I been using httparty to communicate with a API for my rails application
The problem I'm having was when decided to run it on a different server.
we kept getting this error:
SSL_connect returned=1 errno=0 state=unknown state: tlsv1 alert protocol version
its running fine with no errors with my current environment so I'm not sure what I'm missing to make it run on my other server
my code:
require 'httparty'
require 'pp'
require 'openssl'
def self.get_token
include HTTParty
base_uri = self.base_url
base_uri = base_uri+'oauth/'+'token'
response = HTTParty.post(base_uri,verify:false,
:body =>{
:grant_type=>'password',
:client_id=>'3',
:client_secret=> 'eGSjPBZV70IsJwnyjNn7EYI6vci0bGrFbJkJNVof',
:password=>'Passw0rd!',
:username=>'myemail#gmail.com'
},)
token = response.parsed_response['access_token']
return token
end `
You are getting an alert/warning, not an error. This is possible due to the fact that the TLS version you are using is not recommended because of security issues.
According to HTTParty documentation, you can change the TLS version with the following code:
ssl_version :SSLv3
Try this v3 version or v2 version and see if it removes the warning message.
Related
I'm using Shrine RemoteUrl plugin in a Rails app to get some file (pdf) from a remote site.
This site have an old https certificate a i'm getting some errors like this:
{:media=>["download failed: SSL_connect returned=1 errno=0 state=error: dh key too small"]}
I can't modify the conf of the remote site so i think i need to bypass SSL verification.
But can't find a way to do it.
I'm trying to do this in the Shrine initializer file but i don't know how to pass the right options to Down::Http.
Down::Http backend implements downloads using the http.rb gem (and you can Disabling Certificate Verification with it)
Shrine.plugin :remote_url, max_size: 20*1024*1024, downloader: -> (url, max_size:, **options) do
Down::Http.download(url, max_size: max_size, **options) do |http|
http.follow(max_hops: 2).timeout(connect: 2, read: 2)
end
end
Any help much appreciated. Thanks!
Down::Http.download forwards all options to http.rb, so you can pass the same :ssl_context option:
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
Down::Http.download(url, max_size: max_size, ssl_context: ctx, **options) do |http|
http.follow(max_hops: 2).timeout(connect: 2, read: 2)
end
Currently running into an issue where my background workers which are communicating with elasticsearch via elasticsearch-client are running into SSL errors inside Faraday.
The error is this:
SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
The configuration works fine some of the time (around ~50%) and it has never failed for me inside of a console sessions.
The trace of the command is this:
curl -X GET 'https://<host>/_alias/models_write?pretty
The client config is this
Thread.current[:chewy_client] ||= begin
client_configuration[:reload_on_failure] = true
client_configuration[:reload_connections] = 30
client_configuration[:sniffer_timeout] = 0.5
client_configuration[:transport_options] ||= {}
client_configuration[:transport_options][:ssl] = { :version => :TLSv1_2 }
client_configuration[:transport_options][:headers] = { content_type: 'application/json' }
client_configuration[:trace] = true
client_configuration[:logger] = Rails.logger
::Elasticsearch::Client.new(client_configuration) do |f|
f.request :aws_signers_v4,
credentials: AWS::Core::CredentialProviders::DefaultProvider.new,
service_name: 'es',
region: ENV['ES_REGION'] || 'us-west-2'
end
end
As you can see I explicitly set the ssl version to TSLv1_2, but still getting an SSLv3 error.
Thought maybe it was a race condition issue. So ran a script spawning about 10 processes with 50 threads each and calling the sidekiq perform method inside and still not able to reproduce.
I am using the managed AWS 2.3 Elasticsearch if that is at all relevant.
Any help or guidance in the right direction would be greatly appreciated, I would be happy to attach as much info as needed.
Figured it out. The problem was that the elasticsearch-ruby gem autoloads in an http adapter that it detects if one is not specified. The one used in my console was not the one getting auto loaded into sidekiq.
The sidekiq job was using the HTTPClient adapter which did not respect the SSL version option. Thus I was getting this error. After explicitly defining the faraday adapter it worked.
I am making a Ruby On Rails application and I am attempting to use the Google Plus API's for user sign in. To do this I am using Signet an OAuth helper library. I am looking at this code as an example of Signet with Google APIs.
Here is my code:
require "signet/oauth_2/client"
require "google/api_client"
oathClient = Signet::OAuth2::Client.new(
:authorization_uri => "https://accounts.google.com/o/oauth2/auth",
:token_credential_uri => "https://accounts.google.com/o/oauth2/token",
:client_id => Rails.application.secrets.gapi_client_id,
:client_secret => Rails.application.secrets.gapi_client_secret,
:redirect_uri => Rails.application.secrets.gapi_redirect_uri,
:scope => "https://www.googleapis.com/auth/plus.login")
gapi_client = Google::APIClient.new(
:application_name => "Branches",
:application_version => "0.0.1")
oathClient.code = request.body.read
oathClient.fetch_access_token!#Error on this line
gapi_client.authorization = oathClient
An error occurs on the second to last line:
oathClient.fetch_access_token!
This is the error:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I have done some research and it seams like this is caused by the lack of certificate information. However none of the solution's shown address this issue when dealing with Signet.
OS: Windows 8 x64
RoR version: 4.1.1
Signet Version: 0.5.1
Google API Client Version: 0.6.2
Looks related to https://github.com/googleapis/google-api-ruby-client/issues/235, where the solutions were:
update openssl
if you're using a custom .pem file, set it with: export SSL_CERT_FILE=/path/to/custom/certificate/authority.pem
I am trying to parse an HTTPS XML feed via Nokogiri but I get this OpenSSL error:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
I can also see the SSL_CERT_FILE:
echo $SSL_CERT_FILE
/home/user/certs/cacert.pem
This is how I am trying to parse:
#feed = "https://example.com/feed1.xml"
doc = Nokogiri::XML(open(#feed)
I tried to bypass the OpenSSL verification, but I still get the same error:
doc = Nokogiri::XML(open(#feed,{ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE}))
Can anyone help?
This problem usually appears on Windows.
One quick solution is to pass ssl_verify_mode to open
require 'open-uri'
require 'openssl'
open(some_url, ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE)
Another quick one is overriding OpenSSL::SSL::VERIFY_PEER in the beginning of your script by doing
require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
Those who want real solution can try method described on https://gist.github.com/fnichol/867550
So I've upgraded an app from rails 2.2 to 2.3.12 and my last remaining issue is the problem of facebook connect integration.
I am using the oauth2 gem for this and well I keep getting the following error
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
I've tried to follow the descriptions on the oauth2 wiki page just to end up with anohter error that was solved by forking the project and adapting the code. read here.
I do not have the issue on my development server but only in production.
my client code looks as follows
def client
ca_file = File.join('/etc/ssl/cacert.pem')
#client ||= OAuth2::Client.new( 'app_id', 'app_secret', {
:site => {
:url=>'https://graph.facebook.com',
:ssl=>{
:verify => OpenSSL::SSL::VERIFY_PEER,
:ca_file => ca_file
}
},
:adapter => :NetHttp
})
#client
end
I've confirmed about a hundred times now that my cacert.pem file is there and that
the rights are ok.
Any ideas on where to begin debugging are welcome.
SOLVED
I moved this site on to a new server running Debian 6.0 (sqeeze) instead of 5.0 (etch) and this solved my problem. My take on this is that I got a newer version of OpenSSL:
Debian 6.0: OpenSSL 0.9.8o 01 Jun 2010
Debian 5.0: OpenSSL 0.9.8g 19 Oct 2007
I can't guarantee that this was the issue but since it's now working with no code changes. I assume it is.