mattsears / stamps

Print stamps with Ruby!
https://github.com/mattsears/stamps
MIT License
47 stars 52 forks

Errno::ECONNRESET: Connection reset by peer - SSL_connect #13

Open dsteadman opened 11 years ago

dsteadman commented 11 years ago

Running 1.9.3 and Rails 3.2.14

I've been getting

Errno::ECONNRESET: Connection reset by peer - SSL_connect

I've tried this on multiple dev machines, made sure it wasn't an issue with openssl, all to no avail. Anyone experience the same / have a suggestion for what could be causing it?

Thanks

dsteadman commented 11 years ago

I ran a test against their API (https://www.ssllabs.com/ssltest/analyze.html?d=swsim.stamps.com) and it seems that it's failing with TLS 1.2 and SSLv2. Does anyone have experience forcing a different TLS / SSL version with this gem? It seems like a solution would be to force SSLv3 and TLS 1.0.

mattsears commented 11 years ago

Hey @dsteadman. Sorry, I have not come across this issue before with stamps. I've tried it locally, but not getting the same error. I remember having OpenSSL and RVM issues with my Ruby version a while back. I'm not sure if it’s the same issue you're having though.

kayluhb commented 11 years ago

I'm also seeing this issue when testing on ubuntu with rvm 1.22.3, ruby-2.0.0, and rails 3.2.14. @mattsears what were the issues you were having? Is there a way to explicitly configure the gem to use different TLS / SSL?

kayluhb commented 11 years ago

I also just tried with a fresh rails project (ruby 1.9.3, rails 3.2.14) and I'm getting the same issues.

My stamps settings look like this (with the correct integration id and u/p)

Stamps.configure do |config|
  config.integration_id = 'integration-id'
  config.username       = 'username'
  config.password       = 'password'
# Tried with and without the namespace.
#  config.namespace      = 'http://stamps.com/xml/namespace/2012/05/swsim/swsimv29'
  config.endpoint       = 'https://swsim.testing.stamps.com/swsim/swsimv29.asmx'
  config.test_mode      = true
  config.raise_errors   = true
end

Gems look like this:

$ gem list

*** LOCAL GEMS ***

actionmailer (3.2.14)
actionpack (3.2.14)
activemodel (3.2.14)
activerecord (3.2.14)
activeresource (3.2.14)
activesupport (3.2.14)
akami (1.2.0)
arel (3.0.2)
builder (3.0.4)
bundler (1.3.5)
bundler-unload (1.0.1)
coffee-rails (3.2.2)
coffee-script (2.2.0)
coffee-script-source (1.6.3)
erubis (2.7.0)
execjs (2.0.1)
gyoku (1.1.0)
hashie (1.0.0)
hike (1.2.3)
httpi (2.1.0)
i18n (0.6.5)
journey (1.0.4)
jquery-rails (3.0.4)
json (1.8.0)
mail (2.5.4)
mime-types (1.25)
multi_json (1.8.0)
nokogiri (1.5.10)
nori (2.3.0)
pg (0.16.0)
polyglot (0.3.3)
rack (1.4.5)
rack-cache (1.2)
rack-ssl (1.3.3)
rack-test (0.6.2)
rails (3.2.14)
railties (3.2.14)
rake (10.1.0)
rdoc (3.12.2)
rubygems-bundler (1.2.1)
rubyntlm (0.3.4)
rvm (1.11.3.8)
sass (3.2.10)
sass-rails (3.2.6)
savon (2.3.0)
sprockets (2.2.2)
stamps (0.3.1)
thor (0.18.1)
tilt (1.4.1)
treetop (1.4.15)
tzinfo (0.3.37)
uglifier (2.2.1)
wasabi (3.2.0)

Thanks for any insight.

v-fedorov commented 10 years ago

If anyone is still having this issue, I was able to resolve it by downgrading rvm to a version that includes openssl 0.9.8

curl -L https://get.rvm.io | bash -s -- --version 1.14.7
rvm pkg install openssl
rvm install 1.9.3-p194 --with-openssl-dir=~/.rvm/usr

Noticed this looking around dsteadman's link (https://www.ssllabs.com/ssltest/analyze.html?d=swsim.stamps.com) and openssl 1.0.1 fails with handshake simulation.

dsteadman commented 10 years ago

Thank you for your response, @v-fedorov. That solution worked for me too.

dmgarland commented 10 years ago

I think the issue is related to the Stamps API only negotiating with clients running SSLv3. If you try their health endpoint using curl, I can only get it to work from our staging box using the --sslv3 switch:

curl https://swsim.testing.stamps.com/label/health.aspx --sslv3

I also get the same result if I try openssl s_client without forcing SSLv3. This worked for me:

openssl s_client -host swsim.testing.stamps.com -ssl3 -showcerts -port 443

Without forcing these options, the client is supposed to figure out the best protocol version to use and everything should just work™. It seems that with our server setup that isn't happening. As I don't have control over setting this in my case, the workaround was to force SSLv3 at the Savon level. In my branch, I ended up configuring Savon and telling it the version and where the main ca_cert file is (the presence of which forces the underlying HTTPI adapter to use SSL).

  client = Savon.client do |globals|
    globals.endpoint self.endpoint
    globals.namespace self.namespace
    globals.namespaces("xmlns:tns" => self.namespace)
    globals.log false
    globals.logger Logger.new(STDOUT)
    globals.raise_errors false
    globals.headers({ "SoapAction" => formatted_soap_action(web_method) })
    globals.element_form_default :qualified
    globals.namespace_identifier :tns
    # Pin the handshake to SSLv3 instead of letting the client negotiate.
    globals.ssl_version :SSLv3
    # System CA bundle (this is the Debian/Ubuntu location).
    globals.ssl_ca_cert_file '/etc/ssl/certs/ca-certificates.crt'
  end

If anyone can suggest a better way of forcing SSLv3, or avoid declaring the ssl_ca_cert_file (without verify none!) in a more platform independent way, please let me know.
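The per-version check done above with curl and openssl s_client can be scripted with Ruby's own OpenSSL bindings; the following is an added example, not code from this thread or from the stamps gem. It assumes a local server pinned to TLS 1.2 as a stand-in for the endpoint (most current OpenSSL builds no longer include SSLv3), and the names fixture_cert, start_pinned_server, handshake and probe are hypothetical.

```ruby
require 'openssl'
require 'socket'

# Constructed fixture: throwaway self-signed certificate for the local server.
def fixture_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Local stand-in for an endpoint that accepts exactly one protocol version; returns its port.
def start_pinned_server(version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = fixture_cert
  ctx.min_version = ctx.max_version = version
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  # A rejected handshake raises in accept; swallow it so the listener keeps serving.
  Thread.new { loop { server.accept.close rescue nil } }
  tcp.addr[1]
end

# One handshake pinned to a single version. No application data is sent, so
# the probe skips certificate validation; real clients keep VERIFY_PEER.
def handshake(host, port, version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = ctx.max_version = version
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.connect
  { ok: true, detail: ssl.ssl_version }
rescue OpenSSL::SSL::SSLError, SystemCallError, IOError => e
  { ok: false, detail: "#{e.class}: #{e.message}" }
ensure
  tcp&.close
end

PROBE_VERSIONS = { 'TLSv1.2' => OpenSSL::SSL::TLS1_2_VERSION, 'TLSv1.3' => OpenSSL::SSL::TLS1_3_VERSION }.freeze

def probe(host, port, versions = PROBE_VERSIONS)
  versions.to_h { |name, v| [name, handshake(host, port, v)] }
end
```

A result where only one pinned version succeeds is the same signal as the curl test above: the client and server share no protocol version unless the client is forced to that one.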

thebucknerlife commented 10 years ago

Any progress on this bug? I'm still having issues to no avail. I'm also a novice at web technologies so I'm stumbling through the SSLv3 and SSL certs issues.

onibaka commented 10 years ago

I recommend updating rvm.io using the following command

\curl -L https://get.rvm.io | bash -s stable

It has worked for me.

zhizouxiao commented 9 years ago

I'm in China, I get the same problem because of the GFW (Great Firewall).

MarioSteinitz commented 9 years ago

I was looking for a while already, to get this nasty bug fixed while running most recent versions of Ruby and gem on Ubuntu 14.04. Then I read zhizouxiao's comment. Sitting in China as well, I should have tried with a VPN earlier. Made my day. Thanks for giving this hint!

lamersons commented 9 years ago

Mario, you can just use the Chinese mirror http://ruby.taobao.org/

MarioSteinitz commented 9 years ago

Thanks for this advice, lamersons. Tried, and works flawlessly without VPN.

Litchiware commented 9 years ago

@zhizouxiao @lamersons, thanks for your responses. I met the same problem and tried several ways but to no effect; your advice and solution saved my day.

mukhtaarabdi commented 8 years ago

@lamersons thank you very much, it worked!

nateq314 commented 8 years ago

Same here, thank you @lamersons!

nmdias commented 6 years ago

What finally did it for me: shutting down IPv6!

networksetup setv6off "Wi-Fi"

All is good now. I'm on macOS, by the way.