I'm trying to make an API request in a Ruby app, on Mac OS X.
When I try something like this:
RestClient.get("https://api.foursquare.com/v2/venues/explore?near=NYC&query=McDonalds")
I get this (same when it's http):
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
from /Users/sasha/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `connect'
If I try open("https://..."), I get this:
OpenURI::HTTPError: 400 Bad Request
from /Users/sasha/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/open-uri.rb:353:in `open_http'
I took a look at some SO discussions about this, and in particular this one led me to believe it was an issue with my OpenSSL not finding the right cert.pem file. I'm using Homebrew, and my Homebrew OpenSSL is installed in /usr/local/bin. The original Mac version of OpenSSL is at /usr/bin, I think.
I followed the suggestions to set a global ENV variable SSL_CERT_FILE to the path to my cert.pem file as installed by Homebrew - /usr/local/etc/openssl/cert.pem, - and when I echo that variable, it is set correctly, but when I re-open a Ruby console and try again, I get the same error. Thoughts on what I'm doing wrong? I don't know much about OpenSSL, and I'm totally flummoxed by this one, given that it seems to be finding my certificate correctly.
EDIT
When I run which openssl, it shows the Mac version -- /usr/bin/openssl. This makes sense, given Homebrew's install notes:
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
/usr/local/etc/openssl/certs
and run
/usr/local/opt/openssl/bin/c_rehash
This formula is keg-only, which means it was not symlinked into /usr/local.
Mac OS X already provides this software and installing another version in
parallel can cause all kinds of trouble.
The OpenSSL provided by OS X is too old for some software.
Generally there are no consequences of this for you. If you build your
own software and it requires this formula, you'll need to add to your
build variables:
LDFLAGS: -L/usr/local/opt/openssl/lib
CPPFLAGS: -I/usr/local/opt/openssl/include
Is that the problem? I'm including the wrong cert.pem file given my version of OpenSSL?
state=SSLv3 read server hello A: sslv3 alert handshake failure
That is usually not a problem of a bad or missing certificate, but that the server does not like what the client sends, like an unsupported SSL version or no appropriate ciphers offered by the client.
I get this error with this host if I try to connect with SSL3.0 instead of TLS1.0 or higher, so please make sure that you don't use SSL3.0 anymore.
If this does not help, make a packet capture of the traffic and post it to cloudshark.org so that one can have a look at the traffic details.
Using Delphi 10.4:
I am trying to start an IdTCPServer with IdServerIOHandlerSSLOpenSSL.
Under Linux, I get a "EIdOSSLCouldNotLoadSSLLibrary; Could not load SSL library."
Under Windows, this works fine.
In the SSL directory, I now have both the Windows DLLs and the .so files which I generated by compiling "openssl-1.1.1j".
So the SSL directory contains libeay32.dll, ssleay32.dll, libcrypto.so, libssl.so.
Why does it not accept it under Linux?
First, you can't use Windows DLLs on Linux. You need Linux binaries, and on Linux TIdSSLIOHandlerSocketOpenSSL will be looking for libssl.so.x.x.x[l] and libcrypto.so.x.x.x[l] (where x.x.x is the version 1.0.2 or lower, and [l] is an optional letter a..z, or libssl.so/libcrypto.so symlinks that map to such versions).
Second, TIdSSLIOHandlerSocketOpenSSL, and by extension TIdServerIOHandlerSSLOpenSSL, does not support OpenSSL 1.1.x, only OpenSSL 1.0.2 and earlier, as you can see above.
To use OpenSSL 1.1.x, you need to use a different IOHandler. One is currently in a pull request awaiting review, and so has not been merged into Indy's main code yet, but you can try it and see if it works for you:
#299 Added new OpenSSL IO Handler for OpenSSL 1.1.1
I'm having an annoying issue with my AppInstaller file giving an error when trying to install an MSIXBundle file from an HTTPS URI:
App installation failed with error message: error 0x8007000D: Opening the package from location {package_name}.dev.msixbundle failed. (0x8007000d)
The AppInstaller file looks like this:
<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Uri="https://{domain}/{package_name}.dev.appinstaller" Version="1.0.0.0" xmlns="http://schemas.microsoft.com/appx/appinstaller/2018">
<MainBundle Name="{package_name}" Version="0.6.220.0" Publisher="CN={publisher}" Uri="https://{domain}/{package_name}.dev.msixbundle" />
<UpdateSettings>
<OnLaunch HoursBetweenUpdateChecks="0" ShowPrompt="true" />
</UpdateSettings>
</AppInstaller>
If I download the AppInstaller and MSIXBundle files locally and change the HTTPS protocol to be FILE:/// within the AppInstaller file, then it works fine. I can keep the AppInstaller Uri in the file to FILE:/// and set the MainBundle Uri to HTTPS and then it fails as well.
I've noticed that this only started happening on the latest 2 versions of Windows 10 (i.e. 2004 and 20H2). If I restart my PC, then the HTTPS protocol works fine and I can install the package by referencing the hosted AppInstaller file. But when I update the AppInstaller to indicate a new version of the package has been released, I get the above-mentioned error again during the update process. If I uninstall the package completely and try to install it again, I get the error as well.
I've been unable to find a reliable solution for this issue, so I was hoping some clever people out there might be able to help or at least point me in an alternative route if the AppInstaller is too buggy on the latest versions of Windows 10.
Although the post is a bit older, I'd like to share my experience with a similar behavior.
I got the error code when hosting the installer files using a self-signed certificate (SSL, not code sign) for the server.
After installing the root certificate to 'Trusted Root Certificates' of the local computer (installing for the current user did not fix the error), the installer worked as expected.
I'm not sure if this was your problem, since the installation worked after restarting the computer. For me the appinstaller never worked as long as I did not have the certificate installed.
When I attempt to start my Rails server, I receive an error that reads:
OpenSSL::X509::StoreError: setting default path failed: Invalid keystore format
I suspect that my machine's keystore has somehow become corrupted. Does anyone know how I might go about resolving this issue?
I was trying to install cucumber gem for Ruby.
Although there were a few topics somewhat related to this, I can't find the exact question with an exact answer. When on Windows I try to run the command gem install cucumber, the console returns:
ERROR: Unable to download data from https://rubygems.org/ -
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
(https://s3.amazonaws.com/production.s3.rubygems.org/specs.4.8.gz)
Then, I googled for a solution and found some suggestions to remove source in here. I ran gem sources -r and it has been removed.
But did that not only in cucumber. Now I'm even unable to add source.
I had the same issue a while back after moving to Ruby 2.0.0.
Follow these steps to solve it:
1) Visit the URL http://curl.haxx.se/ca/cacert.pem and save the contents as a .pem file. (Do not save it as a text file. Make sure the extension is .pem.)
2) Copy the file to any local path, e.g. C:\ruby200\ca_cert.pem (in my case).
3) Now add an environment variable with the name SSL_CERT_FILE and the value "C:\ruby200\ca_cert.pem" (without quotes; the path is from my case, replace it with the appropriate path). Environment variables can be added by navigating to Computer -> Advanced Settings -> Environment Variables.
4) Close all your command prompts and restart them. Things should work fine now.
This issue occurs due to changes in rubygems.org infrastructure.
Please follow the link below:
https://gist.github.com/luislavena/f064211759ee0f806c88
Hope it will help you.
I'm working on an MDM NodeJS server for iOS. In the Apple docs, the following Ruby code is given:
p7sign = OpenSSL::PKCS7::PKCS7.new(req.body)
store = OpenSSL::X509::Store.new
p7sign.verify(nil, store, nil, OpenSSL::PKCS7::NOVERIFY)
signers = p7sign.signers
What would be the equivalent in NodeJS?
The idea is to access p7sign.data that contains an xml plist.
Is this possible using either crypto or an external node lib (ursa, etc)?
A good option would be to use child_process to invoke openssl directly. I do that to validate iOS .mobileprovision files.
$ openssl smime -verify -in FILE -inform der
The openssl command needs to be the apple-provided (not from ports or homebrew) so that it can find signing certificates and CA's in the keychain.
I haven't tried this myself, but the node-forge library contains an implementation of many cryptographic algorithms.
https://npmjs.org/package/node-forge#pkcs7