OpenSSL::SSL::SSLError Ubuntu 12.04 only
What is your current SSL_CERT_FILE environment variable set to?
Try setting the SSL_CERT_FILE environment variable to:
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
If that doesn't work and you are using RVM, maybe try setting the path to: ~/.rvm/usr/ssl/cert.pem
Before you make any changes just note down what the path currently is so that you can set it back if needed.
OpenSSL::SSL::SSLError in UsersController#create (SSL_connect returned=1 errno=0 state=unknown state: unknown protocol)
It appears to be related to a known bug in Ubuntu 12.04 when using OpenSSL 1.0.1, as described in the last answer here:
OpenSSL::SSL::SSLError Ubuntu 12.04 only
You can find more information about the bug on Ubuntu's bug tracker https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371
Apparently, if you force the use of SSLv3, the error should disappear.
Ruby SSL error - sslv3 alert unexpected message
You might also want to check out if leotechnosoft.net is blocking port 25 when using SSL, as some hosting providers sometimes block port 25 by default. When you're using SSL, try with port 465 instead.
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
That sometimes happens if the default 'OpenSSL directory' is not set correctly with the native OpenSSL library. open-uri uses OpenSSL::X509::Store#set_default_paths in order to tell OpenSSL to look in the OpenSSL directory for the file that contains the trusted root certificates that OpenSSL trusts by default.
In your case, this lookup fails. You can make it succeed by setting an environment variable that overrides the default setting and tells OpenSSL to look in that directory instead:
export SSL_CERT_FILE=/etc/pki/tls/cert.pem
That's the default location for the root CA bundle on my Fedora 16 64 bit, other popular locations are /etc/ssl/ca-bundle.crt etc. In your case, the OpenSSL library used by RVM is located in $rvm_path/usr, so you should look around there for a suitable candidate for the default root CA file. After the environment variable is set correctly, the call to open-uri will succeed.
To make the environment variable permanent, use the usual ways such as defining the export in .bashrc, /etc/profile or whatever fits best in your situation.
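A diagnostic for the lookup described in the answers above, as an added example that is not part of the original posts: it reports which CA file this Ruby's OpenSSL would consult (the SSL_CERT_FILE override or the compiled-in default), whether that file is readable, and which of the bundle paths named on this page exist instead. The helper names are hypothetical, and only the CA file is checked, not the certificate directory that set_default_paths also consults.

```ruby
require 'openssl'

# Bundle locations mentioned on this page (whether they exist depends on the distro).
PAGE_CANDIDATES = [
  '/etc/ssl/certs/ca-certificates.crt',
  '/etc/pki/tls/cert.pem',
  '/etc/ssl/ca-bundle.crt'
].freeze

READABLE = ->(path) { File.file?(path) && File.readable?(path) }

# Report which CA file set_default_paths would consult and whether it is usable.
# `env` and `readable` are injectable so the logic can be exercised without
# touching the real environment (hypothetical helper, not an OpenSSL API).
def diagnose_trust_store(env: ENV, readable: READABLE)
  var      = OpenSSL::X509::DEFAULT_CERT_FILE_ENV   # "SSL_CERT_FILE"
  compiled = OpenSSL::X509::DEFAULT_CERT_FILE       # path baked into libcrypto
  override = env[var]
  effective = override || compiled
  {
    env_var: var,
    override: override,
    compiled_default: compiled,
    effective_file: effective,
    usable: readable.call(effective),
    alternatives: PAGE_CANDIDATES.select { |p| p != effective && readable.call(p) }
  }
end

# Number of certificates in a PEM bundle; 0 means the file is not a usable bundle.
def count_pem_certs(pem_text)
  pem_text.scan(/^-----BEGIN CERTIFICATE-----\s*$/).size
end

if __FILE__ == $PROGRAM_NAME
  report = diagnose_trust_store
  report.each { |k, v| puts "#{k}: #{v.inspect}" }
  if report[:usable]
    puts "certs in bundle: #{count_pem_certs(File.read(report[:effective_file]))}"
  end
end
```

Run it with the same Ruby (for example the RVM-built one) that raises the error, since the compiled-in default differs between OpenSSL builds.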
OpenSSL can't establish SSL connection because unsupported protocol
www.abisource.com supports only TLS version 1.0, which is now broken (or at least weakened) and way obsolete. According to its headers it is Apache 2.2.15 (Fedora) which dates from 2010!
This therefore appears to be the same problem as OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol except Ubuntu instead of Debian and wget (used by octool) instead of openvpn. Try the accepted answer there: edit /etc/ssl/openssl.cnf under [system_default_sect] to downgrade MinProtocol=TLSv1 and possibly CipherString=DEFAULT:@SECLEVEL=1 -- the server's DHE key is 1k, and I don't recall if that works at level 2, although its cert is absurdly RSA 4k!
UPDATE: Okay, I downloaded and installed Ubuntu 20.04 including source for libssl1.1 and looked at it, and they did NOT keep the Debian approach here, they changed it. Specifically, they didn't change the openssl.cnf file to require TLSv1.2, instead they compiled OpenSSL/libssl to make the default SECLEVEL 2 and to have SECLEVEL 2 force TLSv1.2 (which it doesn't upstream).
However, you can still fix it by adding the desired (weak) configuration to openssl.cnf:
somewhere in the default section, i.e. before the first line beginning with [ , add a line
openssl_conf = openssl_configuration
I like putting it at the very top, but that's just me.
technically at any section boundary, but much-easiest at the end, add three new sections:
[openssl_configuration]
ssl_conf = ssl_configuration
[ssl_configuration]
system_default = tls_system_default
[tls_system_default]
CipherString = DEFAULT:@SECLEVEL=1
Now it works:
$ wget https://www.abisource.com/
--2020-06-20 05:11:11-- https://www.abisource.com/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7687 (7.5K) [text/html]
Saving to: ‘index.html’
index.html 100%[===================>] 7.51K --.-KB/s in 0.002s
2020-06-20 05:11:12 (3.90 MB/s) - ‘index.html’ saved [7687/7687]
This is, as you commented, a global change. You can change it for this specific operation by editing your copy of octool to add the option --ciphers=DEFAULT:@SECLEVEL=1 to the wget command(s). With the original openssl.cnf:
$ wget --ciphers=DEFAULT:@SECLEVEL=1 https://www.abisource.com/
--2020-06-20 05:15:21-- https://www.abisource.com/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7687 (7.5K) [text/html]
Saving to: ‘index.html.1’
index.html.1 100%[===================>] 7.51K --.-KB/s in 0s
2020-06-20 05:15:22 (330 MB/s) - ‘index.html.1’ saved [7687/7687]
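Because the openssl.cnf edit in the answer above is a global change, it is worth being able to audit a host for it. The following added example (not part of the original answer) follows the openssl_conf -> ssl_conf -> system_default chain and flags settings that relax the defaults; the parser is a simplified assumption that ignores .include and variable expansion, and the function names are hypothetical.

```ruby
# Constructed sample: the lines the answer above adds to openssl.cnf.
PAGE_CNF = <<~CNF
  openssl_conf = openssl_configuration

  [openssl_configuration]
  ssl_conf = ssl_configuration
  [ssl_configuration]
  system_default = tls_system_default
  [tls_system_default]
  CipherString = DEFAULT:@SECLEVEL=1
CNF

# Simplified reader (no .include, no $variable expansion): section => {key => value}.
# Keys that appear before the first [section] land in "default".
def parse_openssl_cnf(text)
  section = 'default'
  conf = Hash.new { |h, k| h[k] = {} }
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    if (m = line.match(/\A\[\s*(.+?)\s*\]\z/))
      section = m[1]
    elsif (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      conf[section][m[1]] = m[2]
    end
  end
  conf
end

# Follow openssl_conf -> ssl_conf -> system_default to the section libssl applies.
def system_default_settings(conf)
  root = conf.dig('default', 'openssl_conf')
  ssl  = conf.dig(root, 'ssl_conf') if root
  sect = conf.dig(ssl, 'system_default') if ssl
  sect ? conf.fetch(sect, {}) : {}
end

# Flag settings below the level-2 / TLSv1.2 default the answer describes for Ubuntu 20.04.
def weakening_findings(settings)
  findings = []
  level = settings['CipherString'].to_s[/@SECLEVEL=(\d)/, 1]
  findings << "CipherString lowers SECLEVEL to #{level}" if level && level.to_i < 2
  min = settings['MinProtocol']
  findings << "MinProtocol allows #{min}" if %w[SSLv3 TLSv1 TLSv1.1].include?(min)
  findings
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : PAGE_CNF
  puts weakening_findings(system_default_settings(parse_openssl_cnf(text)))
end
```

Pass the path to a real openssl.cnf as the first argument to audit it; with no argument the script checks the constructed sample.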
JRuby Net::HTTP Fails with OpenSSL::SSL::SSLError: Certificates does not conform to algorithm constraints
Found a solution outlined here:
http://sim.ivi.co/2011/07/java-se-7-release-security-enhancements.html
Short version:
Go into java_home/jre/lib/security/java.security
And change
jdk.certpath.disabledAlgorithms=MD2
to
jdk.certpath.disabledAlgorithms=
However, please be aware that this re-enables MD2 hashing, which has proven to not be secure. See:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409