Ubuntu
openssl package

SSL handshake error when connecting to api.samurai.feefighters.com

Bug #1035558 reported by Scott Wagner on 2012-08-11

This bug report is a duplicate of: Bug #965371: HTTPS requests fail on sites which immediately close the connection if TLS 1.1 negotiation is attempted, on Ubuntu 12.04. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	openssl (Ubuntu)	New	Undecided	Unassigned

Bug Description

I am receiving an SSL handshake error when connecting to my credit card gateway. Ubuntu version is 12.04. OpenSSL version is 1.0.1-4ubuntu5.3. Server is running on an OpenStack VPS

I can connect to the gateway without errors from Ubuntu 10.04 and Fedora 17. Interestingly, if I specify SSLv3 (openssl s_client -connect api.samurai.feefighters.com:443 -ssl3) then I can connect without errors. I find that interesting and unexpected becuase api.samura.feefighters.com does not accept SSLv2 connections, and because I understand that the version of OpenSSL included in Ubuntu 12.04 is compiled without SSLv2 support.

I have attached the output of "openssl s_client -connect api.samurai.feefighters.com:443 -debug"

Let me know if there is any other information I can provide.

Revision history for this message

Scott Wagner (g-ham) wrote on 2012-08-11:

openssl s_client output Edit (1.6 KiB, text/plain)

Fabio Marconi (fabiomarconi) on 2012-08-11

affects:

ubuntu → openssl (Ubuntu)

Revision history for this message

Scott Wagner (g-ham) wrote on 2012-08-12:

I've done some further testing. First I recompiled OpenSSL with SSLv2 support. I received the same error when connecting to api.samurai.feefighters.com. I went back to the command line and tested more options to try and narrow down the problem. Here are the results:

openssl s_client -connect api.samurai.feefighters.com:443 -ssl2 Error (expected as remote server has disabled SSLv2)
openssl s_client -connect api.samurai.feefighters.com:443 -ssl3 Works
openssl s_client -connect api.samurai.feefighters.com:443 -tls1 Works
openssl s_client -connect api.samurai.feefighters.com:443 -tls1_1 Error
openssl s_client -connect api.samurai.feefighters.com:443 -tls1_2 Error

openssl s_client -connect api.samurai.feefighters.com:443 -no_ssl2 Error
openssl s_client -connect api.samurai.feefighters.com:443 -no_ssl3 Error
openssl s_client -connect api.samurai.feefighters.com:443 -no_tls1 Error
openssl s_client -connect api.samurai.feefighters.com:443 -no_tls1_1 Works
openssl s_client -connect api.samurai.feefighters.com:443 -no_tls1_2 Error

The second to last line demonstrates to me that the remote server is configured to prefer TLSv1.1, and somewhere there is a bug which is causing the connection to fail when using TLSv1.1. There is also an error when using TLSv1.2 but I am uncertain if the remote server supports TLSv1.2