
I am noticing an SSL handshake error when I am using the open-uri module of Ruby on Debian Squeeze, but it is working fine on Debian Wheezy and Debian Jessie.

Here is what I am noticing:

Debian Squeeze

```
root@0fdf024c8c42:/# cat /etc/issue
Debian GNU/Linux 6.0 \n \l

root@0fdf024c8c42:/# irb
irb(main):001:0> require 'open-uri'
=> true
irb(main):002:0> open("https://www.openssl.org")
OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
    from /usr/lib/ruby/1.9.1/net/http.rb:799:in `connect'
    from /usr/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
    from /usr/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
    from /usr/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
    from /usr/lib/ruby/1.9.1/net/http.rb:799:in `connect'
    from /usr/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
    from /usr/lib/ruby/1.9.1/net/http.rb:744:in `start'
    from /usr/lib/ruby/1.9.1/open-uri.rb:306:in `open_http'
    from /usr/lib/ruby/1.9.1/open-uri.rb:775:in `buffer_open'
    from /usr/lib/ruby/1.9.1/open-uri.rb:203:in `block in open_loop'
    from /usr/lib/ruby/1.9.1/open-uri.rb:201:in `catch'
    from /usr/lib/ruby/1.9.1/open-uri.rb:201:in `open_loop'
    from /usr/lib/ruby/1.9.1/open-uri.rb:146:in `open_uri'
    from /usr/lib/ruby/1.9.1/open-uri.rb:677:in `open'
    from /usr/lib/ruby/1.9.1/open-uri.rb:33:in `open'
    from (irb):2
    from /usr/bin/irb:12:in `<main>'
irb(main):003:0>
```

Debian Wheezy

```
root@d6d7e1af56d0:/# cat /etc/issue
Debian GNU/Linux 7 \n \l

root@d6d7e1af56d0:/# irb
irb(main):001:0> require 'open-uri'
=> true
irb(main):002:0> open("https://www.openssl.org")
=> #<StringIO:0x000000022aaec0>
```

Debian Jessie

```
root@405c251f32df:/# cat /etc/issue
Debian GNU/Linux 8 \n \l

root@405c251f32df:/# irb2.1
irb(main):001:0> require 'open-uri'
=> true
irb(main):002:0> open("https://www.openssl.org")
=> #<StringIO:0x00000001e45b78 @base_uri=#<URI::HTTPS:0x00000001e45ec0 URL:https://www.openssl.org>, @meta={"date"=>"Wed, 26 Aug 2015 11:56:57 GMT", "server"=>"Apache/2.4.7 (Ubuntu)", "strict-transport-security"=>"max-age=31536000; includeSubDomains", "accept-ranges"=>"bytes", "vary"=>"Accept-Encoding", "content-length"=>"2456", "content-type"=>"text/html; charset=UTF-8"}, @metas={"date"=>["Wed, 26 Aug 2015 11:56:57 GMT"], "server"=>["Apache/2.4.7 (Ubuntu)"], "strict-transport-security"=>["max-age=31536000; includeSubDomains"], "accept-ranges"=>["bytes"], "vary"=>["Accept-Encoding"], "content-length"=>["2456"], "content-type"=>["text/html; charset=UTF-8"]}, @status=["200", "OK"]>
```

I know this has nothing to do with the Ruby version because I tried updating the Ruby version, but it didn't help.

pradeepchhetri

1 Answer


Does the Squeeze machine have the ca-certificates package installed? Without that, there's no trusted set of root certificates which can be used to validate that a presented certificate is valid.

Assuming that ca-certificates is installed correctly, you may be having problems with TLS protocol compatibility. Squeeze, being rather old, has a version of OpenSSL that isn't quite up to par with modern standards. Some sites, like www.openssl.org, which you tested, may configure their TLS stack in such a way that it limits compatibility with older TLS stacks, such as the one that comes with squeeze.

On a test system, I'm getting the same results as you when attempting to open("https://www.openssl.org"), but connecting to some other sites works Just Fine. This ssllabs report indicates that www.openssl.org does not support TLS 1.0, which is what a connection from Squeeze is reporting as the highest version it supports. So, in this particular case, that's the problem you're having -- simple TLS version incompatibility.

womble
  • Yes, I verified that as well. The `ca-certificates` package is installed, but it is a slightly older version: `20090814+nmu3squeeze1` – pradeepchhetri Aug 26 '15 at 12:42
  • Well, the cert for `openssl.org`, at any rate, chains back to a quite well-established root, so I doubt that the problem is the age of the package. I've played around a little with a scratch squeeze machine, let me update my answer. – womble Aug 26 '15 at 21:06