openssl/curl error: SSL23_GET_SERVER_HELLO:tlsv1 alert internal error on TLS only configured server

Bug #1475228 reported by Felix Ruiz de Arcaute on 2015-07-16
This bug affects 3 people
Affects: openssl (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

(taken from http://askubuntu.com/questions/649000/openssl-curl-error-ssl23-get-server-hellotlsv1-alert-internal-error?noredirect=1#comment931621_649000)

We encounter very strange problems connecting with openssl or curl to one of our servers, from Ubuntu 14.04.

Executing:

openssl s_client -connect ms.icometrix.com:443
gives:

CONNECTED(00000003)
140557262718624:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
A similar error when executing:

curl https://ms.icometrix.com
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Output of openssl version (on client/server):

OpenSSL 1.0.1f 6 Jan 2014
The funny thing is, the problem vanishes when connecting with other versions of OpenSSL:

From a mac, OpenSSL 0.9.8zd 8 Jan 2015, all ok
From centos, OpenSSL 1.0.1e-fips 11 Feb 2013, all ok
Latest stable release on Ubuntu 14.04, OpenSSL 1.0.2d 9 Jul 2015, all ok.
From server side, we do not see anything strange. The problem started when we disabled SSL3 on our machines.

Might there be a problem with the build in the apt-get?

We also tested the other versions proposed by apt-cache showpkg, but the problem remains...

BTW: I don't consider this the same as https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/861137?comments=al because they're talking about SSL enabled servers.

information type: Private Security → Public Security
thelastknowngod (tlkg-me) wrote :

If it helps, this is affecting me on Wheezy as well.

$ cat /etc/debian_version
7.8

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

$ openssl s_client -connect example.com:443
CONNECTED(00000003)
140073850304168:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:749:

Python script using requests and bs4:
$ python rss.py
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Traceback (most recent call last):
  File "rss.py", line 19, in <module>
    feed = requests.get(x)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

Same script and URL using feedparser:
$ python rss.py
{'feed': {}, 'bozo': 1, 'bozo_exception': URLError(SSLError(1, '_ssl.c:504: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error'),), 'entries': []}

Tyler Hicks (tyhicks) wrote :

Hi Felix - Thanks for reporting this bug. After making a number of s_client connection attempts and using the ssllabs.com scanner, I believe that the askubuntu member is correct in that the server is mishandling the ECDH ciphers presented by s_client. As mentioned on askubuntu, this command works:

  $ openssl s_client -connect ms.icometrix.com:443 -cipher 'DEFAULT:!ECDH'

If we tailor the ciphers to only what your server advertises support of, it works:

 $ openssl s_client -connect ms.icometrix.com:443 -cipher AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA

However, if we prepend ECDHE-RSA-AES256-SHA to the cipher list, it fails in the manner you originally reported:

  $ openssl s_client -connect ms.icometrix.com:443 -cipher ECDHE-RSA-AES256-SHA:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA

Is the server running tomcat from the Ubuntu archive? If so, you may want to open a bug against the appropriate tomcat package if you cannot see anything wrong with the server's tomcat configuration.

Changed in openssl (Ubuntu):
status: New → Incomplete
Tyler Hicks (tyhicks) wrote :

On second look, the command that failed on 14.04 is working fine on Wily:

  $ openssl s_client -connect ms.icometrix.com:443 -cipher ECDHE-RSA-AES256-SHA:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA

Opening this back up as it seems to be a bug in Ubuntu's openssl package.

Changed in openssl (Ubuntu):
status: Incomplete → Confirmed
Marc Deslauriers (mdeslaur) wrote :

This is the commit that allows 1.0.2 to connect successfully:

https://git.openssl.org/?p=openssl.git;a=commit;h=f4d1fb776955187a35c3ee36d4413871917c3138

Marc Deslauriers (mdeslaur) wrote :

I suspect the server doesn't like the long list of curves 1.0.1 has, but the smaller list in 1.0.2 works.

What's running on the server?

Changed in openssl (Ubuntu):
status: Confirmed → Incomplete
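Added example, not code from this bug or from OpenSSL: a small Python triage helper that parses the OpenSSL error-queue lines quoted in this report (s_client, curl and python-ssl print the same `error:<code>:<lib>:<func>:<reason>:<file>:<line>` shape) and maps each to its TLS alert and to the next check suggested in the comments above (retesting without ECDH suites, or expecting handshake_failure when SSLv3 is forced against a server that disabled it). The alert numbers assume RFC 5246; the sample lines are copied from the comments.

```python
import re

# Shape of an OpenSSL error-queue line as printed by s_client, curl and python's ssl module:
#   <thread>:error:<8-hex code>:<lib>:<function>:<reason>:<file>:<line>:[SSL alert number N]
ERR_LINE = re.compile(
    r"(?:(?P<tid>\d+):)?error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*)(?::(?P<file>[^:]+):(?P<line>\d+))?"
)
ALERT_NUM = re.compile(r"SSL alert number (\d+)")
# TLS alert descriptions (RFC 5246, section 7.2.2) for the reasons seen in this report
ALERT_NAMES = {40: "handshake_failure", 80: "internal_error"}
REASON_TO_ALERT = {"tlsv1 alert internal error": 80, "sslv3 alert handshake failure": 40}

# Constructed sample: the error lines quoted in the comments of this bug
SAMPLE_LINES = [
    "140557262718624:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:",
    "requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error",
    "140204664612512:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40",
    "CONNECTED(00000003)",
]

def parse_openssl_error(line):
    """Split one OpenSSL error line into its fields, or return None if it is not one."""
    m = ERR_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"]) if rec["line"] else None
    # Prefer the explicit "SSL alert number N" suffix; otherwise infer it from the reason text
    explicit = ALERT_NUM.search(line)
    rec["alert"] = int(explicit.group(1)) if explicit else REASON_TO_ALERT.get(rec["reason"])
    rec["alert_name"] = ALERT_NAMES.get(rec["alert"])
    return rec

def triage(rec):
    """Return (stage, next_check) for a parsed record, following the diagnosis in this bug."""
    if rec["func"].endswith("GET_SERVER_HELLO") and rec["alert"] == 80:
        return ("server aborted on our ClientHello",
                "retest with -cipher 'DEFAULT:!ECDH'; success means the server mishandles ECDH suites or the supported-curves list")
    if rec["alert"] == 40:
        return ("no protocol or cipher overlap",
                "server refused the offered protocol/suites; expected when SSLv3 is disabled and -ssl3 was forced")
    return ("unclassified", "inspect reason '%s'" % rec["reason"])

def report(lines=SAMPLE_LINES):
    """Triage every OpenSSL error line in lines; lines that are not error-queue output are skipped."""
    recs = filter(None, map(parse_openssl_error, lines))
    return [(r["code"], r["alert_name"], triage(r)[0]) for r in recs]
```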

output from dpkg -l tomcat7

7.0.52-1ubuntu0.3

Timmie (timmie) wrote :

Same issue here when connecting to https://bootswatch.com via python-requests

Linux Mint 17.2 Rafaela / Ubuntu 14.04 LTS

dpkg -l openssl
1.0.1f-1ubuntu2.15

openssl s_client -ssl3 -connect bootswatch.com:443

shows:

140204664612512:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40
140204664612512:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598

openssl s_client -connect bootswatch.com:443
CONNECTED(00000003)
140005724673696:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:

curl bootswatch.com:443 -3
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>cloudflare-nginx</center>
</body>
</html>

See further info similar observation:
http://stackoverflow.com/a/22858593

Why does this happen & what could be done?

Launchpad Janitor (janitor) wrote :

[Expired for openssl (Ubuntu) because there has been no activity for 60 days.]

Changed in openssl (Ubuntu):
status: Incomplete → Expired
Daniel Hansson (y-daniel-b) wrote :

I also experience this bug on Ubuntu Server 14.04.3.

"Error: SSLError: [Errno 1] _ssl.c:510: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error"

Kernel:
3.19.0-42
OpenSSL:
1.0.1f

Will this be fixed in 14.04, or is there some way to fix this?

Changed in openssl (Ubuntu):
status: Expired → Confirmed
interstar (interstar) wrote :

I'm seeing this too, on 14.04.

When I try to use Racket's package manager to download and install a new package, and when I try to make an https request from inside a Racket program I'm writing, using their standard net library:

    ssl-connect: connect failed (error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error)
