
I have the following code:

    require 'net/http'
    require 'openssl'

    # parsed_url is a URI object parsed earlier in the calling code
    http = Net::HTTP.new(parsed_url.host, 443)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    protocol = "https"

In a single day thousands of calls are made. The server receiving the request has disabled SSLv3 because of the POODLE vulnerability. The actual HTTP call is wrapped in a timeout block that waits 8 seconds for a response from the server. This code executes the request successfully 99% of the time; however, occasionally a timeout occurs. After working with the Amazon support team, it was determined that all the calls that timed out were made using SSLv3, which caused a handshake error. All the successful calls used TLSv1.1 or TLSv1.2.

Can anyone shed some light on what might cause Ruby to occasionally use SSLv3 in its attempts? For additional context, this Ruby code is being used with Nginx / Phusion Passenger and is running on an Amazon EC2 instance.

bkahler
  • The explanation does not make much sense: a handshake error will not cause a timeout but instead closes the connection immediately. But typical problems for infrequent timeouts are the attempt to use non-blocking SSL sockets with select; see for example https://bugs.ruby-lang.org/issues/8875. It might be that Net::HTTP is doing something like this internally. – Steffen Ullrich Jan 07 '15 at 19:19
  • Thanks for the comment. I have updated the explanation a bit. The HTTP call is wrapped in an 8-second timeout block. – bkahler Jan 07 '15 at 19:45
  • *`http.verify_mode = OpenSSL::SSL::VERIFY_NONE`* - ice picks in my eyes. See this Ruby question on how to avoid `OpenSSL::SSL::VERIFY_NONE`: [SSLError: hostname “W.X.Y.Z” does not match the server certificate](http://stackoverflow.com/q/27795484/608639) – jww Jan 07 '15 at 20:03
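The question's `Net::HTTP` settings next to a hardened variant, plus a small audit helper, as an added example that is not part of the question or its comments. The hardened client pins a TLS 1.2 floor (`min_version`, Ruby 2.5+) so SSLv3 is never offered, verifies the server certificate instead of using `VERIFY_NONE`, and uses Net::HTTP's own socket timeouts rather than an outer timeout block; the URL is a constructed placeholder and no network call is made.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Constructed placeholder; the question does not show parsed_url's value.
EXAMPLE_URL = URI.parse('https://api.example.invalid/resource')

# Mirrors the settings posted in the question: certificate checks disabled
# and no protocol floor, so the client accepts whatever gets negotiated.
def weak_client(uri = EXAMPLE_URL)
  http = Net::HTTP.new(uri.host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  http
end

# Hardened variant: validates the server chain against the system CA store,
# refuses anything below TLS 1.2, and bounds connect/read time on the socket
# itself instead of wrapping the call in Timeout.timeout.
def hardened_client(uri = EXAMPLE_URL, timeout: 8)
  http = Net::HTTP.new(uri.host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  http.min_version = OpenSSL::SSL::TLS1_2_VERSION # Ruby >= 2.5
  http.open_timeout = timeout
  http.read_timeout = timeout
  http
end

# Returns a list of findings for a configured Net::HTTP; empty means it passes.
# Useful as a unit test guard so VERIFY_NONE cannot creep back into a code base.
def audit_tls_settings(http)
  findings = []
  findings << 'TLS not enabled' unless http.use_ssl?
  if http.verify_mode == OpenSSL::SSL::VERIFY_NONE
    findings << 'certificate verification disabled (VERIFY_NONE)'
  end
  findings << 'no minimum TLS version pinned' if http.min_version.nil?
  if http.min_version.is_a?(Integer) && http.min_version < OpenSSL::SSL::TLS1_2_VERSION
    findings << 'minimum TLS version below 1.2'
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  puts "weak:     #{audit_tls_settings(weak_client).inspect}"
  puts "hardened: #{audit_tls_settings(hardened_client).inspect}"
end
```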

0 Answers