OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed) while connecting to Paypal

Problem description

I know there are lots of discussion regarding this error but sorry to say that I'm unable to find any working solution over there.

I'm developing an ecommerce site using ShareTribe. I'm trying to implement Paypal as payment gateway. So I'm using Activemerchant.

Everything works fine on the development machine, but when I deploy my Rails app to production it throws

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)

I'm initializing my Activemerchant as

config.after_initialize do
  ActiveMerchant::Billing::Base.mode = :test
  paypal_options = {
    login: "bla bla",
    password: "bla bla",
    signature: "bla bla",
    appid: "APP-80W284485P519543T"
  }
  ::EXPRESS_GATEWAY = ActiveMerchant::Billing::PaypalExpressGateway.new(paypal_options)
end

Added HTTPS and Disabled SSLV3

After lots of googling I found that

SSLv3 was proven to be insecure with the POODLE vulnerability. You should make sure that your system has the latest version of OpenSSL so that you can use TLSv1.2.

So I disabled SSLV3 as shown below

 openssl s_client -connect kickmarket.eu:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...........................................
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2038 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4D23F4A942AAD4264BE96EB5F1E62204269D882A64ACFBD2D139CD2F10A449A0
    Session-ID-ctx: 
    Master-Key: 1E381DAA3BA90FE3609606716E7E9A2EB2E2F671E9F3C4005D8EBAE009103A7AB771FB2AC8B45F169F43CBD0AD352E06
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
   ..................................

    Start Time: 1446132175
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

But after restarting nginx I got the same problem. Is there any way to fix this issue? Any suggestion will be appreciated.

Recommended answer

The primary cause for this is that the rvm-installed ruby looks into the wrong directory for certificates, whereas the OSX-ruby will look into the correct one.

What you wanna do is NOT TO USE any of the precompiled rubies and rather have ruby compiled on your local machine, like so:

rvm install 2.2.0 --disable-binary

You can read a detailed explanation at https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
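
To check the answer's diagnosis on a given machine, the following added example (not part of the original answer or of rvm) reports which CA bundle file and CA directory the running Ruby's OpenSSL will consult, and whether they contain any usable certificates. The helper names `ca_paths`, `bundle_certs` and `ca_store_report` are hypothetical.

```ruby
require "openssl"

# Resolve the CA bundle file and hashed CA directory this Ruby's OpenSSL uses
# by default. SSL_CERT_FILE / SSL_CERT_DIR override the compiled-in paths.
def ca_paths(env = ENV)
  {
    file: env["SSL_CERT_FILE"] || OpenSSL::X509::DEFAULT_CERT_FILE,
    dir:  env["SSL_CERT_DIR"]  || OpenSSL::X509::DEFAULT_CERT_DIR
  }
end

# Parse every PEM certificate in a bundle. A missing or unreadable file yields
# an empty list, which is the "wrong directory" case the answer describes.
def bundle_certs(path)
  return [] unless File.file?(path) && File.readable?(path)
  pems = File.binread(path)
             .scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  pems.map do |pem|
    begin
      OpenSSL::X509::Certificate.new(pem)
    rescue OpenSSL::X509::CertificateError
      nil # skip entries that do not parse
    end
  end.compact
end

# Summarise whether the default trust store can anchor any verification.
def ca_store_report(env = ENV, now: Time.now)
  paths = ca_paths(env)
  certs = bundle_certs(paths[:file])
  # c_rehash-style directories hold files named <subject-hash>.<n>
  hashed = Dir.exist?(paths[:dir]) ? Dir.glob(File.join(paths[:dir], "*.[0-9]")) : []
  {
    file: paths[:file],
    dir: paths[:dir],
    bundle_certs: certs.size,
    bundle_expired: certs.count { |c| c.not_after < now },
    dir_entries: hashed.size,
    usable: certs.any? { |c| c.not_after >= now } || !hashed.empty?
  }
end

# Print the report when run directly, e.g. with the rvm Ruby on the server.
if __FILE__ == $PROGRAM_NAME
  ca_store_report.each { |key, value| puts "#{key}: #{value}" }
end
```

If `usable` is false for the Ruby that runs the Rails app, every outbound HTTPS connection that verifies the peer will fail with `certificate verify failed`, whichever server it talks to.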
