OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
This is a problem on the server side. It looks like the server is exclusively accepting TLS 1.2 and does not show the usual behavior when the client requests something lesser (like downgrading or sending an SSL alert) but instead just closes the connection.
TLS 1.2 is not supported by OpenSSL 0.9.8 and additionally your code enforces SSLv3. You get TLS 1.2 only when upgrading to OpenSSL 1.0.1.
Some browsers will also fail to connect to this server, even if they have ways to work around such broken servers. But while Firefox will only try to downgrade the connection to a lesser SSL version (which often helps), Chrome manages to connect with TLS 1.2.
Edit: I've analyzed the issue further and now I cannot get a connection with TLS1.2 anymore but I can get a connection with TLS1.0 or SSL3.0, but only if the cipher is hard-coded to RC4-SHA. I've tried others like AES128-SHA or DES-CBC3-SHA and they don't work.
So, while it looks like a really messed-up system, explicitly setting
http.ssl_version = 'TLSv1' # or SSLv3, but TLSv1 is better
http.ciphers = 'RC4-SHA'
should work. I'm not a ruby user so the exact syntax might differ, but I've tested with OpenSSL s_client.
SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A - Faraday::Error::ConnectionFailed
Thanks to @mislav, who gave the hint to change the SSL version.
I had to change this because my partner has its application built using ASP.NET and uses this version of SSL. More info at https://mislav.net/2013/07/ruby-openssl/
So the final code is as follows:
Rails.application.config.middleware.use OmniAuth::Builder do
  client_id = 'my_client_id'
  client_secret = 'secret'
  ssl_options = {}
  ssl_options[:version] = :TLSv1
  ssl = {}
  ssl[:ssl] = ssl_options
  provider :partner, client_id, client_secret,
           client_options: { connection_opts: ssl },
           setup: ->(env) {
             req = Rack::Request.new(env)
             token_url = "https://#{req.params.fetch('shop')}"
             env['omniauth.strategy'].options[:client_options][:token_url] = token_url
           }
end
SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A (OpenSSL::SSL::SSLError)
Figured out the issue. I had an older version of Ruby (2.0.0); I upgraded to 2.1.2 and it works like magic. Not sure what Ruby 2.0.0 has that makes OpenSSL throw that error. Very useless error message in my opinion.
SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
Well, it turns out the root cause on this one was that MS Exchange was misconfigured. I would love to have learned more about SSL errors and how to troubleshoot them, but I just didn't get much info on this.
I did try to just troubleshoot this using OpenSSL. FYI, you can do:
OpenSSL> s_client -connect myserver:993
When it was broken, I received this error:
CONNECTED(00000003)
26831:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Once we fixed it, I got a cert and handshake message etc.
Here is what my Exchange admin said he did: "I just went to the IMAP protocol and went to the access tab. Then the certificates button. From there I chose to replace the cert and chose the new cert."
Excon::Error::Socket: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A (OpenSSL::SSL::SSLError)
It works when I switch from Windows to Linux.
Ruby: SSL_connect SYSCALL returned=5 errno=0 state=unknown state (OpenSSL::SSL::SSLError)
This looks like exactly the same problem I've answered in https://stackoverflow.com/a/29611892/3081018. Same problem: the server can only do TLS 1.0 and only supports DES-CBC3-SHA as cipher. This cipher is no longer enabled by default in recent ruby versions. To connect with this cipher try to specify the cipher explicitly in your code:
http.ssl_version = :TLSv1
http.ciphers = ['DES-CBC3-SHA']
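Several answers above found the working protocol/cipher pair by hand with s_client. The same search, written as an added Ruby example that is not part of any answer: `tls_attempt`, `probe_matrix` and `accepted` are hypothetical helper names, and the version and cipher lists are constructed from the values the answers mention.

```ruby
require 'openssl'
require 'socket'

# Constructed probe matrix: protocol versions and ciphers named in the answers.
VERSIONS = { 'TLSv1.0' => :TLS1_VERSION, 'TLSv1.2' => :TLS1_2_VERSION }.freeze
CIPHERS  = %w[RC4-SHA DES-CBC3-SHA AES128-SHA].freeze

# One handshake pinned to a single version and cipher (hypothetical helper).
#   :ok          handshake completed
#   :local       this client's OpenSSL cannot offer the pair
#   :peer_closed server dropped the connection mid-handshake
#   :rejected    any other handshake failure (alert, certificate, ...)
def tls_attempt(host, port, version_const, cipher)
  ctx = OpenSSL::SSL::SSLContext.new
  begin
    version = OpenSSL::SSL.const_get(version_const)
    ctx.set_params(min_version: version, max_version: version, ciphers: cipher)
  rescue OpenSSL::SSL::SSLError, NameError, ArgumentError
    return :local
  end
  tcp = Socket.tcp(host, port, connect_timeout: 5)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host # send SNI
  ssl.connect
  :ok
rescue OpenSSL::SSL::SSLError => e
  return :local if e.message =~ /no (protocols|ciphers) available/
  e.message =~ /SYSCALL|unexpected eof/ ? :peer_closed : :rejected
rescue Errno::ECONNRESET, Errno::EPIPE, EOFError
  :peer_closed
ensure
  tcp&.close
end

# Runs every version/cipher pair through `attempt` (injectable, so the matrix
# logic can be exercised offline) and returns { [label, cipher] => status }.
def probe_matrix(host, port, attempt: method(:tls_attempt))
  VERSIONS.each_with_object({}) do |(label, const), results|
    CIPHERS.each { |c| results[[label, c]] = attempt.call(host, port, const, c) }
  end
end

# Pairs the server accepted, i.e. what the client would have to pin.
def accepted(results)
  results.select { |_, status| status == :ok }.keys
end

if __FILE__ == $PROGRAM_NAME && ARGV.size == 2
  probe_matrix(ARGV[0], ARGV[1].to_i).each { |(v, c), s| puts format('%-8s %-13s %s', v, c, s) }
end
```

A row of `:local` results means the client library, not the server, is the limiting side, which is the situation the answers describe when a cipher is no longer enabled by default.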