在 ruby 1.9 中使用 mechanize（甚至 Net::HTTP）会返回“OpenSSL::SSL::SSLError” - 如何强制使用 SSLv3？

发布于 2025-01-02 10:26:44 字数 4660 浏览 1 评论 0 原文

在过去的两天里，我想我已经浏览了所有关于与 Net::HTTP 有关的 SSL 错误的可用（可通过 Google 搜索）的帖子： OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A

我首先尝试做的是连接到 EtherPad< /code> 服务器 (https://test.titanpad.com)，登录并使用 rubygems & 下载 zip 存档机械化;然而，不幸的是，由于所述 SSL-Error，我什至没有达到这一点。在尝试从 mechanize 对象内调试问题（通过在脚本中手动设置 cert、ca_file、cert_store、verify_mode 等）后，我更接近实际问题，尝试只需使用 Net::HTTP 连接到 https://test.titanpad.com :(

在这个例子中，我首先连接到 https://encrypted.google.com 以确保 SSL < em>应该可以解决；连接到 EtherPad 服务器的尝试从第 6 行开始）

irb(main):001:0> require 'net/https'
=> true
irb(main):002:0> google = Net::HTTP.new('encrypted.google.com', 443)
=> #<Net::HTTP encrypted.google.com:443 open=false>
irb(main):003:0> google.use_ssl = true
=> true
irb(main):004:0> google.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt' if File.exists?('/opt/local/share/curl/curl-ca-bundle.crt')
=> "/opt/local/share/curl/curl-ca-bundle.crt"
irb(main):005:0> google.request_get('/')
=> #<Net::HTTPOK 200 OK readbody=true>

irb(main):006:0> etherpad = Net::HTTP.new('test.titanpad.com', 443)
=> #<Net::HTTP test.titanpad.com:443 open=false>
irb(main):007:0> etherpad.use_ssl = true
=> true
irb(main):008:0> etherpad.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt' if File.exists?('/opt/local/share/curl/curl-ca-bundle.crt')
=> "/opt/local/share/curl/curl-ca-bundle.crt"
irb(main):009:0> etherpad.request_get('/')
OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:799:in `connect'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:799:in `block in connect'
    from /opt/local/lib/ruby1.9/1.9.1/timeout.rb:54:in `timeout'
    from /opt/local/lib/ruby1.9/1.9.1/timeout.rb:99:in `timeout'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:799:in `connect'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:755:in `do_start'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:744:in `start'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:1284:in `request'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:1195:in `request_get'
    from (irb):9
    from /opt/local/bin/irb:12:in `<main>'

即使使用 verify_mode OpenSSL::SSL::VERIFY_NONE，OpenSSL 也会退出：

irb(main):010:0> etherpad.verify_mode = OpenSSL::SSL::VERIFY_NONE
=> 0
irb(main):011:0> etherpad.request_get('/')
OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:799:in `connect'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:799:in `block in connect'
    from /opt/local/lib/ruby1.9/1.9.1/timeout.rb:54:in `timeout'
    from /opt/local/lib/ruby1.9/1.9.1/timeout.rb:99:in `timeout'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:799:in `connect'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:755:in `do_start'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:744:in `start'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:1284:in `request'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:1195:in `request_get'
    from (irb):11
    from /opt/local/bin/irb:12:in `<main>'

进一步尝试后有了 openssl 本身，它就变成了在这种情况下，真正的麻烦在于，必须强制使用 SSLv3 才能与 titanpad.com 后面的 Jetty 6.1.20 服务器 进行握手：

irb(main):001:0> require 'net/https'
=> true
irb(main):002:0> etherpad = Net::HTTP.new('test.titanpad.com', 443)
=> #<Net::HTTP test.titanpad.com:443 open=false>
irb(main):003:0> etherpad.use_ssl = true
=> true
irb(main):004:0> etherpad.ssl_version = "SSLv3"
=> "SSLv3"
irb(main):005:0> etherpad.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt' if File.exists?('/opt/local/share/curl/curl-ca-bundle.crt')
=> "/opt/local/share/curl/curl-ca-bundle.crt"
irb(main):006:0> etherpad.request_get('/')
=> #<Net::HTTPFound 302 Found readbody=true>

现在，虽然这在使用 Net::HTTP，没有这样的选项可以设置要在Mechanize中使用的SSL版本...因此我真的很高兴如果有人可以向我指出我如何可以通过所说的 gem oO 强制实施 SSLv3

再次感谢！

系统：Mac OSX 10.6.8 ruby 1.9.3p0（2011-10-30 修订版 33570）[x86_64-darwin10] rubygems 与 mechanize 一起安装：domain_name (0.5.2)、mechanize (2.1.1)、net-http-digest_auth (1.2)、net-http-persistent (2.4.1)、nokogiri (1.5.0)、ntlm-http ( 0.1.1)、unf (0.0.4)、unf_ext (0.0.4)、网络机器人(0.0.13)

原文

For the past 2 days, I think I've been through every single available (google'able) post about this SSL-Error in connection with Net::HTTP:
OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A

What I tried doing in the first place, was connecting to a EtherPad server (https://test.titanpad.com), signing in, and downloading a zip-archive via using rubygems & mechanize; however, unfortunately I don't even get up to that point due to said SSL-Error. After trying to debug the issue from within a mechanize object (f.e. by setting cert, ca_file, cert_store, verify_mode, etc. manually in the script), I went one level closer to the actual issue, trying to connect to https://test.titanpad.com by simply using Net::HTTP:

(in this example, I first connected to https://encrypted.google.com to make sure, SSL should work out; the attempt to connect to the EtherPad server starts from line 6)

irb(main):001:0> require 'net/https'
=> true
irb(main):002:0> google = Net::HTTP.new('encrypted.google.com', 443)
=> #<Net::HTTP encrypted.google.com:443 open=false>
irb(main):003:0> google.use_ssl = true
=> true
irb(main):004:0> google.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt' if File.exists?('/opt/local/share/curl/curl-ca-bundle.crt')
=> "/opt/local/share/curl/curl-ca-bundle.crt"
irb(main):005:0> google.request_get('/')
=> #<Net::HTTPOK 200 OK readbody=true>

irb(main):006:0> etherpad = Net::HTTP.new('test.titanpad.com', 443)
=> #<Net::HTTP test.titanpad.com:443 open=false>
irb(main):007:0> etherpad.use_ssl = true
=> true
irb(main):008:0> etherpad.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt' if File.exists?('/opt/local/share/curl/curl-ca-bundle.crt')
=> "/opt/local/share/curl/curl-ca-bundle.crt"
irb(main):009:0> etherpad.request_get('/')
OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:799:in `connect'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:799:in `block in connect'
    from /opt/local/lib/ruby1.9/1.9.1/timeout.rb:54:in `timeout'
    from /opt/local/lib/ruby1.9/1.9.1/timeout.rb:99:in `timeout'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:799:in `connect'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:755:in `do_start'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:744:in `start'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:1284:in `request'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:1195:in `request_get'
    from (irb):9
    from /opt/local/bin/irb:12:in `<main>'

Even when using verify_mode OpenSSL::SSL::VERIFY_NONE, OpenSSL bails out:

irb(main):010:0> etherpad.verify_mode = OpenSSL::SSL::VERIFY_NONE
=> 0
irb(main):011:0> etherpad.request_get('/')
OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:799:in `connect'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:799:in `block in connect'
    from /opt/local/lib/ruby1.9/1.9.1/timeout.rb:54:in `timeout'
    from /opt/local/lib/ruby1.9/1.9.1/timeout.rb:99:in `timeout'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:799:in `connect'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:755:in `do_start'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:744:in `start'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:1284:in `request'
    from /opt/local/lib/ruby1.9/1.9.1/net/http.rb:1195:in `request_get'
    from (irb):11
    from /opt/local/bin/irb:12:in `<main>'

After further playing around with openssl itself, it turns out the real trouble in this case is that the use of SSLv3 has to be forced for the handshake with the Jetty 6.1.20 server behind titanpad.com to work:

irb(main):001:0> require 'net/https'
=> true
irb(main):002:0> etherpad = Net::HTTP.new('test.titanpad.com', 443)
=> #<Net::HTTP test.titanpad.com:443 open=false>
irb(main):003:0> etherpad.use_ssl = true
=> true
irb(main):004:0> etherpad.ssl_version = "SSLv3"
=> "SSLv3"
irb(main):005:0> etherpad.ca_file = '/opt/local/share/curl/curl-ca-bundle.crt' if File.exists?('/opt/local/share/curl/curl-ca-bundle.crt')
=> "/opt/local/share/curl/curl-ca-bundle.crt"
irb(main):006:0> etherpad.request_get('/')
=> #<Net::HTTPFound 302 Found readbody=true>

Now while this obviously works when using Net::HTTP, there is no such option as to set the SSL version to use in Mechanize... and I'd therefore be really glad if someone could point out to me as to how I could enforce SSLv3 via said gem o.O

Thanks again!

System: Mac OSX 10.6.8
ruby 1.9.3p0 (2011-10-30 revision 33570) [x86_64-darwin10]
rubygems installed with mechanize: domain_name (0.5.2), mechanize (2.1.1), net-http-digest_auth (1.2), net-http-persistent (2.4.1), nokogiri (1.5.0), ntlm-http (0.1.1), unf (0.0.4), unf_ext (0.0.4), webrobots (0.0.13)

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

巾帼英雄 2025-01-09 10:26:44

已通过将 ssl_version 功能从 Net::HTTP（通过 net-http-persistent）移植到 Mechanize v. 2.1.2 来修复（请参阅 https://github.com/tenderlove/mechanize/commit/4a228899855e0676ab69c2bf548170c8717465d8）。