I'm dealing with an issue where python can't connect to a specific server over ssl due to openssl not being able to complete the handshake. Curl and my browser work. I've tried a couple of different openssl versions and solutions, but can't seem to connect.
Here is what I've tried on both of the following platforms. The output is printed slightly differently on OpenSSL 1.0.1e, but it's still the same errors.
Mac OSX Yosemite - OpenSSL 0.9.8zg 14 July 2015
Debian GNU/Linux 7 (wheezy) - OpenSSL 1.0.1e 11 Feb 2013
Without specifying which version of
openssl s_client -connect www.uk-recruitment.net:443
openssl s_client -connect www.uk-recruitment.net:443 -cipher 'DEFAULT:!ECDH'
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem -cipher 'DEFAULT:!ECDH'
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem -cipher 'DEFAULT:!ECDH' -servername uk-recruitment.net
but I always get the same result
CONNECTED(00000003)
66716:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_clnt.c:593:
If I add -tls1, -tls1_1 or -tls1_2 with all the same options, I get a slightly different error:
openssl s_client -connect www.uk-recruitment.net:443 -tls1
CONNECTED(00000003)
66750:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s3_pkt.c:1145:SSL alert number 80
66750:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s3_pkt.c:566:
The site requires Server Name Indication (SNI), and SSL handshakes not using SNI will fail:
$ openssl s_client -connect www.uk-recruitment.net:443
CONNECTED(00000003)
139999237719712:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
With SNI instead it looks much better:
$ openssl s_client -connect www.uk-recruitment.net:443 -servername www.uk-recruitment.net
CONNECTED(00000003)
...
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
It might be that the -servername option is not available with OpenSSL 0.9.8, but it should be with OpenSSL 1.0.1.
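To make the difference concrete, here is an added Python example (not code from the question or the answer) that builds a minimal TLS 1.2 ClientHello with and without the server_name extension and parses the host name back out, which is the field an SNI-requiring server inspects before it can choose a certificate. The hostname and cipher suite values are constructed sample inputs; the random field is zeroed for readability.

```python
import struct

SNI_EXT = 0x0000  # extension type server_name (RFC 6066)

def build_client_hello(server_name=None, cipher_suites=(0xC02B, 0xC02F)):
    """Build a minimal TLS 1.2 ClientHello record; omit server_name to mimic a client without SNI."""
    body = b"\x03\x03" + bytes(32)                       # client_version 1.2 + 32-byte random (zeros, sample only)
    body += b"\x00"                                      # empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites      # cipher_suites vector
    body += b"\x01\x00"                                  # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        exts += struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts          # extensions vector (may be empty)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name from the SNI extension of a ClientHello record, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                   # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
    p += 1 + record[p]                                   # compression methods
    if p >= len(record):
        return None                                      # pre-extension ClientHello: no SNI possible
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == SNI_EXT:
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]   # skip list len + name_type
            return record[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_len
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.uk-recruitment.net")))   # www.uk-recruitment.net
    print(extract_sni(build_client_hello()))                           # None
```

In Python's ssl module the extension is only sent when `server_hostname=` is passed to `wrap_socket`, which is the equivalent of s_client's -servername.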