SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A

Question

Hi, I have a ruby client that connects to an exchange server using IMAP & SSL. I use the Ruby Net::IMAP library (which uses openssl under the covers) to connect. Its been working fine for months. The exchange server admin installed new cert from godaddy and now I get this error:

 SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A

Does anyone know what this error means? (I tried googling)

I suspect there is an issue with the new cert causing this, but I dont know how to troubleshoot it.

Also I know you can disable certificate verification when using NET:HTTP by doing:

 http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl?

but I cant figure out how to do this using NET:IMAP. I want to disable this to see if this is the problem.

As for code im using: Im using this(or very close to this) http://github.com/look/fetcher/blob/master/lib/fetcher/imap.rb

I tried changing to : @connection = Net::IMAP.new(@server, @port, @ssl, nil, false)

Here is the stacktrace

 checking emails on: Tue Aug 17 20:48:01 +0000 2010
 rake aborted!
 SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
 /usr/lib/ruby/1.8/net/imap.rb:904:in `connect'
 /usr/lib/ruby/1.8/net/imap.rb:904:in `initialize' 
 /u/apps/aras/releases/20100728212439/vendor/plugins/fetcher/lib/fetcher/imap.rb:34:in `new'
 /u/apps/aras/releases/20100728212439/vendor/plugins/fetcher/lib/fetcher/imap.rb:34:in `establish_connection'
 /usr/lib/ruby/gems/1.8/gems/system_timer-1.0/lib/system_timer.rb:28:in `timeout_after'
 /u/apps/aras/releases/20100728212439/vendor/plugins/fetcher/lib/fetcher/imap.rb:33:in `establish_connection'
 /u/apps/aras/releases/20100728212439/vendor/plugins/fetcher/lib/fetcher/base.rb:31:in `fetch'

Answer 1

According to the documentation, you can set the SSL verification to none when instantiating Net:IMAP

foo = Net::IMAP.new(host, port, true, nil, false)

You can also point to a local copy of the CA cert with the certs option.

note: I haven't tried this myself...

Answer 2

Well it turns out the root cause on this one was ms exchange was misconfigured. I would love to have learned more about ssl errors and how to troublshoot them, but I just didnt get much info on this.

I did try to just troublshoot this using open ssl, fyi, you can do: OpenSSL> s_client -connect myserver:993

When it was broken, I received this error: CONNECTED(00000003) 26831:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Once we fixed I got a cert and handshake message etc.

Here is what my exchange admin said he did: "I just went to the IMAP protocol and went to the access tab. Then the certificates button. From there I chose to replace the cert and chose the new cert."