How to use TLS 1.2 in Ruby Http requests?

Loganathan Sellappa

Feb 17, 2017, 6:11:40 AM
to bangal...@googlegroups.com
Hello,

I'm trying to access a third-party API using TLS 1.2, but I'm getting an SSL error (the request uses SSLv3 instead of TLS).

Can someone let me know the proper way to send a request with the TLS protocol?


    ua = Net::HTTP.new(SERVER, 443)
    ua.instance_eval {
      @ssl_context = OpenSSL::SSL::SSLContext.new
      options = OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
      if OpenSSL::SSL.const_defined?('OP_NO_COMPRESSION')
        options |= OpenSSL::SSL::OP_NO_COMPRESSION
      end
      @ssl_context.set_params({options: options})
    }
    # ua.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1_2) }
    ua.use_ssl = true

    # Checks presence of CA certificate
    if File.directory?(RootCA)
      ua.ca_path = RootCA
      ua.verify_mode = OpenSSL::SSL::VERIFY_PEER
      ua.verify_depth = 3
    else
      puts "Invalid CA certificates directory. Exiting..."
      exit
    end

Error:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    from /home/cp/.rbenv/versions/2.3.0/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock'
    from /home/cp/.rbenv/versions/2.3.0/lib/ruby/2.3.0/net/http.rb:933:in `connect'
    from /home/cp/.rbenv/versions/2.3.0/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
    from /home/cp/.rbenv/versions/2.3.0/lib/ruby/2.3.0/net/http.rb:852:in `start'
    from /home/cp/.rbenv/versions/2.3.0/lib/ruby/2.3.0/net/http.rb:1398:in `request'
    from /home/cp/.rbenv/versions/2.3.0/lib/ruby/2.3.0/net/http.rb:1421:in `send_entity'
    from /home/cp/.rbenv/versions/2.3.0/lib/ruby/2.3.0/net/http.rb:1209:in `post'

regards,
Loganathan

Satish Kota

Feb 17, 2017, 7:19:22 AM
to bangal...@googlegroups.com

Loganathan,

The SSLv3 error that you see is actually misleading. You might want to check the following:

1. Check your NGINX configuration file
   a. See if the CA certificate is configured correctly
   b. Check what protocols you have set, i.e. search for the keyword ssl_protocols and check if TLS 1.0, 1.1 and 1.2 have been configured
2. Check the code
   a. Many times you get this error when your Net::HTTP request is not correctly handled. See if your code is similar to the below

    require 'net/http'
    require 'uri'

    begin
      # urlstring, v1 and v2 are placeholders supplied by the caller
      uri = URI(urlstring)
      args = { :arg1 => v1, :arg2 => v2 }
      uri.query = URI.encode_www_form(args)
      resp = Net::HTTP.get_response(uri)
    rescue StandardError => ex
      # Report the failure instead of silently swallowing it
      warn "request failed: #{ex.class}: #{ex.message}"
    end

See if that works.

Regards
Satish Kota

--
You received this message because you are subscribed to the Google Groups "BANGALORE RUG-Ruby Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bangalorerug...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Loganathan Sellappa

Feb 17, 2017, 8:17:16 AM
to bangal...@googlegroups.com
Thanks Satish. I'm trying this API from irb, so I think this has nothing to do with Apache/Nginx configurations, and the requests are handled properly. I've checked with the API vendor and they accept only requests with TLS1/1.2. My assumption is that something (cipher) has to be updated on OpenSSL.

regards,
Loganathan


Satish Kota

Feb 17, 2017, 9:27:57 AM
to bangal...@googlegroups.com

No cipher and all… too many confusions on the internet…. Give first preference to the right NGINX settings and then the right way of calling the request… if both do not solve it, then think about cipher.

Note: we just solved this issue yesterday morning after wasting 2.5 days on it…

Regards
Satish Kota



Loganathan Sellappa

Feb 17, 2017, 10:34:57 AM
to bangal...@googlegroups.com
I'm using Apache; right now I'm upgrading my OS packages and I will update the Apache settings as you addressed.

regards,
Loganathan

Sent from handheld device.

Loganathan Sellappa

Mar 2, 2017, 1:58:29 AM
to bangal...@googlegroups.com
Hi All,

The issue has been resolved after updating OpenSSL and reinstalling Ruby with OpenSSL. Thanks for the support :)

regards,
Loganathan
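
An added example, not part of the thread or written by its participants: it splits the error text from the first post into handshake state and cause, reports which OpenSSL the running Ruby is linked against (what the final fix changed), and sets a TLS 1.2 floor on Net::HTTP through its public accessors. The helper names and the host `api.example.test` are assumptions made for illustration.

```ruby
require 'net/http'
require 'openssl'

# Error text copied from the first post in the thread.
THREAD_ERROR = 'SSL_connect returned=1 errno=0 state=SSLv3 read server ' \
               'certificate B: certificate verify failed'

# Split an SSLError message into handshake state and cause. In older OpenSSL
# builds "state=SSLv3 ..." names a handshake step shared by SSLv3 and TLS,
# not the negotiated protocol; the cause is the text after the last ": ".
def classify_ssl_error(message)
  reason = message.split(': ').last
  kind = case reason
         when /certificate verify failed/ then :trust_store
         when /wrong version number|unsupported protocol|protocol version/
           :protocol
         else :other
         end
  { state: message[/state=(.*?):/, 1], reason: reason, kind: kind }
end

# Which OpenSSL this Ruby was compiled against and which one is loaded now.
def openssl_report
  { built_against: OpenSSL::OPENSSL_VERSION,
    loaded: OpenSSL::OPENSSL_LIBRARY_VERSION,
    tls12: OpenSSL::SSL.const_defined?(:OP_NO_TLSv1_2) }
end

# Net::HTTP creates its own SSLContext when it connects, so TLS settings go
# through its public accessors. No connection is opened here.
def tls12_client(host, ca_path: nil)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  if http.respond_to?(:min_version=)
    http.min_version = OpenSSL::SSL::TLS1_2_VERSION # Ruby 2.5 and later
  else
    http.ssl_version = :TLSv1_2                     # older Ruby: exactly TLS 1.2
  end
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_path = ca_path if ca_path                 # nil keeps the default store
  http
end

if __FILE__ == $PROGRAM_NAME
  p classify_ssl_error(THREAD_ERROR)
  p openssl_report
  p tls12_client('api.example.test').use_ssl?       # placeholder host
end
```
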

