OpenSSL error alert handshake failure

Tags: openssl

When trying to connect to some websites OpenSSL fails to connect. I get this error with OpenSSL's s_client:

$ openssl s_client -connect www.airvistara.com:443 -debug
CONNECTED(00000003)
write to 0x600060cf0 [0x600076e90] (346 bytes => 346 (0x15A))
0000 - 16 03 01 01 55 01 00 01-51 03 03 b7 94 61 d2 52   ....U...Q....a.R
0010 - 8e fa c5 5e 3d d0 0b 62-91 14 c3 21 d5 62 3a e8   ...^=..b...!.b:.
0020 - 27 1c 99 12 0c e8 1d e8-ea cf 15 00 00 b4 c0 30   '..............0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1   .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37   ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a   .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f   .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0   .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31   ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43   .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c   .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-c0 11 c0 07 c0 0c c0 02   .<./...A........
00c0 - 00 05 00 04 c0 12 c0 08-00 16 00 13 00 10 00 0d   ................
00d0 - c0 0d c0 03 00 0a 00 15-00 12 00 0f 00 0c 00 09   ................
00e0 - 00 ff 02 01 00 00 73 00-0b 00 04 03 00 01 02 00   ......s.........
00f0 - 0a 00 3a 00 38 00 0e 00-0d 00 19 00 1c 00 0b 00   ..:.8...........
0100 - 0c 00 1b 00 18 00 09 00-0a 00 1a 00 16 00 17 00   ................
0110 - 08 00 06 00 07 00 14 00-15 00 04 00 05 00 12 00   ................
0120 - 13 00 01 00 02 00 03 00-0f 00 10 00 11 00 23 00   ..............#.
0130 - 00 00 0d 00 20 00 1e 06-01 06 02 06 03 05 01 05   .... ...........
0140 - 02 05 03 04 01 04 02 04-03 03 01 03 02 03 03 02   ................
0150 - 01 02 02 02 03 00 0f 00-01 01                     ..........
read from 0x600060cf0 [0x60007c3f0] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 28                              ......(
2348672:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
...

My strong point is not with SSL so some guidance would be appreciated. The client software works with nearly all sites but there are a few that give this error.

Toblakai asked Jun 07 '15 08:06


2 Answers

> The client software works with nearly all sites but there are a few that give this error.

As commented by jww - you don't get this error if you use SNI.

SNI is supported by all modern browsers, but outside of this it is not supported with older versions of Java (up to JDK6), Python (up to 2.7.9), with some commonly used libraries on Android etc.

Since SNI is more and more a requirement (all of Cloudflare FreeSSL works only with SNI) the client software should be fixed to get SNI support.

Steffen Ullrich answered Sep 17 '22 18:09


Use this method...

    $ openssl s_client -connect www.example.com:443 -servername www.example.com
    CONNECTED(00000003)
    ...
       Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256

It might be that the -servername option is not available with OpenSSL 0.9.8, but it should be with OpenSSL 1.0.1.

Linux Biginner answered Sep 18 '22 18:09