SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed ONLY WHEN PROXYING

This post nearly duplicates a number of others, including "Rails 4 and Ruby 2 Net/HTTP SSL Request: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol" and "SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed", but with one key difference: the "certificate verify failed" error occurs only when proxying through an SSL proxy (Charles) and only in the latest Ruby version.

In particular, this (non-proxied) code works:

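  require 'net/http'
  require 'uri'
  uri = URI.parse('https://www.ibm.com')
  http = Net::HTTP.new(uri.host, uri.port, nil)   # nil proxy address: connect directly
  http.use_ssl = true
  # request_uri is "/" when the URL has no path
  http.start { |agent| agent.get(uri.request_uri) }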

and this (proxied) code fails with the error "Certificate Verification Error":

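  require 'net/http'
  require 'uri'
  uri = URI.parse('https://www.ibm.com')
  http = Net::HTTP.new(uri.host, uri.port, "localhost", 8888)   # route through the proxy on localhost:8888
  http.use_ssl = true
  # request_uri is "/" when the URL has no path
  http.start { |agent| agent.get(uri.request_uri) }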

puzzle

The error appears ONLY when passing through a proxy in current versions of Ruby / OpenSSL. In particular:

  • There is no error in the absence of a proxy server, which makes me think that the local certificates are valid.
  • When passing through a proxy server with Firefox or curl -v https://www.ibm.com/ there are no errors, which makes me think that the Charles certificates are valid.
  • There is no error through the proxy server with an earlier version of Ruby / OpenSSL (see the two environments below).

All this makes me suspect a real Ruby bug, not a problem with my certificates, but I would be happy to be shown otherwise.

current environment

I am observing an error in this environment:

$ system_profiler SPSoftwareDataType | grep "System Version"
    System Version: OS X 10.8.5 (12F45)
$ ruby --version ; openssl version ; gem list | grep http
ruby 2.0.0p247 (2013-06-27) [x86_64-darwin12.4.0]
OpenSSL 1.0.1e 11 Feb 2013
http-cookie (1.0.2)
http_router (0.10.2)
net-http-digest_auth (1.4)
net-http-persistent (2.9)
ntlm-http (0.1.1)

previous environment

The error does not appear with a slightly older version of Ruby / OpenSSL:

$ ruby --version ; openssl version ; gem list | grep http
ruby 2.0.0p0 (2013-02-24 revision 39474) [x86_64-darwin10.8.0]
OpenSSL 0.9.8y 5 Feb 2013
http_router (0.11.0, 0.10.2)
httpauth (0.2.0)
net-http-digest_auth (1.2.1)
net-http-persistent (2.8)
ntlm-http (0.1.1)
+4
2

, , " https://www.ibm.com", , ( ), "www.ibm.com" . ,

http.verify_mode = OpenSSL::SSL::VERIFY_NONE

, ruby, "net/https" .

+1

, , ENV var. , :

http.verify_mode = OpenSSL::SSL::VERIFY_NONE
0
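
An alternative to switching verification off with VERIFY_NONE, shown as an added example that is not part of the original question or answers: keep VERIFY_PEER and add the intercepting proxy's root CA to the client's trust store. It assumes the failure comes from that CA being absent from the trust store this Ruby's OpenSSL uses; the certificates are constructed test data, and `make_cert`, `store_with` and `proxied_client` are hypothetical helper names.

```ruby
require 'net/http'
require 'openssl'

# Build a throwaway certificate (constructed test data, not Charles's real CA).
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 32) + 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Trust store holding only the given CA certificates (no system defaults).
def store_with(*cas)
  store = OpenSSL::X509::Store.new
  cas.each { |c| store.add_cert(c) }
  store
end

# Proxied client that keeps VERIFY_PEER and trusts the proxy's CA explicitly.
def proxied_client(host, proxy_host, proxy_port, store)
  http = Net::HTTP.new(host, 443, proxy_host, proxy_port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

# Stand-ins for the proxy's root CA and the leaf it re-signs for the target host.
PROXY_CA_KEY = OpenSSL::PKey::RSA.new(2048)
PROXY_CA = make_cert('Constructed Proxy CA', PROXY_CA_KEY, ca: true)
LEAF = make_cert('www.ibm.com', OpenSSL::PKey::RSA.new(2048),
                 issuer_cert: PROXY_CA, issuer_key: PROXY_CA_KEY)

puts store_with.verify(LEAF)            # => false: the proxy CA is unknown to this store
puts store_with(PROXY_CA).verify(LEAF)  # => true: the proxy CA is trusted
```

With a real proxy, export its root certificate as PEM and load it with `store.add_file(path)` instead of the constructed CA. Restrict that store to the development or debugging client, since anything signed by the proxy's CA will then verify.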
