OpenSSL KEYUPDATE and "SSL_key_update:wrong ssl version"

Question

I am using Ubuntu 19.04 which ships with OpenSSL 1.1.1b. The system info is below. I am encountering SSL_key_update:wrong ssl version when transferring large docs during KEYUPDATE.

I am starting my server with:

openssl s_server -accept 443 -cert /app/keys/cert.pem  -key /app/keys/private.key

I am connecting to the server with the following command using AES128:

openssl s_client -connect localhost:443 -cipher AES128-GCM-SHA256 -tls1_2

Sometimes it works, particularly if I am sending less than 100KB. However, with larger transfers it usually stops with:

KEYUPDATE
140048546800768:error:1420310A:SSL routines:SSL_key_update:wrong ssl version:../ssl/ssl_lib.c:2090:

Others have seen this too but they don't seem to conclude which aspect of the configuration is causing the problem.

Interestingly, if I run an older openssl 1.1.0h-fips s_client against this same 1.1.1b server, it works just fine when using the same -cipher AES128-GCM-SHA256 -tls1_2 options. And in fact it says:

Protocol  : TLSv1.2
Cipher    : AES128-GCM-SHA256

As did the 1.1.1b client... it's just that the 1.1.1b client doesn't seem to be working.

What is the problem, and how do I fix it?

---

Here is the system info:

cli5# openssl version -a
OpenSSL 1.1.1b  26 Feb 2019
built on: Wed Apr 17 16:50:04 2019 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-FmdPCA/openssl-1.1.1b=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific
cli5# cat /proc/version
Linux version 5.0.0-17-generic (buildd@lcy01-amd64-015) (gcc version 8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #18-Ubuntu SMP Tue Jun 4 15:34:08 UTC 2019
cli5#

Answer 1

s_client is a test tool that interprets certain letters received on stdin to perform certain operations. The KeyUpdate operation is triggered via K/k. However, KeyUpdate only makes sense when TLSv1.3 has been negotiated. However, you have explicitly requested TLSv1.2 only on the command line. Using K/k under those circumstances results in the "wrong ssl version" error.

You can switch off the interactive commands using the -ign_eof option - although that does have the unfortunate side effect of keeping s_client running, even after a file that you have piped through it has all been sent.