SSL handshake problems

5 replies to this topic

#1 SethH

  • Title: Evernote Employee
  • Group: Evernote Employee
  • 684 posts

Posted 15 June 2012 - 12:51 AM

Hi everybody, over the past couple of weeks we've seen several reports of trouble establishing HTTPS connections to our API endpoints. The problem is related to a recent update to OpenSSL: http://rt.openssl.or...uest&pass=guest

Systems and applications that rely on OpenSSL for HTTPS support may see the SSL handshake fail when attempting to connect to our servers. The problem is that the client is requesting TLS v1.2 and our servers aren't properly negotiating down to a mutually supported protocol version.

We're working with our SSL accelerator vendor to resolve the apparent server-side problem. In the meantime, you should be able to work around this problem by configuring your app to force TLS v1.0 or SSL v3.
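Added example (not part of the original post, and not Evernote's or OpenSSL's code): a model of the negotiation failure described above. It builds a constructed ClientHello, reads its client_version field, and compares a server that negotiates down, as the TLS specification requires, with one that aborts; the function names and the `tolerant` flag are hypothetical.

```python
import struct

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303

def build_client_hello(client_version):
    """Constructed minimal ClientHello record (one cipher suite, no extensions)."""
    body = struct.pack("!H", client_version)   # client_version: highest version offered
    body += bytes(32)                          # random (zeroed, constructed sample)
    body += b"\x00"                            # empty session_id
    body += struct.pack("!HH", 2, 0x002F)      # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                        # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # msg_type 1 = client_hello
    # Record header: content type 22 (handshake), record version, payload length.
    return struct.pack("!BHH", 22, TLS10, len(handshake)) + handshake

def parse_client_version(record):
    """Return the client_version field of a record holding a ClientHello."""
    if len(record) < 11:
        raise ValueError("record too short for a ClientHello")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != 22 or record[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    if length != len(record) - 5:
        raise ValueError("record length mismatch")
    return struct.unpack("!H", record[9:11])[0]

def negotiate(record, server_max, tolerant=True):
    """Version the server would answer with, or None if the handshake fails."""
    offered = parse_client_version(record)
    if offered <= server_max:
        return offered              # server speaks what the client offered
    # The client offers more than the server speaks. A correct server replies
    # with its own highest version; a version-intolerant one aborts instead.
    return server_max if tolerant else None

if __name__ == "__main__":
    for offered in (TLS12, TLS10):
        hello = build_client_hello(offered)
        print(hex(offered), "tolerant:", negotiate(hello, TLS10),
              "intolerant:", negotiate(hello, TLS10, tolerant=False))
```

Capping the client at TLS v1.0 makes the offered version equal to the server's maximum, so the intolerant branch is never reached.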

#2 philippkueng

  • Title: Member
  • Group: Members
  • 2 posts

Posted 21 June 2012 - 09:12 AM

Hi Seth, I think I ran into this problem. But I don't quite get what you mean by configuring the app to use TLS v1.0.

I'm currently using your evernote-sdk-ruby library with the latest commit together with ruby 1.9.2p290 on OSX. Deploying on heroku later for staging and production.

The problem I'm struggling with is the thrift part of the evernote library (error output below) (for API key agentcmos-8675)

[2012-06-21 11:01:42] ERROR NoMethodError: undefined method `length' for nil:NilClass
/Users/philippkueng/Documents/Programming/Ruby/sharelephant-worker/evernote-sdk-ruby/lib/thrift/transport/base_transport.rb:88:in `read_all'

It works in the sandbox seamlessly. Also, I have another key (agentcmos-5516) I'm using and this other one works both in the sandbox and in production without any issues.

The question is what's needed to force the evernote-sdk into using TLS v1.0?

Thanks for your help.


UPDATE -----

The production key also isn't working on heroku staging; however, the sandbox key is, just so there's no confusion there.

#3 Hiroshi Miura

  • Title: Member
  • Group: Members
  • 5 posts

Posted 19 August 2012 - 12:43 PM

Hi, the Evernote server does not support TLSv1.1 and v1.2.
On the other hand, OpenSSL v1.0.x now supports TLS v1.1/1.2, and WINE also supports it automatically.

The Evernote client uses WinInet.dll, which, if TLSv1.2 negotiation fails, tries SSL3/TLS1.0 again.
This does not cause a problem on Windows.

A solution is to disable TLSv1.1/1.2 on WINE.

A patch is as follows:
https://gist.github.com/3394551

#4 FMCorz

  • Title: Member
  • Group: Members
  • 1 posts

Posted 25 September 2012 - 02:08 AM

What's the status on this issue?

+1 to fix this soon (or to fix the PHP SDK to use something other than fopen())!

Cheers!

#5 Andrew May

  • Title: Member
  • Group: Members
  • 1 posts

Posted 19 October 2012 - 04:56 AM

This fixes it for me on Python by overloading the ssl.wrap_socket function to force the "ssl_version" value to TLSv1.

Do an "import ssl" and run this bit of code before doing your first connect.
=======
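import ssl

# Keep a reference to the original function so the wrapper can delegate to it.
orig_ssl_wrap = ssl.wrap_socket

def my_ssl_wrap(socket, keyfile=None, certfile=None, server_side=False, cert_reqs=0, ssl_version=2, ca_certs=None, do_handshake_on_connect=True, suppress_ragged_eofs=True, ciphers=None):
    # Ignore the version the caller asked for and always use TLS v1.0.
    ssl_version = ssl.PROTOCOL_TLSv1
    return orig_ssl_wrap(socket, keyfile, certfile, server_side, cert_reqs, ssl_version, ca_certs, do_handshake_on_connect, suppress_ragged_eofs, ciphers)

# Replace the module-level function so every later caller goes through the wrapper.
ssl.wrap_socket = my_ssl_wrap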

#6 SethH

  • Title: Evernote Employee
  • Group: Evernote Employee
  • 684 posts

Posted 29 November 2012 - 04:01 AM

UPDATE
Our SSL endpoints have been updated to support TLS 1.2, so this issue should be resolved. Please let us know if you're still having problems.
