HTTP::Client e.g.(ECDH, RESET, EOF) SSL Problems #7643

Closed
ghost opened this issue Apr 7, 2019 · 8 comments

ghost commented Apr 7, 2019

Summary

Hi, I am using HTTP::Client and have encountered some SSL problems.
I read some similar issues, but it still doesn't work.
I don't know much about SSL. | Reference: #5010, #5723, ...

Problems

require "http/client"

uri = URI.parse("https://cn2-bid.adsrvr.cn")
HTTP::Client.get(uri)
# => SSL routines:SSL3_GET_KEY_EXCHANGE:unable to find ecdh parameters | Solved

uri = URI.parse("https://tls-v1-2.badssl.com:1012")
HTTP::Client.get(uri)
# => socket: Connection reset by peer | Solved

uri = URI.parse("https://securemetrics.apple.com")
HTTP::Client.get(uri)
# => SSL_connect: Unexpected EOF | Solved

Tried

I tried these, but they don't work.

context.add_options OpenSSL::SSL::Options::ALL
context.verify_mode = OpenSSL::SSL::VerifyMode::NONE

OpenSSL Information

$ openssl version
OpenSSL 1.0.2q  20 Nov 2018

$ which openssl
/usr/bin/openssl

$ openssl help
openssl:Error: 'help' is an invalid command.

Standard commands
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dh                
dhparam           dsa               dsaparam          ec                
ecparam           enc               engine            errstr            
gendh             gendsa            genpkey           genrsa            
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              req               
rsa               rsautl            s_client          s_server          
s_time            sess_id           smime             speed             
spkac             srp               ts                verify            
version           x509              

Message Digest commands (see the `dgst' command for more details)
md4               md5               mdc2              rmd160            
sha               sha1              

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       base64            bf                
bf-cbc            bf-cfb            bf-ecb            bf-ofb            
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
des               des-cbc           des-cfb           des-ecb           
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
des-ofb           des3              desx              idea              
idea-cbc          idea-cfb          idea-ecb          idea-ofb          
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
rc2-cfb           rc2-ecb           rc2-ofb           rc4               
rc4-40            seed              seed-cbc          seed-cfb          
seed-ecb          seed-ofb          

SSLScan Information

$ sslscan https://cn2-bid.adsrvr.cn
Version: 1.11.12-static
OpenSSL 1.0.2f  28 Jan 2016

Connected to 39.105.128.254

Testing SSL server cn2-bid.adsrvr.cn on port 443 using SNI name cn2-bid.adsrvr.cn

  TLS Fallback SCSV:
Server does not support TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 2048 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384            
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256            
Accepted  TLSv1.2  256 bits  AES256-SHA256                
Accepted  TLSv1.2  128 bits  AES128-SHA256                
Accepted  TLSv1.2  256 bits  AES256-SHA                   
Accepted  TLSv1.2  128 bits  AES128-SHA                   
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA                 
Accepted  TLSv1.2  128 bits  RC4-SHA                      
Accepted  TLSv1.2  128 bits  RC4-MD5                      
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.1  256 bits  AES256-SHA                   
Accepted  TLSv1.1  128 bits  AES128-SHA                   
Accepted  TLSv1.1  112 bits  DES-CBC3-SHA                 
Accepted  TLSv1.1  128 bits  RC4-SHA                      
Accepted  TLSv1.1  128 bits  RC4-MD5                      
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.0  256 bits  AES256-SHA                   
Accepted  TLSv1.0  128 bits  AES128-SHA                   
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA                 
Accepted  TLSv1.0  128 bits  RC4-SHA                      
Accepted  TLSv1.0  128 bits  RC4-MD5                      

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  *.adsrvr.cn
Altnames: DNS:*.adsrvr.cn, DNS:adsrvr.cn
Issuer:   GeoTrust RSA CA 2018

Not valid before: Feb 18 00:00:00 2019 GMT
Not valid after:  Feb 17 12:00:00 2021 GMT

-

$ sslscan https://tls-v1-2.badssl.com
Version: 1.11.12-static
OpenSSL 1.0.2f  28 Jan 2016

Connected to 104.154.89.105

Testing SSL server tls-v1-2.badssl.com on port 443 using SNI name tls-v1-2.badssl.com

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.2  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256            
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384            
Accepted  TLSv1.2  128 bits  AES128-SHA256                
Accepted  TLSv1.2  256 bits  AES256-SHA256                
Accepted  TLSv1.2  128 bits  AES128-SHA                   
Accepted  TLSv1.2  256 bits  AES256-SHA                   
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA                 
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Accepted  TLSv1.2  128 bits  CAMELLIA128-SHA              
Preferred TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.1  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  AES128-SHA                   
Accepted  TLSv1.1  256 bits  AES256-SHA                   
Accepted  TLSv1.1  112 bits  DES-CBC3-SHA                 
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.1  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Accepted  TLSv1.1  128 bits  CAMELLIA128-SHA              
Preferred TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.0  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  AES128-SHA                   
Accepted  TLSv1.0  256 bits  AES256-SHA                   
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA                 
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA              

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  *.badssl.com
Altnames: DNS:*.badssl.com, DNS:badssl.com
Issuer:   DigiCert SHA2 Secure Server CA

Not valid before: Mar 18 00:00:00 2017 GMT
Not valid after:  Mar 25 12:00:00 2020 GMT

-

$ sslscan https://securemetrics.apple.com
Version: 1.11.12-static
OpenSSL 1.0.2f  28 Jan 2016

Connected to 13.229.174.113

Testing SSL server securemetrics.apple.com on port 443 using SNI name securemetrics.apple.com

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
ERROR: Could not open a connection to host securemetrics.apple.com (13.229.174.113) on port 443.
ERROR: Could not connect. | (Maybe there is a problem with my network?)

Curl Verbose

$ curl -v "https://cn2-bid.adsrvr.cn"
* Rebuilt URL to: https://cn2-bid.adsrvr.cn/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 1087 (#0)
* Establish HTTP proxy tunnel to cn2-bid.adsrvr.cn:443
> CONNECT cn2-bid.adsrvr.cn:443 HTTP/1.1
> Host: cn2-bid.adsrvr.cn:443
> User-Agent: curl/7.54.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* Proxy replied OK to CONNECT request
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.adsrvr.cn
* Server certificate: GeoTrust RSA CA 2018
* Server certificate: DigiCert Global Root CA
> GET / HTTP/1.1
> Host: cn2-bid.adsrvr.cn
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Content-Type: text/html
< Server: Microsoft-IIS/10.0
< X-Powered-By: ASP.NET
< Date: Sun, 07 Apr 2019 11:24:09 GMT
< Content-Length: 1233
< 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;} 
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;} 
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} 
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>403 - Forbidden: Access is denied.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>
* Connection #0 to host 127.0.0.1 left intact

-

$ curl -v "https://tls-v1-2.badssl.com:1012"
* Rebuilt URL to: https://tls-v1-2.badssl.com:1012/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 1087 (#0)
* Establish HTTP proxy tunnel to tls-v1-2.badssl.com:1012
> CONNECT tls-v1-2.badssl.com:1012 HTTP/1.1
> Host: tls-v1-2.badssl.com:1012
> User-Agent: curl/7.54.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* Proxy replied OK to CONNECT request
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.badssl.com
* Server certificate: DigiCert SHA2 Secure Server CA
* Server certificate: DigiCert Global Root CA
> GET / HTTP/1.1
> Host: tls-v1-2.badssl.com:1012
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Sun, 07 Apr 2019 11:25:18 GMT
< Content-Type: text/html
< Content-Length: 477
< Last-Modified: Wed, 15 Aug 2018 15:22:02 GMT
< Connection: keep-alive
< ETag: "5b74451a-1dd"
< Cache-Control: no-store
< Accept-Ranges: bytes
< 
<!DOCTYPE html>
<html>
<head>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="shortcut icon" href="/icons/favicon-green.ico"/>
  <link rel="apple-touch-icon" href="/icons/icon-green.png"/>
  <title>tls-v1-2.badssl.com</title>
  <link rel="stylesheet" href="/style.css">
  <style>body { background: green; }</style>
</head>
<body>
<div id="content">
  <h1 style="font-size: 12vw;">
    tls-v1-2.<br>badssl.com
  </h1>
</div>

</body>
</html>
* Connection #0 to host 127.0.0.1 left intact

-

$ curl -v "https://securemetrics.apple.com"
* Rebuilt URL to: https://securemetrics.apple.com/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 1087 (#0)
* Establish HTTP proxy tunnel to securemetrics.apple.com:443
> CONNECT securemetrics.apple.com:443 HTTP/1.1
> Host: securemetrics.apple.com:443
> User-Agent: curl/7.54.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* Proxy replied OK to CONNECT request
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: securemetrics.apple.com
* Server certificate: DigiCert Global CA G2
* Server certificate: DigiCert Global Root G2
> GET / HTTP/1.1
> Host: securemetrics.apple.com
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: text/html
< Date: Sun, 07 Apr 2019 11:26:02 GMT
< Server: Omniture DC
< xserver: www496
< Content-Length: 0
< Connection: keep-alive
< 
* Connection #0 to host 127.0.0.1 left intact
@ghost ghost changed the title Question: HTTP::Client e.g.(ECDH, RESET, EOF) SSL Problem Question: HTTP::Client e.g.(ECDH, RESET, EOF) SSL Problems Apr 7, 2019

ghost commented Apr 7, 2019

Update

I solved the first problem with #5266 | SSL3_GET_KEY_EXCHANGE.

  • OpenSSL::SSL::Context::Client.insecure | Do not use, danger

But it doesn't work for Connection reset by peer | Unexpected EOF.


ghost commented Apr 8, 2019

Update

But it works in Ruby irb.

$ irb -v
irb 1.0.0 (2018-12-18)

-

$ irb
irb(main):001:0> require "net/http"
=> true
irb(main):001:0> require "openssl"
=> true
irb(main):002:0> OpenSSL::OPENSSL_VERSION
=> "OpenSSL 1.0.2q  20 Nov 2018"
irb(main):002:0> uri = URI('https://cn2-bid.adsrvr.cn')
=> #<URI::HTTPS https://cn2-bid.adsrvr.cn>
irb(main):003:0> Net::HTTP.get(uri)
=> "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\"/>\r\n<title>403 - Forbidden: Access is denied.</title>\r\n<style type=\"text/css\">\r\n<!--\r\nbody{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}\r\nfieldset{padding:0 15px 10px 15px;} \r\nh1{font-size:2.4em;margin:0;color:#FFF;}\r\nh2{font-size:1.7em;margin:0;color:#CC0000;} \r\nh3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} \r\n#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:\"trebuchet MS\", Verdana, sans-serif;color:#FFF;\r\nbackground-color:#555555;}\r\n#content{margin:0 0 0 2%;position:relative;}\r\n.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}\r\n-->\r\n</style>\r\n</head>\r\n<body>\r\n<div id=\"header\"><h1>Server Error</h1></div>\r\n<div id=\"content\">\r\n <div class=\"content-container\"><fieldset>\r\n  <h2>403 - Forbidden: Access is denied.</h2>\r\n  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>\r\n </fieldset></div>\r\n</div>\r\n</body>\r\n</html>\r\n"
irb(main):004:0> uri = URI('https://tls-v1-2.badssl.com:1012')
=> #<URI::HTTPS https://tls-v1-2.badssl.com:1012>
irb(main):005:0> Net::HTTP.get(uri)
=> "<!DOCTYPE html>\n<html>\n<head>\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <link rel=\"shortcut icon\" href=\"/icons/favicon-green.ico\"/>\n  <link rel=\"apple-touch-icon\" href=\"/icons/icon-green.png\"/>\n  <title>tls-v1-2.badssl.com</title>\n  <link rel=\"stylesheet\" href=\"/style.css\">\n  <style>body { background: green; }</style>\n</head>\n<body>\n<div id=\"content\">\n  <h1 style=\"font-size: 12vw;\">\n    tls-v1-2.<br>badssl.com\n  </h1>\n</div>\n\n</body>\n</html>\n"
irb(main):006:0> uri = URI('https://securemetrics.apple.com')
=> #<URI::HTTPS https://securemetrics.apple.com>
irb(main):007:0> Net::HTTP.get(uri)
=> ""

@ghost ghost changed the title Question: HTTP::Client e.g.(ECDH, RESET, EOF) SSL Problems HTTP::Client e.g.(ECDH, RESET, EOF) SSL Problems Apr 8, 2019

ghost commented Apr 8, 2019

Update

Wow | I found my OpenSSL version in Crystal to be 0.9.8...
I will try to solve it.

$ icr -v
icr version 0.6.0
Author: Potapov Sergey
Homepage: https://github.com/crystal-community/icr

$ icr
icr(0.27.2) > require "openssl"
 => ok
icr(0.27.2) > LibSSL::OPENSSL_VERSION
 => "0.9.8"

@ghost
Copy link
Author

ghost commented Apr 8, 2019

Update

I found some link information for the crystal build.
I will try to solve it (I found some clues).

$ echo "require \"openssl\"" > openssl.cr
$ crystal build openssl.cr --release
$ otool -L ./openssl
./openssl:
	/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
	/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
	/usr/lib/libpcre.0.dylib (compatibility version 1.0.0, current version 1.1.0)
	/usr/local/opt/bdw-gc/lib/libgc.1.dylib (compatibility version 6.0.0, current version 6.2.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.60.2)
	/usr/local/opt/libevent/lib/libevent-2.1.6.dylib (compatibility version 7.0.0, current version 7.2.0)
	/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)

$ cd /usr/lib/ && ls -l -a | grep 'libssl'
-rwxr-xr-x    1 root  wheel    396912  7 15  2017 libssl.0.9.7.dylib
-rwxr-xr-x    1 root  wheel    646160  7 15  2017 libssl.0.9.8.dylib
-rw-r--r--    1 root  wheel    942880  7 15  2017 libssl.35.dylib
-rw-r--r--    1 root  wheel    882656  7 15  2017 libssl.39.dylib
lrwxr-xr-x    1 root  wheel        18 12 16 00:04 libssl.dylib -> libssl.0.9.8.dylib

@ghost
Copy link
Author

ghost commented Apr 8, 2019

Update

Some link solutions for (libssl, libcrypto).

libSSL Link

$ cd /usr/local/include && rm openssl
$ ln -s /usr/local/Cellar/openssl/1.0.2q/include/openssl /usr/local/include

$ sudo ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/lib
Password:

$ cd /usr/lib && ls -l -a | grep 'libssl'
-rwxr-xr-x    1 root  wheel    396912  7 15  2017 libssl.0.9.7.dylib
-rwxr-xr-x    1 root  wheel    646160  7 15  2017 libssl.0.9.8.dylib
lrwxr-xr-x    1 root  wheel        45  4  8 21:16 libssl.1.0.0.dylib -> /usr/local/opt/openssl/lib/libssl.1.0.0.dylib
-rw-r--r--    1 root  wheel    942880  7 15  2017 libssl.35.dylib
-rw-r--r--    1 root  wheel    882656  7 15  2017 libssl.39.dylib
lrwxr-xr-x    1 root  wheel        18 12 16 00:04 libssl.dylib -> libssl.0.9.8.dylib

$ sudo rm libssl.dylib

$ ls -l -a | grep libssl
-rwxr-xr-x    1 root  wheel    396912  7 15  2017 libssl.0.9.7.dylib
-rwxr-xr-x    1 root  wheel    646160  7 15  2017 libssl.0.9.8.dylib
lrwxr-xr-x    1 root  wheel        45  4  8 21:16 libssl.1.0.0.dylib -> /usr/local/opt/openssl/lib/libssl.1.0.0.dylib
-rw-r--r--    1 root  wheel    942880  7 15  2017 libssl.35.dylib
-rw-r--r--    1 root  wheel    882656  7 15  2017 libssl.39.dylib

$ sudo ln -s libssl.1.0.0.dylib libssl.dylib

$ ls -l -a | grep libssl
-rwxr-xr-x    1 root  wheel    396912  7 15  2017 libssl.0.9.7.dylib
-rwxr-xr-x    1 root  wheel    646160  7 15  2017 libssl.0.9.8.dylib
lrwxr-xr-x    1 root  wheel        45  4  8 21:16 libssl.1.0.0.dylib -> /usr/local/opt/openssl/lib/libssl.1.0.0.dylib
-rw-r--r--    1 root  wheel    942880  7 15  2017 libssl.35.dylib
-rw-r--r--    1 root  wheel    882656  7 15  2017 libssl.39.dylib
lrwxr-xr-x    1 root  wheel        18  4  8 21:19 libssl.dylib -> libssl.1.0.0.dylib

libCrypto Link

$ cd /usr/lib && ls -l -a | grep 'crypto'
-rwxr-xr-x    1 root  wheel   2043552  7 15  2017 libcrypto.0.9.7.dylib
-rwxr-xr-x    1 root  wheel   2679312  7 15  2017 libcrypto.0.9.8.dylib
-rw-r--r--    1 root  wheel   4209728  7 15  2017 libcrypto.35.dylib
-rw-r--r--    1 root  wheel   4181040  7 15  2017 libcrypto.38.dylib
lrwxr-xr-x    1 root  wheel        21 12 16 00:04 libcrypto.dylib -> libcrypto.0.9.8.dylib
lrwxr-xr-x    1 root  wheel        54 12 16 00:04 libk5crypto.dylib -> /System/Library/Frameworks/Kerberos.framework/Kerberos

$ sudo ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/lib

$ cd /usr/lib && ls -l -a | grep 'crypto'
-rwxr-xr-x    1 root  wheel   2043552  7 15  2017 libcrypto.0.9.7.dylib
-rwxr-xr-x    1 root  wheel   2679312  7 15  2017 libcrypto.0.9.8.dylib
lrwxr-xr-x    1 root  wheel        48  4  8 21:39 libcrypto.1.0.0.dylib -> /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib
-rw-r--r--    1 root  wheel   4209728  7 15  2017 libcrypto.35.dylib
-rw-r--r--    1 root  wheel   4181040  7 15  2017 libcrypto.38.dylib
lrwxr-xr-x    1 root  wheel        21 12 16 00:04 libcrypto.dylib -> libcrypto.0.9.8.dylib
lrwxr-xr-x    1 root  wheel        54 12 16 00:04 libk5crypto.dylib -> /System/Library/Frameworks/Kerberos.framework/Kerberos

$ sudo rm libcrypto.dylib

$ ls -l -a | grep 'crypto'
-rwxr-xr-x    1 root  wheel   2043552  7 15  2017 libcrypto.0.9.7.dylib
-rwxr-xr-x    1 root  wheel   2679312  7 15  2017 libcrypto.0.9.8.dylib
lrwxr-xr-x    1 root  wheel        48  4  8 21:39 libcrypto.1.0.0.dylib -> /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib
-rw-r--r--    1 root  wheel   4209728  7 15  2017 libcrypto.35.dylib
-rw-r--r--    1 root  wheel   4181040  7 15  2017 libcrypto.38.dylib
lrwxr-xr-x    1 root  wheel        54 12 16 00:04 libk5crypto.dylib -> /System/Library/Frameworks/Kerberos.framework/Kerberos

$ sudo ln -s libcrypto.1.0.0.dylib libcrypto.dylib

$ ls -l -a | grep 'crypto'
-rwxr-xr-x    1 root  wheel   2043552  7 15  2017 libcrypto.0.9.7.dylib
-rwxr-xr-x    1 root  wheel   2679312  7 15  2017 libcrypto.0.9.8.dylib
lrwxr-xr-x    1 root  wheel        48  4  8 21:39 libcrypto.1.0.0.dylib -> /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib
-rw-r--r--    1 root  wheel   4209728  7 15  2017 libcrypto.35.dylib
-rw-r--r--    1 root  wheel   4181040  7 15  2017 libcrypto.38.dylib
lrwxr-xr-x    1 root  wheel        21  4  8 21:42 libcrypto.dylib -> libcrypto.1.0.0.dylib
lrwxr-xr-x    1 root  wheel        54 12 16 00:04 libk5crypto.dylib -> /System/Library/Frameworks/Kerberos.framework/Kerberos

@ghost
Copy link
Author

ghost commented Apr 8, 2019

Update

OK, it worked for the crystal build link information.
But the version information is still 0.9.8.

$ rm -f ./openssl*
$ echo "require \"openssl\"; puts LibSSL::OPENSSL_VERSION" > openssl.cr
$ crystal build openssl.cr --release
$ otool -L ./openssl
./openssl:
	/usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
	/usr/lib/libpcre.0.dylib (compatibility version 1.0.0, current version 1.1.0)
	/usr/local/opt/bdw-gc/lib/libgc.1.dylib (compatibility version 6.0.0, current version 6.2.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.60.2)
	/usr/local/opt/libevent/lib/libevent-2.1.6.dylib (compatibility version 7.0.0, current version 7.2.0)
	/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
$ ./openssl # => 0.9.8 (wtf?)

Member

jhass commented Apr 8, 2019

Should be enough to brew install pkg-config and export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig"

@ghost
Copy link
Author

ghost commented Apr 8, 2019

Update

With the help of @jhass, I solved the last problem (LibSSL::OPENSSL_VERSION).
So far, all SSL problems have been resolved.

Screenshot (before @jhass's reply)

Screenshot 2019-04-08 22 11 42

Finally

If anyone is experiencing this problem, please try my solution.

  • Monday, April 8, 2019
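
The three states this thread passes through (linked against the system 0.9.8 dylib, linked against Homebrew's 1.0.0 dylib while the reported version is still 0.9.8, and both in agreement) can be told apart mechanically. The script below is an added example, not part of the original issue or of Crystal; the function names and status strings are hypothetical, the sample input is constructed from the `otool -L` lines posted above, and it assumes, as the fix in this thread indicates, that the version string Crystal reports follows pkg-config rather than the linked dylib.

```sh
#!/bin/sh
# Added example: classify a binary's OpenSSL linkage from `otool -L` output
# and the OpenSSL version string the program itself reports.

# Constructed sample input, taken from the two `otool -L` listings in this thread
# (leading tabs replaced by spaces).
OTOOL_SYSTEM='./openssl:
  /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
  /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
  /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)'
OTOOL_HOMEBREW='./openssl:
  /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
  /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
  /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)'

# Read `otool -L` output on stdin and print the version embedded in the
# libssl file name, e.g. "0.9.8" for libssl.0.9.8.dylib. Prints nothing if
# no versioned libssl is linked.
linked_libssl_soname() {
  awk '{
    n = split($1, parts, "/"); f = parts[n]
    if (f ~ /^libssl\.[0-9][0-9.]*\.dylib$/) {
      sub(/^libssl\./, "", f); sub(/\.dylib$/, "", f)
      print f; exit
    }
  }'
}

# series VERSION COUNT: print the first COUNT dot-separated components,
# e.g. series 1.0.2q 2 -> 1.0
series() {
  printf '%s\n' "$1" | awk -F. -v n="$2" '{
    out = $1
    for (i = 2; i <= n && i <= NF; i++) out = out "." $i
    print out
  }'
}

# classify_linkage OTOOL_OUTPUT REPORTED_VERSION
#   no-libssl         no versioned libssl dylib in the listing
#   legacy-link       linked against a 0.x library; TLS 1.1/1.2 support only
#                     arrived in OpenSSL 1.0.1, so TLS 1.2-only servers fail
#   version-mismatch  linked library and reported version are different series,
#                     so feature checks keyed on the reported version are wrong
#   ok                linked library and reported version agree
classify_linkage() {
  soname=$(printf '%s\n' "$1" | linked_libssl_soname)
  reported=$2
  [ -n "$soname" ] || { echo "no-libssl"; return 0; }
  case $soname in
    0.*) echo "legacy-link"; return 0 ;;
  esac
  # Compare on at most two components: libssl.1.0.0.dylib serves all of 1.0.x.
  n=$(printf '%s\n' "$soname" | awk -F. '{ print (NF < 2 ? NF : 2) }')
  if [ "$(series "$soname" "$n")" = "$(series "$reported" "$n")" ]; then
    echo "ok"
  else
    echo "version-mismatch"
  fi
}
```

On a real build, pass `"$(otool -L ./openssl)"` and the output of the test program from this thread (`puts LibSSL::OPENSSL_VERSION`) as the two arguments.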

@ghost ghost closed this as completed Apr 8, 2019