SoapSeller / omniauth-facebook-access-token


OpenSSL::SSL::SSLError with SSLv3 #10

Status: closed (sush closed this 9 years ago)

sush commented 9 years ago

I've been using this cool gem in production for a while, but it suddenly stopped working and raises the following exception every time the callback URL is called: Faraday::Error::ConnectionFailed: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure

The only way to get rid of it was to remove the forced use of SSLv3 in the options.

Any idea why it suddenly stopped working?

Thanks!

jrreed commented 9 years ago

I think this is because of the POODLE security issue that Google announced today.

I haven't seen any announcement from Facebook that they have stopped accepting SSLv3, but it certainly looks that way. If you try their servers you'll see that you can hit them with TLSv1 and SSLv3, but not SSLv3:

curl --tlsv1 -v https://graph.facebook.com/app SUCCEEDS
curl --sslv2 -v https://graph.facebook.com/app SUCCEEDS
curl --sslv3 -v https://graph.facebook.com/app FAILS

We've put in a workaround to override the client options in our omniauth initializers so that it uses TLSv1.

hmayer00 commented 9 years ago

To follow up, in our devise initializer we now have:

config.omniauth :facebook_access_token, <app_id>, <app_secret>, :client_options => { :ssl => { :version => "TLSv1" } }

That seemed to fix it for us.

As far as the gem itself, facebook-access-token:19 (linked above) needs to change to be "TLSv1" (I think?). @SoapSeller, is there a reason for it to be using SSLv3 in the first place?

sush commented 9 years ago

Thanks @jrreed for the quick response, makes sense :)

I now force the use of TLSv1_2.

SoapSeller commented 9 years ago

I've merged PR #12, which changes the default to SSLv23, and pushed a new version (0.1.15) with it. Please let me know if you are still having issues with it.

@hmayer-rp, it was a long time ago, but IIRC when I wrote this I had an issue with my Linux machine refusing to connect to Facebook with the default setting, and forcing SSLv3 seemed like an OK solution.

hmayer00 commented 9 years ago

Thanks for the quick work @SoapSeller. Regarding TLSv1_2, I think that TLSv1.2 isn't currently an option in Ruby 1.9, so we're stuck with TLSv1. I'm a n00b on this stuff, so I'm not really qualified to comment on the choice between SSLv23 and TLSv1. But I think that since we're talking about server-to-server communication, and Facebook has cut support for SSLv3, moving forward to TLSv1 is probably the better and longer-lived solution.

One could also try not specifying an SSL version at all. I'm not sure what the ramifications of that would be, but I assume it would just use whatever OpenSSL wanted to use (which I believe is configurable at the application level).

SoapSeller commented 9 years ago

@hmayer-rp, you're welcome.

The SO answer you've linked to states that if we set ssl to SSLv23 and both our client (Ruby) and server (Facebook) support TLS 1.2, it will use it. In other words, the newest version of SSL that both sides support will be used.

SSLv23 is currently the default in OpenSSL, so I will remove it as per your suggestion. (And yes, it will still be available to configure at the app level, like in your earlier example).
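The negotiation behaviour discussed above, shown with a loopback handshake against a server that (like Facebook after POODLE) accepts nothing below TLS 1.2. This is an added example, not code from the gem; it assumes Ruby's stdlib openssl and socket only, and `:SSLv23` / `:TLSv1` are the same values Faraday passes through from `:ssl => { :version => ... }`.

```ruby
require 'openssl'
require 'socket'

# Throw-away self-signed certificate for the in-process server (constructed here).
def build_self_signed
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Server that refuses SSLv3, TLS 1.0 and TLS 1.1, as the thread describes Facebook doing.
def strict_server_context(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx
end

# Client context set up the way the gem's :ssl => { :version => ... } option does it.
def client_context(version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ssl_version = version                    # :SSLv23 = negotiate, :TLSv1 = pin to 1.0
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE  # only because the cert above is throw-away
  ctx
end

# Runs one loopback handshake; returns the negotiated protocol name or the error class name.
def negotiate(server_ctx, client_ctx)
  listener = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do
    begin
      s = OpenSSL::SSL::SSLSocket.new(listener.accept, server_ctx)
      s.accept
      s.close
    rescue StandardError
      nil # a rejected handshake is the expected outcome for the pinned client
    end
  end
  tcp = TCPSocket.new("127.0.0.1", listener.addr[1])
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, client_ctx)
  ssl.connect
  ssl.ssl_version
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError => e
  e.class.name
ensure
  tcp&.close
  listener&.close
  server&.join
end

# :SSLv23 picks the highest version both sides support; pinning to TLSv1 is refused.
def demo
  key, cert = build_self_signed
  server = strict_server_context(key, cert)
  { auto: negotiate(server, client_context(:SSLv23)),
    pinned: negotiate(server, client_context(:TLSv1)) }
end

puts demo if __FILE__ == $0
```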

hmayer00 commented 9 years ago

Ah, okay, I totally misread that (also, I think the name SSLv23 is pretty misleading...). So thanks for pointing out that that's definitely the one to use; we'll remove our TLSv1 specification as soon as the new version is out.

SoapSeller commented 9 years ago

FYI, I've removed the SSL version setting and pushed a new version out (0.1.6).