TLS protocol / version support issue TLSv3 support needed #348

Tectract opened this issue May 13, 2021 · 3 comments

@Tectract

One of the servers I'm using is now returning this. Argh.

> error : SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: tlsv1 alert protocol version

I have some old code that uses em-http-request and I see code that looks like this:

    class NetHTTPClient < APIClient
      def initialize(api_key = '', api_secret = '', api_pass = '', options = {})
        super(api_key, api_secret, api_pass, options)
        @conn = Net::HTTP.new(@api_uri.host, @api_uri.port)
        @conn.use_ssl = true if @api_uri.scheme == 'https'
        @conn.cert_store = self.class.whitelisted_certificates
        @conn.ssl_version = :TLSv1
      end

      private

      def http_verb(method, path, body = nil)
        case method
        when 'GET' then req = Net::HTTP::Get.new(path)
        when 'POST' then req = Net::HTTP::Post.new(path)
        when 'DELETE' then req = Net::HTTP::Delete.new(path)
        else fail
        end

here: https://github.com/Tectract/gdax-client/blob/master/lib/coinbase/exchange/adapters/net_http.rb

    @conn.ssl_version = :TLSv1

that line is surely a problem. How can I update to allow it to connect to the SSLV3 server? I believe this is related to SNI support...

@conn

conn commented May 13, 2021

I'm terribly allergic to poodles! Is there any way to update the server to TLSv1.3 before I make a visit?

@Tectract
Author

Luckily I tracked down this issue, it was actually making a request through the newrelic_rpm gem, NET::http method, which appears deprecated, lol. I was able to get it to connect to coinbase REST API again by updating this one line:

    @conn.ssl_version = :TLSv1

to:

    @conn.ssl_version = :TLSv1_2

Thankfully! All the new TLS NMI and version updates are causing havoc for old linux / rails / ruby implementations that used OpenSSL TLSv1. It's not the first time I have done battle with it, lol.

@Tectract
Author

Tectract commented May 13, 2021

Luckily my TLS stack for the webserver itself is upgraded and secured with TLS1.3. This is just a backend call to a third-party data provider, so as long as it works, I'm happy :)
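The version mismatch behind the `alert protocol version` error in this thread, reproduced locally as an added example (not code from the issue or from gdax-client). It goes one step past the one-line fix above by setting a TLS 1.2 floor with `min_version` instead of pinning a single version, so the client can still move to TLS 1.3 when the server offers it. The names `demo_server`, `negotiated_version`, `PINNED_TLS10`, `FLOOR_TLS12` and the host `tls-demo.invalid` are constructed for the example, and the server policy (TLS 1.2 minimum) is an assumption.

```ruby
require 'openssl'
require 'socket'

# Stand-in for the upgraded API server (assumption): constructed self-signed
# certificate, TLS 1.2 as the lowest accepted version.
def demo_server
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=tls-demo.invalid')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  [ctx, cert]
end

# `ssl_version = :TLSv1` allows TLS 1.0 only: minimum and maximum are both 1.0.
PINNED_TLS10 = ->(c) { c.min_version = c.max_version = OpenSSL::SSL::TLS1_VERSION }
# A floor instead of a pin: TLS 1.2 or anything newer that both peers support.
FLOOR_TLS12 = ->(c) { c.min_version = OpenSSL::SSL::TLS1_2_VERSION }

# One handshake over a local socket pair. Returns the negotiated protocol
# name, or nil when the two sides share no protocol version.
def negotiated_version(server_ctx, trusted_cert, &client_policy)
  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  client_ctx.cert_store = OpenSSL::X509::Store.new.add_cert(trusted_cert)
  client_policy.call(client_ctx)
  c_io, s_io = UNIXSocket.pair
  server = Thread.new do
    OpenSSL::SSL::SSLSocket.new(s_io, server_ctx).accept
  rescue StandardError
    nil # the server side of a refused handshake raises as well
  ensure
    s_io.close
  end
  OpenSSL::SSL::SSLSocket.new(c_io, client_ctx).connect.ssl_version
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
  nil
ensure
  c_io&.close
  server&.join
end
```

`Net::HTTP` exposes the same `min_version=` setter as `OpenSSL::SSL::SSLContext`, so the floor can be applied to a connection object like `@conn` directly. Hostname checking is not exercised here because a socket pair has no hostname.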
