Errno::ECONNRESET: Connection reset by peer - SSL_connect

[dsteadman]

Running 1.9.3 and Rails 3.2.14

I've been getting

Errno::ECONNRESET: Connection reset by peer - SSL_connect

I've tried this on multiple dev machines, made sure it wasn't an issue with openssl, all to no avail. Anyone experience the same / have a suggestion for what could be causing it?

Thanks

[dsteadman]

I ran a test against their API (https://www.ssllabs.com/ssltest/analyze.html?d=swsim.stamps.com) and it seems that it's failing with TLS 1.2 and SSLv2. Does anyone have experience forcing a different TLS / SSL version with this gem? It seems like a solution would be to force SSLv3 and TLS 1.0.

[mattsears]

Hey @dsteadman. Sorry, I have not come across this issue before with stamps. I've tried it locally, but not getting the same error. I remember having OpenSSL and RVM issues with my Ruby version a while back. I'm not sure if it’s the same issue you're having though.

[kayluhb]

I'm also seeing this issue when testing on ubuntu with rvm 1.22.3, ruby-2.0.0, and rails 3.2.14. @mattsears what were the issues you were having? Is there a way to explicitly configure the gem to use different TLS / SSL?

[kayluhb]

I also just tried with a fresh rails project (ruby 1.9.3, rails 3.2.14) and I'm getting the same issues.

My stamps settings look like this (with the correct integration id and u/p)

Stamps.configure do |config|
  config.integration_id = 'integration-id'
  config.username       = 'username'
  config.password       = 'password'
# Tried with and without the namespace.
#  config.namespace      = 'http://stamps.com/xml/namespace/2012/05/swsim/swsimv29'
  config.endpoint       = 'https://swsim.testing.stamps.com/swsim/swsimv29.asmx'
  config.test_mode      = true
  config.raise_errors   = true
end

Gems look like this:

$ gem list

*** LOCAL GEMS ***

actionmailer (3.2.14)
actionpack (3.2.14)
activemodel (3.2.14)
activerecord (3.2.14)
activeresource (3.2.14)
activesupport (3.2.14)
akami (1.2.0)
arel (3.0.2)
builder (3.0.4)
bundler (1.3.5)
bundler-unload (1.0.1)
coffee-rails (3.2.2)
coffee-script (2.2.0)
coffee-script-source (1.6.3)
erubis (2.7.0)
execjs (2.0.1)
gyoku (1.1.0)
hashie (1.0.0)
hike (1.2.3)
httpi (2.1.0)
i18n (0.6.5)
journey (1.0.4)
jquery-rails (3.0.4)
json (1.8.0)
mail (2.5.4)
mime-types (1.25)
multi_json (1.8.0)
nokogiri (1.5.10)
nori (2.3.0)
pg (0.16.0)
polyglot (0.3.3)
rack (1.4.5)
rack-cache (1.2)
rack-ssl (1.3.3)
rack-test (0.6.2)
rails (3.2.14)
railties (3.2.14)
rake (10.1.0)
rdoc (3.12.2)
rubygems-bundler (1.2.1)
rubyntlm (0.3.4)
rvm (1.11.3.8)
sass (3.2.10)
sass-rails (3.2.6)
savon (2.3.0)
sprockets (2.2.2)
stamps (0.3.1)
thor (0.18.1)
tilt (1.4.1)
treetop (1.4.15)
tzinfo (0.3.37)
uglifier (2.2.1)
wasabi (3.2.0)

thanks for any insight.

[v-fedorov]

If anyone is still having this issue, I was able to resolve it by downgrading rvm to a version that includes openssl 0.9.8

curl -L https://get.rvm.io | bash -s -- --version 1.14.7
rvm pkg install openssl
rvm install 1.9.3-p194 --with-openssl-dir=~/.rvm/usr

Noticed this looking around dsteadmans link (https://www.ssllabs.com/ssltest/analyze.html?d=swsim.stamps.com) and openssl 1.0.1 fails with handshake simulation.

[dsteadman]

Thank you for your reponse, @v-fedorov. That solution worked for me too.

[dmgarland]

I think the issue is related to the Stamps API only negotiating with clients running SSLv3. If you try their health endpoint using curl, I can only get it to work from our staging box using the --sslv3 switch:

curl https://swsim.testing.stamps.com/label/health.aspx --sslv3

I also get the same result if I try openssl s_client without forcing SSLv3. This worked for me:

openssl s_client -host swsim.testing.stamps.com -ssl3 -showcerts -port 443

Without forcing these options, the client is supposed to figure out the best protocol version to use and everything should just work^TM. It seems that with our server setup that isn't happening. As I don't have control over setting this in my case, the workaround was to force SSLv3 at the Savon level. In my branch, I ended up configuring Savon and telling it the version and where the main ca_cert file is (the presence of which forces the underlying HTTPI adapter to use SSL).

  client = Savon.client do |globals|
     globals.endpoint self.endpoint
     globals.namespace self.namespace
     globals.namespaces("xmlns:tns" => self.namespace)
     globals.log false
     globals.logger Logger.new(STDOUT)
     globals.raise_errors false
     globals.headers({ "SoapAction" => formatted_soap_action(web_method) })
     globals.element_form_default :qualified
     globals.namespace_identifier :tns
     globals.ssl_version :SSLv3
     globals.ssl_ca_cert_file '/etc/ssl/certs/ca-certificates.crt'
  end

If anyone can suggest a better way of forcing SSLv3, or avoid declaring the ssl_ca_cert_file (without verify none!) in a more platform independent way, please let me know.

[thebucknerlife]

Any progress on this bug? I'm still having issues to no avail. I'm also a novice at web technologies so I'm stumbling through the SSLv3 and SSL certs issues.

[onibaka]

I recommend updating rvm.io using the following command

\curl -L https://get.rvm.io | bash -s stable

It has worked for me.

[zhizouxiao]

I'm in China, I get the same problem because of the GFW(Great FireWall).

[MarioSteinitz]

I was looking for a while already, to get this nasty bug fixed while running most recent versions of Ruby and gem on Ubuntu 14.04. Then I read zhizouxiaos comment. Sitting in China as well, I should have tried with a VPN earlier. Made my day. Thanks for giving this hint!

[lamersons]

Mario you can just use Chinese mirror http://ruby.taobao.org/

[MarioSteinitz]

Thanks for this advice lammersons. Tried, and works flawlessly without VPN.

[Litchiware]

@zhizouxiao @lamersons ,Thanks for your responses, I met the same problem and tried several ways but no effect, your advice and solution save my day.

[mukhtaarabdi]

@lamersons thank you very much , it worked!

[nateq314]

Same here, thank you @lamersons!

[nmdias]

What finally did it for me. Shutting down IPv6 !

networksetup setv6off "Wi-Fi"

All is good now. I'm on macOS, by the way.