SethH

SSL handshake problems

7 posts in this topic

Hi everybody, over the past couple of weeks we've seen several reports of trouble establishing HTTPS connections to our API endpoints. The problem is related to a recent update to OpenSSL: http://rt.openssl.org/Ticket/Display.html?id=2802&user=guest&pass=guest

Systems and applications that rely on OpenSSL for HTTPS support may see the SSL handshake fail when attempting to connect to our servers. The problem is that the client is requesting TLS v1.2 and our servers aren't properly negotiating down to a mutually supported protocol version.

We're working with our SSL accelerator vendor to resolve the apparent server-side problem. In the meantime, you should be able to work around this problem by configuring your app to force TLS v1.0 or SSL v3.

Hi Seth, I think I ran into this problem. But I don't quite get what you mean by configuring the app to use TLS v1.0.

I'm currently using your evernote-sdk-ruby library with the latest commit together with ruby 1.9.2p290 on OSX. Deploying on heroku later for staging and production.

The problem I'm struggling with is the thrift part of the evernote library (error output below) (for API key agentcmos-8675)


[2012-06-21 11:01:42] ERROR NoMethodError: undefined method `length' for nil:NilClass
/Users/philippkueng/Documents/Programming/Ruby/sharelephant-worker/evernote-sdk-ruby/lib/thrift/transport/base_transport.rb:88:in `read_all'

It works in the sandbox seamlessly. Also, I have another key (agentcmos-5516) I'm using and this other one works both in the sandbox and in production without any issues.

The question is what's needed to force the evernote-sdk into using TLS v1.0?

Thanks for your help.

UPDATE -----

The production key also isn't working on heroku staging; however, the sandbox key is, just so there's no confusion there.

Hi, the Evernote server does not support TLSv1.1 and v1.2.

On the other hand, OpenSSL v1.0.x now supports TLS v1.1/1.2, and WINE also supports it automatically.

The Evernote client uses WinInet.dll, which, if TLSv1.2 negotiation fails, retries with SSL3/TLS1.0.

This does not cause a problem on Windows.

A solution is to disable TLSv1.1/1.2 on WINE.

A patch is as follows:

https://gist.github.com/3394551

What's the status on this issue?

+1 to fix this soon (or to fix the PHP SDK to use something else than fopen())!

Cheers!

This fixes it for me on Python by overloading the ssl.wrap_socket function to force the "ssl_version" value to TLSv1.

Do an "import ssl" and run this bit of code before doing your first connect.

=======

import ssl

# Keep a reference to the original function so the wrapper can delegate to it.
orig_ssl_wrap = ssl.wrap_socket

def my_ssl_wrap(sock, keyfile=None, certfile=None, server_side=False,
                cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_SSLv23,
                ca_certs=None, do_handshake_on_connect=True,
                suppress_ragged_eofs=True, ciphers=None):
    # Ignore whatever protocol the caller asked for and force TLS 1.0,
    # the version the server negotiates correctly.
    ssl_version = ssl.PROTOCOL_TLSv1
    return orig_ssl_wrap(sock, keyfile, certfile, server_side, cert_reqs,
                         ssl_version, ca_certs, do_handshake_on_connect,
                         suppress_ragged_eofs, ciphers)

# Monkey-patch so every later wrap_socket() call uses the forced version.
ssl.wrap_socket = my_ssl_wrap

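On current Python (3.7+), ssl.wrap_socket no longer exists, so the monkey-patch above cannot be applied as written. The following is an added example, not code from the thread or from the evernote SDK: it caps the client's offered protocol version through an SSLContext and walks the cap downward the way the WinInet retry behaviour described earlier does, reporting which cap the server accepted and why the higher ones failed. The host, port, helper names and the candidate version list are assumptions made for this example.

```python
import socket
import ssl

# Protocol caps to try, highest first (constructed for this example).
CANDIDATE_CAPS = (
    ssl.TLSVersion.TLSv1_3,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1,
)


def handshake_with_cap(host, port, max_version, timeout=5.0):
    """Do one TLS handshake with the client's offer capped at max_version.

    Returns the negotiated protocol name (e.g. 'TLSv1.2'); raises OSError
    (ssl.SSLError is a subclass) when the server does not complete it.
    Certificate verification stays enabled via create_default_context().
    """
    ctx = ssl.create_default_context()
    # Newer Pythons default the floor to TLS 1.2; lower it so the older
    # caps can actually be offered while diagnosing the server.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.maximum_version = max_version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def find_working_cap(attempt, caps=CANDIDATE_CAPS):
    """Walk the caps downward until one handshake succeeds.

    attempt(max_version) runs a single handshake and returns the negotiated
    version or raises OSError. Returns (cap_that_worked, negotiated_version,
    failures) with failures mapping each rejected cap name to its error text;
    raises OSError if every cap fails.
    """
    failures = {}
    for cap in caps:
        try:
            negotiated = attempt(cap)
        except OSError as exc:
            failures[cap.name] = str(exc)
            continue
        return cap, negotiated, failures
    raise OSError("no protocol cap completed a handshake: %r" % failures)


def probe_server(host, port):
    """Live probe of a server (hypothetical target; not exercised offline)."""
    return find_working_cap(lambda cap: handshake_with_cap(host, port, cap))
```

A cap that only succeeds at TLS 1.1 or 1.0 points at the server-side negotiation defect the thread describes; leave the cap in place only until the server is fixed, since it also lowers the protection of every connection that uses it.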

UPDATE

Our SSL endpoints have been updated to support TLS 1.2, so this issue should be resolved. Please let us know if you're still having problems.

Is this SSL handshake an issue that could occur again even with v6.0.5 Mac? Thanks.
