SethH

SSL handshake problems

Hi everybody, over the past couple of weeks we've seen several reports of trouble establishing HTTPS connections to our API endpoints. The problem is related to a recent update to OpenSSL: http://rt.openssl.org/Ticket/Display.html?id=2802&user=guest&pass=guest

Systems and applications that rely on OpenSSL for HTTPS support may see the SSL handshake fail when attempting to connect to our servers. The problem is that the client is requesting TLS v1.2 and our servers aren't properly negotiating down to a mutually supported protocol version.

We're working with our SSL accelerator vendor to resolve the apparent server-side problem. In the meantime, you should be able to work around this problem by configuring your app to force TLS v1.0 or SSL v3.

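An added example, not part of the original post and not Evernote's code: when a client that offers TLS v1.2 fails to connect, the first bytes the server sends back show whether it negotiated down correctly, refused with an alert, or dropped the connection. The function below classifies that first record; the sample byte strings are constructed for illustration, and the status names are assumptions of this example.

```python
import struct

# TLS wire versions (major, minor) -> name
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def classify_reply(offered, reply):
    """Classify the first record a server returns after a ClientHello.

    offered: (major, minor) from ClientHello.client_version
    reply:   raw bytes read from the socket; b"" if the peer closed
    Returns (status, detail).
    """
    if len(reply) < 5:
        return ("no_reply", "connection closed before any TLS record")
    ctype, _major, _minor, length = struct.unpack("!BBBH", reply[:5])
    body = reply[5:5 + length]
    if ctype == 21 and len(body) >= 2:            # alert record: level, description
        return ("alert", ALERTS.get(body[1], "alert_%d" % body[1]))
    if ctype == 22 and len(body) >= 6 and body[0] == 2:   # handshake: ServerHello
        chosen = (body[4], body[5])               # server_version follows the 4-byte header
        name = VERSIONS.get(chosen, "unknown %d.%d" % chosen)
        if chosen > offered:
            return ("invalid", name)              # a server must not exceed the client's offer
        return ("negotiated" if chosen == offered else "negotiated_down", name)
    return ("unexpected", "record type %d" % ctype)

def record(ctype, payload, version=(3, 1)):
    """Wrap a payload in a TLS record header (used only to build the samples)."""
    return bytes([ctype, version[0], version[1]]) + struct.pack("!H", len(payload)) + payload

# Constructed samples, not captured traffic.
# ServerHello: type 2, length 38, version 3.1, 32-byte random, empty session id,
# one cipher suite, null compression.
SERVER_HELLO_TLS10 = record(22, bytes([2, 0, 0, 38, 3, 1]) + bytes(32) + bytes([0, 0x00, 0x2F, 0]))
FATAL_ALERT = record(21, bytes([2, 40]))          # fatal handshake_failure
CLOSED = b""

if __name__ == "__main__":
    samples = [("downgrade", SERVER_HELLO_TLS10), ("alert", FATAL_ALERT), ("closed", CLOSED)]
    for label, reply in samples:
        print(label, classify_reply((3, 3), reply))
```

A `negotiated_down` result is the behaviour a correctly working server shows to a TLS v1.2 client it cannot match; `alert` or `no_reply` for the same offer points at the server side rather than the client.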

Hi Seth, I think I ran into this problem. But I don't quite get what you mean with configuring the app to use TLS v1.0

I'm currently using your evernote-sdk-ruby library with the latest commit together with ruby 1.9.2p290 on OSX. Deploying on heroku later for staging and production.

The problem I'm struggling with is the thrift part of the evernote library (error output below) (for API key agentcmos-8675)


[2012-06-21 11:01:42] ERROR NoMethodError: undefined method `length' for nil:NilClass
/Users/philippkueng/Documents/Programming/Ruby/sharelephant-worker/evernote-sdk-ruby/lib/thrift/transport/base_transport.rb:88:in `read_all'

It works in the sandbox seamlessly. Also, I have another key (agentcmos-5516) I'm using and this other one works both in the sandbox and in production without any issues.

The question is what's needed to force the evernote-sdk into using TLS v1.0?

Thanks for your help.

UPDATE -----

The production key also isn't working on heroku staging however the sandbox key is, just so there's no confusion there.


Hi, the Evernote server does not support TLSv1.1 and v1.2.

On the other hand, OpenSSL v1.0.x now supports TLS v1.1/1.2 and WINE also supports it automatically.

The Evernote client uses WinInet.dll, which, if TLSv1.2 negotiation fails, tries SSL3/TLS1.0 again.

This does not cause a problem on Windows.

A solution is to disable TLSv1.1/1.2 on WINE.

A patch is as follows:

https://gist.github.com/3394551


This fixes it for me on python by overloading the ssl.wrap_socket function to force the "ssl_version" value to TLSv1.

Do an "import ssl" and run this bit of code before doing your first connect.

=======

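import ssl

# Keep a reference to the original function so the wrapper can call it.
orig_ssl_wrap = ssl.wrap_socket

def my_ssl_wrap(socket, keyfile=None, certfile=None, server_side=False, cert_reqs=0, ssl_version=2, ca_certs=None, do_handshake_on_connect=True, suppress_ragged_eofs=True, ciphers=None):
    # Ignore whatever ssl_version the caller passed and always use TLSv1.
    ssl_version = ssl.PROTOCOL_TLSv1
    return orig_ssl_wrap(socket, keyfile, certfile, server_side, cert_reqs, ssl_version, ca_certs, do_handshake_on_connect, suppress_ragged_eofs, ciphers)

# Replace the module-level function so every later connect goes through the wrapper.
ssl.wrap_socket = my_ssl_wrap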


UPDATE

Our SSL endpoints have been updated to support TLS 1.2, so this issue should be resolved. Please let us know if you're still having problems.
