How to tell Async::IO::SSLEndpoint#connect to not verify the certificate?

[postmodern]

I'm trying to connect to an SSL port and obtain the peer_cert. To do this reliably, I need to ignore any certificate verification.

The documentation for Async::IO::Endpoint.ssl doesn't explain how to pass in additional OpenSSL options.

[postmodern]

I'm also unclear where/how :ssl_params is passed in to populate the OpenSSL::SSL::SSLContext?

async-io/lib/async/io/ssl_endpoint.rb

Lines 41 to 46 in 6b5dc26

	@options[:ssl_params]
	end
	def build_context(context = OpenSSL::SSL::SSLContext.new)
	if params = self.params
	context.set_params(params)

[postmodern]

What would be the difference between HTTP/3 TLS and HTTP/2 TLS contexts? They both would accept a OpenSSL::SSL::SSLContext or a nested Hash of options that would be used to populate a OpenSSL::SSL::SSLContext object?

[ioquatix]

No, OpenSSL is not compatible with the HTTP/3 style encryption which works on UDP payloads rather than a TCP stream.

[postmodern]

OpenSSL does support QUIC which is what HTTP/3 is currently building upon.

[ioquatix]

Nice, I didn't know they finally added support, it's literally been years.

Unfortunately, it looks like it's only client side support:

OpenSSL 3.2 and later features support for the QUIC transport protocol. Currently, only client connectivity is supported.

[postmodern]

I'd give it time. HTTP/3 still hasn't been ratified yet, so who knows what will change in the future.

[postmodern]

Hmm, after passing in a custom OpenSSL::SSL::SSLContext with verify_mode set to OpenSSL::SSL::VERIFY_NONE, it appears that I'm actually hitting some kind of odd SSL/TLS handshake failure that also happens when using SSLSocket or even curl.

context = OpenSSL::SSL::SSLContext.new
context.verify_mode = OpenSSL::SSL::VERIFY_NONE

host = '172.66.40.156'
port = 8443
endpoint = Async::IO::Endpoint.ssl(address,port, ssl_context: context)

endpoint.connect do |socket|
  # ...
end

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=172.66.40.156:8443 state=error: ssl/tls alert handshake failure

$ curl -k https://172.66.40.156:8443
curl: (35) OpenSSL/3.2.1: error:0A000410:SSL routines::ssl/tls alert handshake failure

[ioquatix]

I tried connecting with OpenSSL s_connect and couldn't get any further:

> openssl s_client -connect 172.66.40.156:8443 -tls1_3
Connecting to 172.66.40.156
CONNECTED(00000003)
40073167A6720000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:907:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 229 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

> openssl s_client -connect 172.66.40.156:8443 -tls1_2
Connecting to 172.66.40.156
CONNECTED(00000003)
40670791637A0000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:907:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 194 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1720829726
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---