Reputation: 123521

The server supports only very few ciphers, most of them completely insecure (export ciphers, DES-CBC-SHA), and the only at least a bit secure cipher (DES-CBC3-SHA) is considered insecure since Sweet32. Chances are high that, because of this insecurity, modern TLS stacks in the client will fail with the handshake.

Upvotes: 2
