openssl/curl error: SSL23_GET_SERVER_HELLO:tlsv1 alert internal error on TLS only configured server

Bug #1475228 reported by Felix Ruiz de Arcaute
This bug affects 3 people
Affects Status Importance Assigned to Milestone
openssl (Ubuntu)
Fix Released

Bug Description

(taken from

We encounter very strange problems connecting with openssl or curl to one of our servers, from Ubuntu 14.04


openssl s_client -connect

140557262718624:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
internal error:s23_clnt.c:770:
A similar error when executing:

curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
internal error
Output of openssl version (on client/server):

OpenSSL 1.0.1f 6 Jan 2014
The funny thing is, the problem vanishes when connecting with other versions of Openssl:

From a mac, OpenSSL 0.9.8zd 8 Jan 2015, all ok
From centos, OpenSSL 1.0.1e-fips 11 Feb 2013, all ok
Latest stable release on Ubuntu 14.04, OpenSSL 1.0.2d 9 Jul 2015, all ok.
From server side, we do not see anything strange. The problem started when we disabled SSL3 on our machines.

Might there be a problem with the build in the apt-get?

We also test other versions, the one proposed by apt-cache showpkg, but the problem remains...

BTW: I don't consider this the same as because, they're talking about SSL enabled servers.

information type: Private Security → Public Security
Revision history for this message
thelastknowngod (tlkg-me) wrote :

If it helps, this is affecting me on Wheezy as well.

$ cat /etc/debian_version

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

$ openssl s_client -connect
140073850304168:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:749:

Python script using requests and bs4:
$ python
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see
Traceback (most recent call last):
  File "", line 19, in <module>
    feed = requests.get(x)
  File "/usr/local/lib/python2.7/dist-packages/requests/", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/", line 431, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

Same script and URL using feedparser:
$ python
{'feed': {}, 'bozo': 1, 'bozo_exception': URLError(SSLError(1, '_ssl.c:504: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error'),), 'entries': []}

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Felix - Thanks for reporting this bug. After making a number of s_client connection attempts and using the scanner, I believe that the askubuntu member is correct in that the server is mishandling the ECDH ciphers presented by s_client. As mentioned on askubuntu, this command works:

  $ openssl s_client -connect -cipher 'DEFAULT:!ECDH'

If we tailor the ciphers to only what your server advertises support of, it works:

 $ openssl s_client -connect -cipher AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA

However, if we prepend ECDHE-RSA-AES256-SHA to the cipher list, it fails in the manner you originally reported:

  $ openssl s_client -connect -cipher ECDHE-RSA-AES256-SHA:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA

Is the server running tomcat from the Ubuntu archive? If so, you may want to open a bug against the appropriate tomcat package if you cannot see anything wrong with the server's tomcat configuration.

Changed in openssl (Ubuntu):
status: New → Incomplete
Revision history for this message
Tyler Hicks (tyhicks) wrote :

On second look, the command that failed on 14.04 is working fine on Wily:

  $ openssl s_client -connect -cipher ECDHE-RSA-AES256-SHA:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA

Opening this back up as it seems to be a bug in Ubuntu's openssl package.

Changed in openssl (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is the commit that allows 1.0.2 to connect successfully:;a=commit;h=f4d1fb776955187a35c3ee36d4413871917c3138

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I suspect the server doesn't like the long list of curves 1.0.1 has, but the smaller list in 1.0.2 works.

What's running on the server?

Changed in openssl (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Felix Ruiz de Arcaute (ruiz-felixruiz) wrote :

output from dpkg -l tomcat7


Revision history for this message
Timmie (timmie) wrote :

Same issue here when connecting to via python-requests

Linux Mint 17.2 Rafaela / Ubuntu 14.04 LTS

dpkg -l openssl

openssl s_client -ssl3 -connect


140204664612512:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40
140204664612512:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598

openssl s_client -connect
140005724673696:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:

curl -3
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>

See further info similar observation:

Why doe this happen & what could eb done?

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for openssl (Ubuntu) because there has been no activity for 60 days.]

Changed in openssl (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Daniel Hansson (y-daniel-b) wrote :

I also experience this bug on Ubuntu Server 14.04.3.

"Error: SSLError: [Errno 1] _ssl.c:510: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error"


Will this be fixed in 14.04, or is there some way to fix this?

Changed in openssl (Ubuntu):
status: Expired → Confirmed
Revision history for this message
interstar (interstar) wrote :

I'm seeing this too. On 14.04

When I try to use Racket's package manager to download and install a new package. And when I try to make an https request from inside a Racket program I'm writing, using their standard net library.

    ssl-connect: connect failed (error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error)

Revision history for this message
Adrien Nader (adrien-n) wrote :

There has been no activity on this bug for 7 years. Marc stated 1.0.2 connects successfully. Moreover, the last comments were about this occuring with 1.0.1f on 14.04 (8 years old). Lastly, the corresponding code seems to be gone. I'll mark this as Fix Released.

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.