sparklemotion / mechanize

Mechanize is a ruby library that makes automated web interaction easy.
https://www.rubydoc.info/gems/mechanize/
MIT License

Heroku Stack and OpenSSL security #599

Closed resistorsoftware closed 2 years ago

resistorsoftware commented 2 years ago

When Mechanize makes an external call to HTTPS, it uses OpenSSL. When hosting on Heroku, the older stacks use Level 1 security and connections to misconfigured HTTPS sites work fine.

When on a heroku-20 stack, the OpenSSL is level 2, and hence fails on misconfigured sites. It is not usually possible to contact these sites and ask them to fix their broken SSL. Is there a way to deploy Mechanize with the Level 1 as the operational connection for SSL?

flavorjones commented 2 years ago

@resistorsoftware When you say "level", do you mean "ssl version"? If so then please take a look at https://www.rubydoc.info/gems/mechanize/2.5/Mechanize#ssl_version-instance_method

resistorsoftware commented 2 years ago

Ah sorry! The exact terminology in play is this:

The default Ubuntu 20.04 openssl configuration now sets a minimum TLS protocol version of v1.2. This means that TLS v1.0 and v1.1 are no longer supported by clients using OpenSSL to make outbound requests. This may manifest in the form of OpenSSL “no protocols available” errors if clients hardcode older protocol versions, or if servers do not support TLS v1.2 or higher. For apps using Python, an “[SSL] internal error” error may be shown instead of the “no protocols available” error.

In addition, the default OpenSSL security level (SECLEVEL), was changed from level 1 to level 2. This prevents OpenSSL from using insecure ciphers/keys and may result in “sslv3 alert handshake failure”, “wrong signature type” or “dh key too small” errors when connecting to servers that are running outdated/buggy software, or that have insecure configurations.

So I am curious if I can operate the latest, greatest Mechanize with a workaround suitable for this, where, due to SECLEVEL being 2, I get the dh key too small error.
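The SECLEVEL thresholds quoted above, worked through as an added Ruby example (not code from Mechanize or from this thread): it mirrors OpenSSL's security-bits rules for RSA/DH and EC keys and reports the highest SECLEVEL at which a server's leaf key and ephemeral group still pass, which is why a 1024-bit DH group yields "dh key too small" at level 2 but not at level 1. The threshold values come from the OpenSSL SSL_CTX_set_security_level manual; the function names are assumptions of this example.

```ruby
require 'openssl'
# Minimum security strength (symmetric-equivalent bits) that each OpenSSL
# SECLEVEL enforces on certificate keys, signatures and DH/ECDH groups,
# per the SSL_CTX_set_security_level(3) manual.
SECLEVEL_MIN_BITS = { 0 => 0, 1 => 80, 2 => 112, 3 => 128, 4 => 192, 5 => 256 }.freeze

# Security bits of a finite-field modulus (RSA, DSA, DH parameters),
# using the same thresholds as OpenSSL's BN_security_bits().
def ffc_security_bits(modulus_bits)
  return 256 if modulus_bits >= 15360
  return 192 if modulus_bits >= 7680
  return 128 if modulus_bits >= 3072
  return 112 if modulus_bits >= 2048
  return 80  if modulus_bits >= 1024
  0
end

# Security bits of a prime-order EC group: half the order size, capped at 256
# (P-256 -> 128, P-384 -> 192, P-521 -> 256).
def ec_security_bits(order_bits)
  [order_bits / 2, 256].min
end

# Accepts an OpenSSL::PKey (RSA, DH, EC) or, for convenience in tests and
# reports, a bare Integer taken as a finite-field modulus size in bits.
def key_security_bits(key)
  case key
  when Integer            then ffc_security_bits(key)
  when OpenSSL::PKey::RSA then ffc_security_bits(key.n.num_bits)
  when OpenSSL::PKey::DH  then ffc_security_bits(key.p.num_bits)
  when OpenSSL::PKey::EC  then ec_security_bits(key.group.order.num_bits)
  else raise ArgumentError, "unsupported key type #{key.class}"
  end
end

# Highest SECLEVEL that still accepts material of the given strength.
def max_seclevel(security_bits)
  SECLEVEL_MIN_BITS.select { |_, min| min <= security_bits }.keys.max
end

# Verdict for a server handshake: the leaf certificate key plus the ephemeral
# DH/ECDH group it offers. The weakest element decides, which is why a
# 2048-bit RSA cert paired with a 1024-bit DH group (80 bits) still fails
# at SECLEVEL 2 (112 bits) with "dh key too small", yet passes at SECLEVEL 1.
def seclevel_verdict(leaf_key:, ephemeral_group:, level: 2)
  weakest = [key_security_bits(leaf_key), key_security_bits(ephemeral_group)].min
  { ok: weakest >= SECLEVEL_MIN_BITS.fetch(level),
    weakest_bits: weakest,
    max_level: max_seclevel(weakest) }
end
```

Feed it the key and group sizes you observe for a failing host (for instance from an `openssl s_client` transcript) to see which element is below the level-2 floor before deciding whether the server side or a scoped client setting should change.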

flavorjones commented 2 years ago

OK, thanks for explaining. Mechanize uses net-http-persistent to manage its network connections, so my recommendation is to start there. If Net::HTTP::Persistent supports it, then we can introduce a flag to Mechanize to support it.

Side note: I don't see a feature like this in net-http-persistent. I don't even see it in Net::HTTP. Since these libraries are wrapping openssl it may be worth your while to determine if there's something environmental you can do.

Some quick googling indicates you may be able to do this by modifying your openssl config file: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level but obviously I've got no experience with any of this.

I'm going to close this, since I don't think there's anything we can do in Mechanize right now, but if you have more questions please ask!