ruby on rails - OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: unknown protocol

Question

I've followed many posts regarding this issue and non of them helped. I'm trying to connect using simplest irb commands:

require 'open-uri'
open ('https://aristo4stu3.bgu.ac.il')

The weird thing is that for any other https uri I tried, it worked fine (i.e. https://google.com).

For debugging purposes, I even tried to disable SSL verification using:

OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

which didn't seemed to help either.

My setup is (on AWS):

$ rvm -v

rvm 1.21.3 (stable) by Wayne E. Seguin <[email protected]>, Michal Papis <[email protected]> [https://rvm.io/]

$ ruby -v
ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-linux]

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 13.04
Release:    13.04
Codename:   raring

Complete log:

2.0.0-p247 :001 > require 'open-uri'
 => true 
2.0.0-p247 :002 > open('https://aristo4stu3.bgu.ac.il')
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: (null)
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in `start'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:313:in `open_http'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:708:in `buffer_open'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:210:in `block in open_loop'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:208:in `catch'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:208:in `open_loop'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:149:in `open_uri'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:688:in `open'
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/open-uri.rb:34:in `open'
    from (irb):2
    from /home/ubuntu/.rvm/rubies/ruby-2.0.0-p247/bin/irb:16:in `<main>'

Answer 1

The problem appears to be that your target site, aristo4stu3.bgu.ac.il, is picky about SSL/TLS handshaking. I got two different results with the following OpenSSL command with different versions of OpenSSL:

openssl s_client -connect aristo4stu3.bgu.ac.il:443

This does connect with the stock OpenSSL 0.9.8x on OS X 10.7.5. However, it does not connect using OpenSSL 1.0.1e - in that case the server just closes the connection (by sending a Close Notify alert) immediately after receiving the Client Hello.

I captured packets with Wireshark, and the difference between what these two versions send is that 0.9.8x is sending an SSLv2 Client Hello advertising support through TLS 1.0, while 1.0.1e is sending a TLSv1 Client Hello advertising support through TLS 1.2.

If I tell 1.0.1e not to use TLS:

openssl s_client -connect aristo4stu3.bgu.ac.il:443 -no_tls1

This connects successfully with an SSLv3 Client Hello advertising support through SSL 3.0.

Incidentally, my local ruby does make a successful connection with open-uri to your site:

$ irb
>> require 'open-uri'
=> true
>> open('https://aristo4stu3.bgu.ac.il')
=> #<StringIO:0x10271fa90>
>> require 'openssl'
=> false
>> OpenSSL::OPENSSL_VERSION
=> "OpenSSL 0.9.8r 8 Feb 2011"
>>

So the indicated approaches seem to be:

1. Upgrade the server to handle more Client Hello variants, or
2. Install a ruby that uses an older OpenSSL library, or
3. Change your program to send a different Client Hello.

It does not appear that the open-uri module has an option to set the SSL/TLS version used to communicate. If you can't modify the server you may need to use a different module or library to establish the connection, or perhaps find a way to patch the openssl module so it uses a different Client Hello.