OAuth2 中の SSL エラー

このトピック

は閉じられていますが、バージョン 2.4.0.beta8 でも引き続きこの問題に遭遇しています。

これは OAuth2 認証中に発生しています。

Excon::Error::Socket (SSL_connect returned=1 errno=0 state=error: dh key too small (OpenSSL::SSL::SSLError))
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/ssl_socket.rb:125:in `connect_nonblock'

バックトレースの最後の 14 行：

/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/ssl_socket.rb:125:in `connect_nonblock'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/ssl_socket.rb:125:in `initialize'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/connection.rb:455:in `new'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/connection.rb:455:in `socket'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/connection.rb:116:in `request_call'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/middlewares/mock.rb:56:in `request_call'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/middlewares/instrumentor.rb:34:in `request_call'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/middlewares/idempotent.rb:19:in `request_call'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/middlewares/base.rb:22:in `request_call'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/middlewares/base.rb:22:in `request_call'
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.64.0/lib/excon/connection.rb:270:in `request'
/var/www/discourse/plugins/discourse-oauth2-basic/plugin.rb:127:in `fetch_user_details'
/var/www/discourse/plugins/discourse-oauth2-basic/plugin.rb:164:in `after_authenticate'
/var/www/discourse/app/controllers/users/omniauth_callbacks_controller.rb:37:in `complete'

よろしくお願いいたします、

Julian

It doesn’t affect email in this case, but the explanation I gave in the topic you linked stays the same. The connection to the OAuth2 server fails because the DH key is too small and therefore considered insecure by OpenSSL.

You can apply the following temporary workaround, but increasing the DH key size on the OAuth2 server is the only solution.

sorry, I forgot … now the bad thing … it doesn´t work for me anymore …
I made the mentioned changes to /etc/ssl/openssl.cnf

[system_default_sect]
MinProtocol = TLSv1.2
#CipherString = DEFAULT@SECLEVEL=2

Then i left the container and did a

docker restart app

Afterwards I still got the same error in error logs

Didn´t say the truth, sorry… there error is not the same now:

Faraday::ConnectionFailed (Connection reset by peer - SSL_connect)
/usr/local/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock’

Very strange … I just tried it again, and again this

“Oops, The software powering this discussion forum encountered an unexpected problem. We apologize for the inconvenience…”

came up … Then I "F5"´ved a few times (out of frustration ) and suddenly the screen changed to

Sorry, there was an error authorizing your account. Please try again.

Then I had to log in again over my oauth2 provider log in site, and then came the “Ops …” again, and after another F5 I was in …

Uhmm… either I found a serious security problem, or it´s just about timing …

Probably the latter …

What timeouts are there, that I could try to adjust ?

Thanks and cheers!