Faraday::SSLError for Elasticsearch

Question

Currently running into an issue where my background workers which are communicating with elasticsearch via elasticsearch-client are running into SSL errors inside Faraday.

The error is this:

SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure

The configuration works fine some of the time (around ~50%) and it has never failed for me inside of a console sessions.

The trace of the command is this: curl -X GET 'https://<host>/_alias/models_write?pretty

The client config is this

Thread.current[:chewy_client] ||= begin
  client_configuration[:reload_on_failure] = true
  client_configuration[:reload_connections] = 30
  client_configuration[:sniffer_timeout] = 0.5
  client_configuration[:transport_options] ||= {}
  client_configuration[:transport_options][:ssl] = { :version => :TLSv1_2 }
  client_configuration[:transport_options][:headers] = { content_type: 'application/json' }
  client_configuration[:trace] = true
  client_configuration[:logger] = Rails.logger
  ::Elasticsearch::Client.new(client_configuration) do |f|
    f.request :aws_signers_v4,
              credentials: AWS::Core::CredentialProviders::DefaultProvider.new,
              service_name: 'es',
              region: ENV['ES_REGION'] || 'us-west-2'
  end
end

As you can see I explicitly set the ssl version to TSLv1_2, but still getting an SSLv3 error.

Thought maybe it was a race condition issue. So ran a script spawning about 10 processes with 50 threads each and calling the sidekiq perform method inside and still not able to reproduce.

I am using the managed AWS 2.3 Elasticsearch if that is at all relevant.

Any help or guidance in the right direction would be greatly appreciated, I would be happy to attach as much info as needed.

Answer 1

Figured it out. The problem was that the elasticsearch-ruby gem autoloads in an http adapter that it detects if one is not specified. The one used in my console was not the one getting auto loaded into sidekiq.

The sidekiq job was using the HTTPClient adapter which did not respect the SSL version option. Thus I was getting this error. After explicitly defining the faraday adapter it worked.