Use Client Cert and TLS_RSA_WITH_AES_256_CBC_SHA and other cipher suites
I am working on an SSL Handshake with a server that requires TLSv1 and above.
They ciphers they support are:
TLS_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
My current connection looks something like this:
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.cert = OpenSSL::X509::Certificate.new(File.read("my.cer"))
http.ca_file = 'their_root.cer'
http.ciphers = ['need-to-figure-out']
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ssl_version = :TLSv1_2
request = Net::HTTP::Post.new(uri.request_uri)
request.body = my_xml
response = http.request(request)
I need to figure out if Ruby supports these ciphers, since I can't find them in the listed ciphers using the puts OpenSSL::Cipher.ciphers method, yet they are required in order to make this connection.
Also, does anyone know what I can change http.ssl_version = :TLSv1_2 to, to make it also allow TLSv3?
EDIT:
Thanks for all your comments. The cipher that works is
proxy_request.ciphers = ["AES256-SHA:AES128-SHA:DES-CBC3-SHA"]
And it shows up in Wireshark like
So thank you very much for that. I'm noticing that I am giving a client "Hello", but I never see a Server Hello in Wireshark, which coincides with the infamous error i'm getting
OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
/Users/me/.rbenv/versions/2.1.6/lib/ruby/2.1.0/net/http.rb:927:in `connect'
Based on my wireshark, does anyone have any Idea what I am doing wrong?
You can see my script more fully in this question. Thanks in advance API Request - OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
They ciphers they support are:
TLS_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
And:
http.ciphers = ['need-to-figure-out']
You can map the IANA cipher suite names like TLS_RSA_WITH_AES_128_CBC_SHA, to OpenSSL cipher string names, like AES128-SHA, using the openssl ciphers man page. Its a simple lookup - just search the page for the IANA registry name and you will land on OpenSSL's name eventually.
I believe the cipher string you should use is:
http.ciphers = ["AES256-SHA:AES128-SHA:DES-CBC3-SHA"]
... does anyone know what I can change
http.ssl_version = :TLSv1_2... to make it also allow TLSv3?
For this in OpenSSL, you need to set context options. In Ruby, you need to set OpenSSL::SSL::SSL_OP_NO_SSLv2 throughOpenSSL::SSL::SSL_OP_NO_TLSv1_1. That will leave TLS 1.2 and TLS 1.3 (when TLS 1.3 becomes available). Also see How to set TLS context options in Ruby (like OpenSSL::SSL::SSL_OP_NO_SSLv2).
The TLS_RSA_WITH_* schemes are RSA key transport schemes. TLS 1.3 will not offer them. They have been removed in favor of schemes that provide forward secrecy. Schemes that provide forward secrecy are the Diffie-Hellman ones, like TLS_DHE_* and TLS_ECDHE_*.
Even the banking industry could not get the IETF to change the decision. Hat's off to the IETF for holding their ground. I think they are a bit too accommodating at times and that often leads to weaker security. But I think they made the right decision in the post-Snowed era, where we have a good idea of the extent of the snooping and spying.
- How to import Tailwind plugin in Rails 7
- How can I avoid running ActiveRecord callbacks?
- Ruby on Rails: Load Utility Module for Unit Test
- What's :locals for in render in rails?
- Implement a derived attribute in Rails 7
- How to select where ID in Array Rails ActiveRecord without exception
- error connecting external database with rails
- Calling a turbo stream from within another one
- Why is Bundler ignoring Gemfile.lock in GitHub actions?
- How do I render a partial of a different format in Rails?
- How do I use the "turbo:frame-load" event with Hotwire and Stimulus in Rails?
- Rails5 Directly inheriting from from ActiveRecord::Migration is not supported. Sorcery Gem
- Uninitialized constant Admin::Admin
- In Rails, how to have an /admin section, and then controllers within the admin section?
- How to use tailwind css gem in a rails 7 engine?
- Rails Active Storage - Keep Existing Files / Uploads?
- Multiple hits to an API bringing server to it's knees
- Trying to allow creation of a related object in Ruby on Rails form
- Adding * to required form labels
- Rails 4 + Capistrano 3 - Deploy to Production Server from Local Repo
- How to set up has_many, through: with only unique combinations
- Rails 3.0.2 installation build fails with "error: 'maybe_unused' attribute cannot be applied to types"
- Reserved names with ActiveRecord models
- How do I order by lower-cased field on an aliased association without manually specifying a join?
- Convert string array to array object
- Rails ( set_no_cache method) Cannot disable browser caching in Safari and Opera
- controller action iterates, thereby generating an N+1 condition
- Error running '__rvm_make install',
- failed to install ruby Error running '__rvm_make -j4',
- Can't find the PostgreSQL client library (libpq)