SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A

OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A

This is a problem at the server site. It looks like the server is exclusively accepting TLS 1.2 and does not show the usual behavior when the client requests something lesser (like downgrading or sending SSL alert) but instead just closes the connection.

TLS 1.2 is not supported by OpenSSL 0.9.8 and additionally your code enforces SSLv3. You get TLS 1.2 only when upgrading to OpenSSL 1.0.1.

Some browsers will also fail to connect to this server, even if they have ways to work around such broken servers. But while Firefox will only try to downgrade the connection to a lesser SSL version (which often helps), Chrome manages to connect with TLS 1.2.

Edit: I've analyzed the issue further and now I cannot get a connection with TLS1.2 anymore but I can get a connection with TLS1.0 or SSL3.0, but only if the cipher is hard coded to RC4-SHA. I've tried others like AES128-SHA or DES-CBC3-SHA and they don't work.
So while it looks like a really messed up system, explicitly setting

http.ssl_version = 'TLSv1'       # or 'SSLv3', but TLSv1 is better
http.ciphers = 'RC4-SHA'

should work. I'm not a ruby user so the exact syntax might differ, but I've tested with OpenSSL s_client.

SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A - Faraday::Error::ConnectionFailed

Thanks to @mislav who gave the hint to change SSL version.

I had to change this because my partner has its application built using asp.net and uses this version of SSL. More info at https://mislav.net/2013/07/ruby-openssl/

So the final code is as follows:

Rails.application.config.middleware.use OmniAuth::Builder do
  client_id = 'my_client_id'
  client_secret = 'secret'

  ssl_options = {}
  ssl_options[:version] = :TLSv1

  ssl = {}
  ssl[:ssl] = ssl_options

  provider :partner, client_id, client_secret,
           client_options: { connection_opts: ssl },
           setup: ->(env) {
             req = Rack::Request.new(env)
             token_url = "https://#{req.params.fetch('shop')}"
             env['omniauth.strategy'].options[:client_options][:token_url] = token_url
           }
end

SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A (OpenSSL::SSL::SSLError)

Figured out the issue. I had an older version of Ruby (2.0.0). I upgraded to 2.1.2 and it works like magic. Not sure what Ruby 2.0.0 has that makes OpenSSL throw that error. Very useless error message in my opinion.
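What the fields of this error string say, as an added example that is not part of the original answers: `returned=` is the `SSL_get_error()` code (5 is `SSL_ERROR_SYSCALL`), `errno=0` means the operating system reported no error (the peer simply closed the connection), and `state=` is the handshake step that was in progress. The names `parse_ssl_error` and `triage` are hypothetical helpers, and the triage wording is an assumption based on the answers on this page.

```ruby
# Added example: decode the fields of a Ruby OpenSSL handshake error string.
# Codes are the SSL_get_error() result values from OpenSSL's ssl.h.
SSL_ERROR_NAMES = {
  1 => 'SSL_ERROR_SSL', 2 => 'SSL_ERROR_WANT_READ', 3 => 'SSL_ERROR_WANT_WRITE',
  5 => 'SSL_ERROR_SYSCALL', 6 => 'SSL_ERROR_ZERO_RETURN'
}.freeze

# " peeraddr=..." is tolerated because newer openssl gem versions include it.
ERROR_RE = /(?<func>SSL_\w+)(?:\sSYSCALL)?\sreturned=(?<code>\d+)\serrno=(?<errno>\d+)
            (?:\speeraddr=\S+)?\sstate=(?<state>.+?)(?=\s\(|\s-\s|\z)/x

# Returns a hash of the parsed fields, or nil if the string has another shape.
def parse_ssl_error(message)
  m = ERROR_RE.match(message) or return nil
  code = m[:code].to_i
  { func: m[:func], code: code, errno: m[:errno].to_i,
    code_name: SSL_ERROR_NAMES.fetch(code, 'unknown'), state: m[:state] }
end

# Turns the parsed fields into a one-line hint about where to look next.
def triage(message)
  e = parse_ssl_error(message) or return 'not an OpenSSL handshake error string'
  stage = if e[:state] =~ /read server hello/i
            'before any ServerHello arrived'
          else
            "in state '#{e[:state]}'"
          end
  if e[:code] == 5 && e[:errno].zero?
    "peer closed the TCP connection without a TLS alert, #{stage}: " \
      'check protocol version, cipher suites and the server TLS configuration'
  elsif e[:code] == 5
    "socket I/O error (errno #{e[:errno]}), #{stage}"
  elsif e[:code] == 1
    "TLS protocol or certificate failure reported by OpenSSL, #{stage}"
  else
    "#{e[:code_name]}, #{stage}"
  end
end

# Sample input: error strings quoted on this page.
SAMPLES = [
  'SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A (OpenSSL::SSL::SSLError)',
  'SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A - Faraday::Error::ConnectionFailed',
  'Ruby: SSL_connect SYSCALL returned=5 errno=0 state=unknown state (OpenSSL::SSL::SSLError)'
].freeze

SAMPLES.each { |s| puts "#{s}\n  => #{triage(s)}" }
```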

SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A

Well it turns out the root cause on this one was MS Exchange was misconfigured. I would love to have learned more about SSL errors and how to troubleshoot them, but I just didn't get much info on this.

I did try to just troubleshoot this using OpenSSL, fyi, you can do:
OpenSSL> s_client -connect myserver:993

When it was broken, I received this error:
CONNECTED(00000003)
26831:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Once we fixed it, I got a cert and handshake message etc.

Here is what my exchange admin said he did: "I just went to the IMAP protocol and went to the access tab. Then the certificates button. From there I chose to replace the cert and chose the new cert."

Excon::Error::Socket: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A (OpenSSL::SSL::SSLError)

It works when I switch from Windows to Linux.

Ruby: SSL_connect SYSCALL returned=5 errno=0 state=unknown state (OpenSSL::SSL::SSLError)

This looks like exactly the same problem I've answered in https://stackoverflow.com/a/29611892/3081018. Same problem: the server can only do TLS 1.0 and only supports DES-CBC3-SHA as cipher. This cipher is no longer enabled by default in recent ruby versions. To connect with this cipher try to specify the cipher explicitly in your code:

http.ssl_version = :TLSv1
http.ciphers = ['DES-CBC3-SHA']

