Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OpenSSL connection error SSL23_GET_SERVER_HELLO, but browser and curl works

Tags:

ssl

openssl

I'm dealing with an issue where python can't connect to a specific server over ssl due to openssl not being able to complete the handshake. Curl and my browser work. I've tried a couple of different openssl versions and solutions, but can't seem to connect.

Here is what I've tried on both of the following platforms. The output is printed slightly different on OpenSSL 1.0.1e, but it's still the same errors.

Mac OSX Yosemite - OpenSSL 0.9.8zg 14 July 2015
Debian GNU/Linux 7 (wheezy) - OpenSSL 1.0.1e 11 Feb 2013

Without specifying which version of

openssl s_client -connect www.uk-recruitment.net:443
openssl s_client -connect www.uk-recruitment.net:443 -cipher 'DEFAULT:!ECDH'
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem -cipher 'DEFAULT:!ECDH'
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem -cipher 'DEFAULT:!ECDH' -servername uk-recruitment.net

but I always get the same result

CONNECTED(00000003)
66716:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_clnt.c:593: 

If I add -tls1, -tls1_1 or -tls1_2 with all the same options, I get a slightly different error:

openssl s_client -connect www.uk-recruitment.net:443 -tls1
CONNECTED(00000003)
66750:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s3_pkt.c:1145:SSL alert number 80
66750:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s3_pkt.c:566:
like image 475
Ted Tomlinson Avatar asked Dec 09 '15 20:12

Ted Tomlinson


1 Answers

The sites requires Server Name Indication (SNI) and SSL handshakes not using SNI will cause failure:

$ openssl s_client -connect www.uk-recruitment.net:443
CONNECTED(00000003)
139999237719712:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:

With SNI instead it looks much better:

$ openssl s_client -connect www.uk-recruitment.net:443 -servername www.uk-recruitment.net
CONNECTED(00000003)
...
   Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256

It might be that the -servername option is not available with OpenSSL 0.9.8, but it should be with OpenSSL 1.0.1.

like image 177
Steffen Ullrich Avatar answered Sep 22 '22 07:09

Steffen Ullrich