3

I am trying to use a webservice with ruby, but there seems to be an issue with its SSL configuration and ruby 2:

    >> require "open-uri"
    => true
    >> open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort") {|f| p f.content_type }
    OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure

I've tried with curl and openssl and it works:

    curl https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort
    openssl s_client -connect w390w.gipuzkoa.net:443

It also works with ruby 1.9:

    irb(main):001:0> require "open-uri"
    => true
    irb(main):003:0> open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort") {|f| p f.content_type }
    "text/html"

With ruby 2, I've tried using TLS, without success:

    >> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ssl_version] = :TLSv1
    => :TLSv1
    >> open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort") {|f| p f.content_type }
    OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure

    >> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ssl_version] = :TLSv1_2
    => :TLSv1_2
    >> open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort") {|f| p f.content_type }
    OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: wrong version number

Checking the server's SSL configuration on https://www.ssllabs.com/ssltest/analyze.html?d=w390w.gipuzkoa.net returns this error: "Assessment failed: Unexpected failure". Since I can access several similar webservices with ruby 2, I guess they have something misconfigured.

Any ideas how I can access this webservice with ruby 2?

Lluís

2 Answers

2

The server supports only very few ciphers, most of them completely insecure (export ciphers, DES-CBC-SHA), and the only cipher that is at least a bit secure (DES-CBC3-SHA) has been considered insecure since Sweet32. Chances are high that because of this insecurity modern TLS stacks in the client will fail the handshake.

Steffen Ullrich
2

That is quite a poor configuration for a server. Comodo's SSL Analyzer appears to be more lenient and shows the four supported cipher suites. Also, the server supports TLSv1.0.

Now, I cannot find a resource online that indicates if these cipher suites were disabled by default in Ruby 2, but here's something you can try:

  1. Enable the best of the ciphers using `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers] = "DES-CBC3-SHA"`. Cipher name obtained from OpenSSL ciphers.

  2. Attempting to connect now should display this error as the site's CA isn't trusted:

    OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

  3. You can add this CA using `ssl_ca_cert` or bypass verification (not recommended) using `ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE`. E.g.,

    open("https://w390w.gipuzkoa.net/WAS/HACI/HFAServiciosProveedoresWEB/services/FacturaSSPPWebServiceProxyPort", {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE}) {|f| p f.content_type }
    

You can also give Net::HTTP a shot.

Anand Bhat
  • thanks! with `DES-CBC3-SHA` it works, and thanks for the ciphers list, it's hard to find, a link on the ruby doc would be very useful! – Lluís Sep 30 '16 at 07:19
  • https://www.openssl.org/docs/man1.0.2/apps/ciphers.html or `man ciphers` – Lluís Dec 28 '17 at 13:14
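
The steps in the second answer, written with `Net::HTTP` so that the legacy cipher applies to one connection instead of the global `DEFAULT_PARAMS`, and with the CA file supplied rather than verification disabled. This is an added example, not code from either answer; the host `legacy.example` and the CA file path are placeholders.

```ruby
require "net/http"
require "openssl"
require "uri"

LEGACY_CIPHER = "DES-CBC3-SHA" # the cipher the answer enables

# True if the local OpenSSL build can still offer `name`. Newer builds may
# compile out 3DES, in which case no Ruby setting will bring it back.
def cipher_available?(name)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = name
  # Read the list back instead of trusting the setter alone.
  ctx.ciphers.any? { |cipher_name, *_| cipher_name == name }
rescue OpenSSL::SSL::SSLError
  false
end

# Build a client for one legacy host. The weak cipher is set on this
# connection only, and the peer is still verified against `ca_file`.
def legacy_client(url, ca_file:, cipher: LEGACY_CIPHER)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.ciphers = cipher
  http.ca_file = ca_file
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http
end

# Performs the request (needs network access; not called on load).
def content_type(url, ca_file:)
  uri = URI(url)
  legacy_client(url, ca_file: ca_file).start do |http|
    http.request_get(uri.request_uri)["Content-Type"]
  end
end

# Usage, with placeholder host and CA path:
#   content_type("https://legacy.example/service", ca_file: "legacy-ca.pem")
```

If `cipher_available?(LEGACY_CIPHER)` returns false, the handshake failure comes from the local OpenSSL build, not from Ruby's defaults.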