OpenSSL::SSL::SSLError Ubuntu 12.04 only

What is your SSL_CERT_FILE environment variable set to?
Try setting the SSL_CERT_FILE environment variable to:

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

If that doesn't work and you are using RVM, maybe try setting the path to: ~/.rvm/usr/ssl/cert.pem

Before you make any changes just note down what the path currently is so that you can set it back if needed.

OpenSSL::SSL::SSLError in UsersController#create (SSL_connect returned=1 errno=0 state=unknown state: unknown protocol)

It appears to be related to a known bug in Ubuntu 12.04 when using OpenSSL 1.0.1, as described in the last answer here:

OpenSSL::SSL::SSLError Ubuntu 12.04 only

You can find more information about the bug on Ubuntu's bug tracker https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371

Apparently, if you force the use of SSLv3, the error should disappear.

Ruby SSL error - sslv3 alert unexpected message

You might also want to check out if leotechnosoft.net is blocking port 25 when using SSL as some hosting providers sometimes block port 25 by default. When you're using SSL try with port 465 instead.

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

That sometimes happens if the default 'OpenSSL directory' is not set correctly with the native OpenSSL library. open-uri uses OpenSSL::X509::Store#set_default_paths in order to tell OpenSSL to look in the OpenSSL directory for the file that contains the trusted root certificates that OpenSSL trusts by default.

In your case, this lookup fails. You can make it succeed by setting an environment variable that overrides the default setting and tells OpenSSL to look in that directory instead:

export SSL_CERT_FILE=/etc/pki/tls/cert.pem

That's the default location for the root CA bundle on my Fedora 16 64-bit; other popular locations are /etc/ssl/ca-bundle.crt etc. In your case, the OpenSSL library used by RVM is located in $rvm_path/usr, so you should look around there for a suitable candidate for the default root CA file. After the environment variable is set correctly, the call to open-uri will succeed.

To make the environment variable permanent, use the usual ways such as defining the export in .bashrc, /etc/profile or whatever fits best in your situation.

OpenSSL can't establish SSL connection because unsupported protocol

www.abisource.com supports only TLS version 1.0, which is now broken (or at least weakened) and way obsolete. According to its headers it is Apache 2.2.15 (Fedora) which dates from 2010!

This therefore appears to be the same problem as OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol except Ubuntu instead of Debian and wget (used by octool) instead of openvpn. Try the accepted answer there: edit /etc/ssl/openssl.cnf under [system_default_sect] to downgrade MinProtocol=TLSv1 and possibly CipherString=DEFAULT:@SECLEVEL=1 -- the server's DHE key is 1k, and I don't recall if that works at level 2, although its cert is absurdly RSA 4k!

UPDATE: Okay, I downloaded and installed Ubuntu 20.04 including source for libssl1.1 and looked at it, and they did NOT keep the Debian approach here, they changed it. Specifically, they didn't change the openssl.cnf file to require TLSv1.2, instead they compiled OpenSSL/libssl to make the default SECLEVEL 2 and to have SECLEVEL 2 force TLSv1.2 (which it doesn't upstream).

However, you can still fix it by adding the desired (weak) configuration to openssl.cnf:

  • somewhere in the default section, i.e. before the first line beginning with [, add a line

    openssl_conf = openssl_configuration

    I like putting it at the very top, but that's just me.

  • technically at any section boundary, but much-easiest at the end, add three new sections:

    [openssl_configuration]
    ssl_conf = ssl_configuration
    [ssl_configuration]
    system_default = tls_system_default
    [tls_system_default]
    CipherString = DEFAULT:@SECLEVEL=1

Note that since MinProtocol wasn't already there you don't need to add it (the code default is okay) but you can if you want.

Now it works:

$ wget https://www.abisource.com/
--2020-06-20 05:11:11-- https://www.abisource.com/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7687 (7.5K) [text/html]
Saving to: ‘index.html’

index.html 100%[===================>] 7.51K --.-KB/s in 0.002s

2020-06-20 05:11:12 (3.90 MB/s) - ‘index.html’ saved [7687/7687]

This is, as you commented, a global change. You can change it for this specific operation by editing your copy of octool to add the option --ciphers=DEFAULT:@SECLEVEL=1 to the wget command(s). With the original openssl.cnf:

$ wget --ciphers=DEFAULT:@SECLEVEL=1 https://www.abisource.com/
--2020-06-20 05:15:21-- https://www.abisource.com/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7687 (7.5K) [text/html]
Saving to: ‘index.html.1’

index.html.1 100%[===================>] 7.51K --.-KB/s in 0s

2020-06-20 05:15:22 (330 MB/s) - ‘index.html.1’ saved [7687/7687]
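Two things on this page can be reproduced in-process without touching a real server: the SSL_CERT_FILE answers above (verification fails only when the bundle OpenSSL reads does not contain the issuing root), and this answer's point that a 1k server key passes at SECLEVEL=1 but not at level 2. The Ruby script below is an added example, not code from any of the answers: it builds throwaway certificates in memory (a 2048-bit root and a 1024-bit server leaf standing in for the weak key mentioned above), verifies the leaf against a matching and a non-matching bundle file, and then runs a loopback TLS handshake with the client context at OpenSSL security level 1 and again at level 2. The candidate bundle paths, certificate names and the use of an ephemeral loopback port are assumptions made for the example. Setting security_level on a single SSLContext is the Ruby-side counterpart of the per-command --ciphers option above: the weakening stays scoped to that one context instead of the global openssl.cnf.

```ruby
require 'openssl'
require 'socket'
require 'tmpdir'
# Common root CA bundle locations (list constructed for this example; adjust per distro).
CANDIDATE_BUNDLES = ['/etc/ssl/certs/ca-certificates.crt', '/etc/pki/tls/cert.pem',
                     '/etc/ssl/ca-bundle.crt', '/etc/ssl/cert.pem'].freeze

# The file OpenSSL reads root CAs from: the SSL_CERT_FILE override if set, else the compiled-in default.
def effective_ca_file(env = ENV)
  env['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE
end

# First candidate bundle present on this host (nil if none): a sensible value to export as SSL_CERT_FILE.
def first_existing_bundle(candidates = CANDIDATE_BUNDLES)
  candidates.find { |path| File.file?(path) }
end

# Throwaway certificate and key. With no issuer it is a self-signed CA; with an
# [issuer_cert, issuer_key] pair it is a leaf signed by that CA. Test fixtures only.
def make_cert(cn, bits, issuer = nil)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[0] : cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify cert against a store loaded from one PEM bundle, the lookup open-uri performs via
# set_default_paths but with the bundle path made explicit. Returns [ok, error_or_nil].
def verify_with_bundle(cert, bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  ok = store.verify(cert)
  [ok, ok ? nil : store.error_string]
end

# Loopback TLS handshake: the server presents leaf (issued by ca); the client trusts ca and runs
# at client_level, so the 1024-bit leaf key is accepted at level 1 and rejected at level 2.
def handshake_at_level(ca, leaf, leaf_key, client_level)
  listener = TCPServer.new('127.0.0.1', 0)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.security_level = 1 # let the server load its deliberately weak key
  sctx.cert, sctx.key = leaf, leaf_key
  server = Thread.new do
    sock = listener.accept
    begin
      OpenSSL::SSL::SSLSocket.new(sock, sctx).accept.close
    rescue StandardError
      nil # the client aborting the handshake is the expected outcome at level 2
    ensure
      sock.close
    end
  end
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.security_level = client_level
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  cctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca) }
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', listener.addr[1]), cctx)
  ssl.sync_close = true
  begin
    ssl.connect
    [true, nil]
  rescue OpenSSL::SSL::SSLError => e
    [false, e.message]
  ensure
    ssl.close
    server.join
    listener.close
  end
end

# Run all four scenarios; returns their [ok, error] results keyed by name.
def demo
  ca, ca_key = make_cert('Example Root CA', 2048)
  other_ca, = make_cert('Unrelated Root CA', 2048)
  leaf, leaf_key = make_cert('example.test', 1024, [ca, ca_key])
  results = {}
  Dir.mktmpdir do |dir|
    good, wrong = File.join(dir, 'good-bundle.pem'), File.join(dir, 'wrong-bundle.pem')
    File.write(good, ca.to_pem); File.write(wrong, other_ca.to_pem)
    results[:right_bundle] = verify_with_bundle(leaf, good)
    results[:wrong_bundle] = verify_with_bundle(leaf, wrong)
  end
  results[:seclevel1] = handshake_at_level(ca, leaf, leaf_key, 1)
  results[:seclevel2] = handshake_at_level(ca, leaf, leaf_key, 2)
  results
end
if $PROGRAM_NAME == __FILE__
  puts "SSL_CERT_FILE resolves to: #{effective_ca_file}; bundle found: #{first_existing_bundle.inspect}"
  demo.each { |name, (ok, err)| puts "#{name}: #{ok ? 'ok' : "failed (#{err})"}" }
end
```

Run it with plain ruby. The wrong-bundle case reproduces the "certificate verify failed" from the open-uri answer (OpenSSL reports it as being unable to get the local issuer certificate), and the level-2 handshake is rejected by the client because the leaf key is too small for that level, which is the same check that makes a default Ubuntu 20.04 wget refuse the 1k DHE server above. The fix in both cases is to point the client at the right trust anchor or, if a weak peer must be reached, to lower the level on that one context rather than system-wide.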

JRuby Net::HTTP Fails with OpenSSL::SSL::SSLError: Certificates does not conform to algorithm constraints

Found a solution outlined here:
http://sim.ivi.co/2011/07/java-se-7-release-security-enhancements.html

Short version:
Go into java_home/jre/lib/security/java.security
And change

jdk.certpath.disabledAlgorithms=MD2

to

jdk.certpath.disabledAlgorithms=

However, please be aware that this re-enables MD2 hashing, which has proven to not be secure.

See:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
