igrigorik / em-http-request

Asynchronous HTTP Client (EventMachine + Ruby)

TLS protocol / version support issue TLSv3 support needed #348

Open Tectract opened 3 years ago

Tectract commented 3 years ago

One of the servers I'm using is now returning this. Argh.

> error : SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: tlsv1 alert protocol version

I have some old code that uses em-http-request and I see code that looks like this:

    class NetHTTPClient < APIClient
      def initialize(api_key = '', api_secret = '', api_pass = '', options = {})
        super(api_key, api_secret, api_pass, options)
        @conn = Net::HTTP.new(@api_uri.host, @api_uri.port)
        @conn.use_ssl = true if @api_uri.scheme == 'https'
        @conn.cert_store = self.class.whitelisted_certificates
        @conn.ssl_version = :TLSv1   # pins the handshake to exactly TLS 1.0
      end

      private

      def http_verb(method, path, body = nil)
        case method
        when 'GET' then req = Net::HTTP::Get.new(path)
        when 'POST' then req = Net::HTTP::Post.new(path)
        when 'DELETE' then req = Net::HTTP::Delete.new(path)
        else fail
        end
        # remainder of the method is not quoted in the issue
      end
    end

here : https://github.com/Tectract/gdax-client/blob/master/lib/coinbase/exchange/adapters/net_http.rb

@conn.ssl_version = :TLSv1

that line is surely a problem. How can I update to allow it to connect to the SSLV3 server? I believe this is related to SNI support...

conn commented 3 years ago

I'm terribly allergic to poodles! Is there any way to update the server to TLSv1.3 before I make a visit?

Tectract commented 3 years ago

Luckily I tracked down this issue, it was actually making a request through the newrelic_rpm gem, NET::http method, which appears deprecated, lol. I was able to get it to connect to coinbase REST API again by updating this one line:

@conn.ssl_version = :TLSv1

to:

@conn.ssl_version = :TLSv1_2

Thankfully! All the new TLS SNI and version updates are causing havoc for old linux / rails / ruby implementations that used OpenSSL TLSv1. It's not the first time I have done battle with it, lol.
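The fix above swaps one exact pin (`:TLSv1`) for another (`:TLSv1_2`). The following is an added example, not code from the issue, from em-http-request, or from the gdax-client project: it shows, using only `Net::HTTP` attributes and no network access, why `ssl_version=` fixes both the floor and the ceiling of the handshake, and why setting `min_version=` alone is the more durable choice. The host `api.example.invalid` and the helper names (`pinned_client`, `floored_client`, `offered_range`, `rejected_by_server?`) are constructed for the example.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Added example (not from the issue or the project).
# ssl_version= sets min == max == version, so the client offers exactly one
# protocol version and breaks again as soon as the server drops it.
# min_version= sets only a floor and lets OpenSSL negotiate upward.

# The original code's approach: one exact protocol version.
def pinned_client(uri, version = :TLSv1_2)
  conn = Net::HTTP.new(uri.host, uri.port)
  conn.use_ssl = (uri.scheme == 'https')
  conn.verify_mode = OpenSSL::SSL::VERIFY_PEER
  conn.ssl_version = version      # min == max == version
  conn
end

# Preferred: a TLS 1.2 floor, no ceiling, so 1.3 is used when both sides support it.
def floored_client(uri, floor = OpenSSL::SSL::TLS1_2_VERSION)
  conn = Net::HTTP.new(uri.host, uri.port)
  conn.use_ssl = (uri.scheme == 'https')
  conn.verify_mode = OpenSSL::SSL::VERIFY_PEER
  conn.min_version = floor
  conn.max_version = nil          # newest mutually supported version wins
  conn
end

# Map OpenSSL's numeric version constants to the symbols Net::HTTP accepts.
VERSION_NAMES = {
  OpenSSL::SSL::TLS1_VERSION   => :TLSv1,
  OpenSSL::SSL::TLS1_1_VERSION => :TLSv1_1,
  OpenSSL::SSL::TLS1_2_VERSION => :TLSv1_2,
}
VERSION_NAMES[OpenSSL::SSL::TLS1_3_VERSION] = :TLSv1_3 if defined?(OpenSSL::SSL::TLS1_3_VERSION)

# Summarise what the client will offer, from its attributes alone (no connection).
# Returns [floor, ceiling] as symbols; :any means "no limit".
def offered_range(conn)
  return [conn.ssl_version, conn.ssl_version] if conn.ssl_version   # exact pin
  floor   = conn.min_version ? VERSION_NAMES.fetch(conn.min_version, :unknown) : :any
  ceiling = conn.max_version ? VERSION_NAMES.fetch(conn.max_version, :unknown) : :any
  [floor, ceiling]
end

# Would a server whose oldest accepted version is `server_floor` reject this client
# with "alert protocol version", as in the issue? Pure comparison, no network.
ORDER = [:TLSv1, :TLSv1_1, :TLSv1_2, :TLSv1_3].freeze
def rejected_by_server?(conn, server_floor)
  _floor, ceiling = offered_range(conn)
  return false if ceiling == :any          # client can go as high as the server needs
  ORDER.index(ceiling) < ORDER.index(server_floor)
end

if __FILE__ == $PROGRAM_NAME
  api = URI('https://api.example.invalid/')   # constructed placeholder; nothing is contacted
  old = pinned_client(api, :TLSv1)
  p offered_range(old), rejected_by_server?(old, :TLSv1_2)   # [:TLSv1, :TLSv1], true
  new = floored_client(api)
  p offered_range(new), rejected_by_server?(new, :TLSv1_2)   # [:TLSv1_2, :any], false
end
```

The `:TLSv1_2` pin from the comment above passes today's servers, but `offered_range` shows it still has a hard ceiling; a `min_version` floor keeps the same protection against downgrade while letting the server move to TLS 1.3 without another client change.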

Tectract commented 3 years ago

Luckily my TLS stack for the webserver itself is upgraded and secured with TLS1.3. This is just a backend call to a third-party data provider, so as long as it works, I'm happy :)