
#1 2023-01-11 13:40:15

dodomockl
Member
Registered: 2023-01-05
Posts: 5

ruby gem installation fails with SSL connection timeout

The system is up to date; ruby and gem are installed, and also openssl.

When I want to install a ruby gem, I get the following error:

 gem install mechanize

->

ERROR:  Could not find a valid gem 'mechanize' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - Net::OpenTimeout: Net::OpenTimeout (https://rubygems.org/specs.4.8.gz)

When I try to read the specs with curl, I get the following result:

 curl -vvv -k https://rubygems.org/specs.4.8.gz --output tmp/specs.4.8.gz

->

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 151.101.129.227:443...
* Connected to rubygems.org (151.101.129.227) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
  0     0    0     0    0     0      0      0 --:--:--  0:04:59 --:--:--     0* SSL connection timeout
  0     0    0     0    0     0      0      0 --:--:--  0:05:00 --:--:--     0
* Closing connection 0
curl: (28) SSL connection timeout

In principle, the target host is reachable and the socket is opened, but the SSL negotiation fails.

Thanks in advance for help.

Last edited by dodomockl (2023-01-12 19:41:54)


#2 2023-01-11 20:32:31

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 1,096

Re: ruby gem installation fails with SSL connection timeout

Please use [ code ] tags (without the spaces) when posting output.

What version of openssl are you on? The download works for me, but there is a warning:

SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

Full result of the TLS handshake (download works fine here):

$  curl -vvv -k https://rubygems.org/specs.4.8.gz --output ./specs.4.8.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 151.101.129.227:443...
* Connected to rubygems.org (151.101.129.227) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2879 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=rubygems.org
*  start date: Oct 26 17:42:30 2022 GMT
*  expire date: Nov 27 17:42:29 2023 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA 2022 Q4
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* h2h3 [:method: GET]
* h2h3 [:path: /specs.4.8.gz]
* h2h3 [:scheme: https]
* h2h3 [:authority: rubygems.org]
* h2h3 [user-agent: curl/7.87.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55f5338b6e60)
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> GET /specs.4.8.gz HTTP/2
> Host: rubygems.org
> user-agent: curl/7.87.0
> accept: */*
>
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [177 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< HTTP/2 200


#3 2023-01-12 10:10:13

dodomockl
Member
Registered: 2023-01-05
Posts: 5

Re: ruby gem installation fails with SSL connection timeout

sudo pacman -Ss openssl | grep '\<Installiert\>' | grep openssl

  ->

core/openssl 3.0.7-4 [Installiert]
core/openssl-1.1 1.1.1.s-4 [Installiert]

I checked gem for referenced shared libraries, to get the openssl versions:

which gem
ldd /usr/bin/gem

The result says (in German) that gem is not dynamically linked...

Then I looked at curl's shared libraries:

ldd $(which curl)
	linux-vdso.so.1 (0x00007fff0d590000)
	libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f2259c8b000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f2259aa4000)
	libnghttp2.so.14 => /usr/lib/libnghttp2.so.14 (0x00007f2259a78000)
	libidn2.so.0 => /usr/lib/libidn2.so.0 (0x00007f2259a56000)
	libssh2.so.1 => /usr/lib/libssh2.so.1 (0x00007f2259a14000)
	libpsl.so.5 => /usr/lib/libpsl.so.5 (0x00007f2259a00000)
	libssl.so.3 => /usr/lib/libssl.so.3 (0x00007f225995e000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f2259400000)
	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007f225990a000)
	libzstd.so.1 => /usr/lib/libzstd.so.1 (0x00007f2259861000)
	libbrotlidec.so.1 => /usr/lib/libbrotlidec.so.1 (0x00007f2259853000)
	libz.so.1 => /usr/lib/libz.so.1 (0x00007f22593e6000)
	/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f2259d71000)
	libunistring.so.5 => /usr/lib/libunistring.so.5 (0x00007f225922c000)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00007f2259154000)
	libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00007f2259126000)
	libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x00007f225984b000)
	libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00007f2259118000)
	libkeyutils.so.1 => /usr/lib/libkeyutils.so.1 (0x00007f2259111000)
	libresolv.so.2 => /usr/lib/libresolv.so.2 (0x00007f22590fd000)
	libbrotlicommon.so.1 => /usr/lib/libbrotlicommon.so.1 (0x00007f22590da000)

curl references libssl.so.3, so the openssl version is 3.0.7-4 (as seen above).

Last edited by dodomockl (2023-01-12 10:33:14)


#4 2023-01-12 15:50:57

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 1,096

Re: ruby gem installation fails with SSL connection timeout

What is your output of:

$ pacman -Q openssl ca-certificates


#5 2023-01-12 19:06:30

dodomockl
Member
Registered: 2023-01-05
Posts: 5

Re: ruby gem installation fails with SSL connection timeout

This is the requested output:

openssl 3.0.7-4
ca-certificates 20220905-1

Last edited by dodomockl (2023-01-12 19:16:49)


#6 2023-01-12 21:06:09

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 1,096

Re: ruby gem installation fails with SSL connection timeout

Both openssl and ca-certificates are the same for me.

Looking at your original post log output, assuming that's the full log, it appears to fail on the first "IN" transaction, which should have been (from my working log):

* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Certificate Status (22):

Do you have a firewall active? Are you able to curl (with the same parameters) from any other random server?


#7 2023-01-13 07:23:35

dodomockl
Member
Registered: 2023-01-05
Posts: 5

Re: ruby gem installation fails with SSL connection timeout

A curl GET from another host works:

curl -vvv -k https://google.com --output -

->

*   Trying 142.250.184.228:443...
* Connected to ggoogle.com (142.250.184.228) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, CERT verify (15):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www.google.com
*  start date: Dec 12 08:19:43 2022 GMT
*  expire date: Mar  6 08:19:42 2023 GMT
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: ggoogle.com]
* h2h3 [user-agent: curl/7.87.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55bab60d6e60)
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: ggoogle.com
> user-agent: curl/7.87.0
> accept: */*
>
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 404
< content-type: text/html; charset=UTF-8
< referrer-policy: no-referrer
< content-length: 1561
< date: Fri, 13 Jan 2023 07:24:37 GMT
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 404 (Not Found)!!1</title>
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>404.</b> <ins>That’s an error.</ins>
  <p>The requested URL <code>/</code> was not found on this server.  <ins>That’s all we know.</ins>
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Connection #0 to host ggoogle.com left intact

Last edited by dodomockl (2023-01-13 07:26:34)


#8 2023-01-13 20:29:28

dodomockl
Member
Registered: 2023-01-05
Posts: 5

Re: ruby gem installation fails with SSL connection timeout

I did some reading on the web about TLS connection negotiation:
In my first post, gem starts with a 'Client Hello' message.
As far as I know, this contains the 'hello' string, the desired TLS version (1.3) and our set of ciphers, from which the server can choose, plus some random bytes ('client random').
Then the server blocks.

Last edited by dodomockl (2023-01-14 07:15:54)
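
The comparison made by hand in post #6 (failing trace against working trace) can be automated. The following Ruby script is an added example, not code from any poster in this thread: it reports the last handshake stage that appears in a `curl -v` trace. The stage names, hint texts and function names are the editor's own, and the sample traces are abridged from posts #1 and #2.

```ruby
# Added example (not from the thread): find how far a `curl -v` TLS trace got.
# Patterns match the trace wording shown in this thread (curl 7.87.0 / OpenSSL).
STAGES = [
  [:tcp_connected,  /\* Connected to /],
  [:client_hello,   /\(OUT\), TLS handshake, Client hello/],
  [:server_hello,   /\(IN\), TLS handshake, Server hello/],
  [:certificate,    /\(IN\), TLS handshake, Certificate/],
  [:handshake_done, /\* SSL connection using /],
  [:http_response,  %r{^< HTTP/\S+ \d{3}}],
].freeze

# Editor's own wording for each stopping point; these are hints, not curl output.
HINTS = {
  no_connection:  "TCP connect never completed",
  tcp_connected:  "socket open, but no ClientHello was sent",
  client_hello:   "ClientHello sent, no ServerHello seen: check firewall / network path",
  server_hello:   "ServerHello seen, certificate message missing",
  certificate:    "certificate received, handshake not finished",
  handshake_done: "TLS established, no HTTP response",
  http_response:  "TLS and HTTP both completed",
}.freeze

# Returns the last stage (in handshake order) that appears anywhere in the trace.
def furthest_stage(trace)
  idx = STAGES.rindex { |_, pattern| trace.each_line.any? { |l| l.match?(pattern) } }
  idx ? STAGES[idx][0] : :no_connection
end

def diagnose(trace)
  stage = furthest_stage(trace)
  { stage: stage, timed_out: trace.match?(/SSL connection timeout/), hint: HINTS[stage] }
end

# Abridged from the traces in posts #1 (failing) and #2 (working).
FAILING_TRACE = <<~TRACE
  * Connected to rubygems.org (151.101.129.227) port 443 (#0)
  * [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
  * SSL connection timeout
  curl: (28) SSL connection timeout
TRACE
WORKING_TRACE = <<~TRACE
  * Connected to rubygems.org (151.101.129.227) port 443 (#0)
  * [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
  * [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
  * [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
  * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  < HTTP/2 200
TRACE
[FAILING_TRACE, WORKING_TRACE].each { |t| p diagnose(t) }
```

The traces in this thread were captured with `-k`, so they show where the handshake stops but say nothing about whether certificate verification would pass.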
