[Poodle] SSLv3.0 vulnerability mitigations cause RHC to fail.

Solution Unverified

Environment

  • OpenShift Enterprise
  • OpenShift Online

Issue

# rhc apps
A secure connection could not be established to the server (SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure). You may disable secure connections to your server with the -k (or --insecure) option 'https://broker.domain.com/broker/rest/api'.

The "sslv3 alert handshake failure" is the signature of this problem. Other similar error strings may be caused by other issues, e.g. the broker presenting a self-signed certificate.

Resolution

Add the following line to the .openshift/express.conf file to select a non-SSLv3 protocol. This file is usually located in the user's home directory.

ssl_version=tlsv1

Alternatively, if you have multiple servers configured, you can add the following to the .openshift/servers.yml file to select a non-SSLv3 protocol for a server.

  • Note: if the .openshift/servers.yml file is used to connect you to your OpenShift broker, its configuration takes precedence over the .openshift/express.conf file.

- server:
    ...
    ssl_version: tlsv1

You should only need to modify an existing file to resolve this issue. If the file does not exist, either you have not set up rhc yet, or that file is not the one rhc is using.
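To check which brokers are still left on the SSLv3 default after applying the steps above, here is an added Ruby example (not part of the article or of rhc itself) that parses both configuration files and applies the precedence rule described in the note. It assumes that each servers.yml entry names its broker under a "hostname" key, and that an entry without its own ssl_version falls back to express.conf; both are assumptions of the example, not statements from the article.

```ruby
require 'yaml'

# Constructed sample of ~/.openshift/express.conf: an unpatched file with no ssl_version line.
EXPRESS_CONF = <<~CONF
  # rhc client settings
  libra_server=broker.domain.com
CONF

# Constructed sample of ~/.openshift/servers.yml. Only ssl_version is shown in the article;
# 'hostname' is assumed to be the key naming each server.
SERVERS_YML = <<~YML
  - server:
      hostname: broker.domain.com
      ssl_version: tlsv1
  - server:
      hostname: legacy.example.com
YML

# express.conf is a flat key=value file; comments and blank lines are skipped.
def parse_express_conf(text)
  text.each_line.with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    conf[key.strip] = value.to_s.strip
  end
end

# servers.yml is a YAML list of {"server" => {...}} entries; returns hostname => settings.
def parse_servers_yml(text)
  YAML.safe_load(text).each_with_object({}) do |entry, servers|
    servers[entry['server']['hostname']] = entry['server']
  end
end

# A servers.yml entry takes precedence over express.conf (as the article states); falling back
# to express.conf when the entry sets no ssl_version is an assumption of this example.
# nil means neither file sets it, so the httpclient gem default applies.
def effective_ssl_version(express, servers, hostname)
  servers.dig(hostname, 'ssl_version') || express['ssl_version']
end
# Weak if unset (SSLv3 by default before httpclient 2.4.0) or explicitly an SSL version.
def weak_ssl_version?(version)
  version.nil? || version.downcase.start_with?('ssl')
end
# Returns the brokers whose effective setting still leaves the SSLv3 default in place.
def audit(express_text, servers_text)
  express = parse_express_conf(express_text)
  servers = parse_servers_yml(servers_text)
  servers.keys.select { |h| weak_ssl_version?(effective_ssl_version(express, servers, h)) }
end
```

With the constructed samples, audit(EXPRESS_CONF, SERVERS_YML) reports only legacy.example.com, since broker.domain.com already has ssl_version: tlsv1 in servers.yml.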

Root Cause

The Ruby httpclient gem (which rhc uses to access the broker) defaulted to SSLv3 as its SSL/TLS protocol until version 2.4.0. Updating this gem also resolves the problem, as later versions use TLSv1 by default.
