openssl/curl error: SSL23_GET_SERVER_HELLO:tlsv1 alert internal error on TLS only configured server

If it helps, this is affecting me on Wheezy as well.

$ cat /etc/debian_version
7.8

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

$ openssl s_client -connect example.com:443
CONNECTED(00000003)
140073850304168:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:749:

Python script using requests and bs4:
$ python rss.py
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Traceback (most recent call last):
  File "rss.py", line 19, in <module>
    feed = requests.get(x)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

Same script and URL using feedparser:
$ python rss.py
{'feed': {}, 'bozo': 1, 'bozo_exception': URLError(SSLError(1, '_ssl.c:504: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error'),), 'entries': []}

Hi Felix - Thanks for reporting this bug. After making a number of s_client connection attempts and using the ssllabs.com scanner, I believe that the askubuntu member is correct in that the server is mishandling the ECDH ciphers presented by s_client. As mentioned on askubuntu, this command works:

  $ openssl s_client -connect ms.icometrix.com:443 -cipher 'DEFAULT:!ECDH'

If we tailor the ciphers to only what your server advertises support of, it works:

 $ openssl s_client -connect ms.icometrix.com:443 -cipher AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA

However, if we prepend ECDHE-RSA-AES256-SHA to the cipher list, it fails in the manner you originally reported:

  $ openssl s_client -connect ms.icometrix.com:443 -cipher ECDHE-RSA-AES256-SHA:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA

Is the server running tomcat from the Ubuntu archive? If so, you may want to open a bug against the appropriate tomcat package if you cannot see anything wrong with the server's tomcat configuration.

On second look, the command that failed on 14.04 is working fine on Wily:

  $ openssl s_client -connect ms.icometrix.com:443 -cipher ECDHE-RSA-AES256-SHA:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA

Opening this back up as it seems to be a bug in Ubuntu's openssl package.

This is the commit that allows 1.0.2 to connect successfully:

https://git.openssl.org/?p=openssl.git;a=commit;h=f4d1fb776955187a35c3ee36d4413871917c3138

I suspect the server doesn't like the long list of curves 1.0.1 has, but the smaller list in 1.0.2 works.

What's running on the server?

output from dpkg -l tomcat7

7.0.52-1ubuntu0.3

Same issue here when connecting to https://bootswatch.com via python-requests

Linux Mint 17.2 Rafaela / Ubuntu 14.04 LTS

dpkg -l openssl
1.0.1f-1ubuntu2.15

openssl s_client -ssl3 -connect bootswatch.com:443

shows:

140204664612512:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40
140204664612512:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598

openssl s_client -connect bootswatch.com:443
CONNECTED(00000003)
140005724673696:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:

curl bootswatch.com:443 -3
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>cloudflare-nginx</center>
</body>
</html>

See further info similar observation:
http://stackoverflow.com/a/22858593

Why doe this happen & what could eb done?

[Expired for openssl (Ubuntu) because there has been no activity for 60 days.]

I also experience this bug on Ubuntu Server 14.04.3.

"Error: SSLError: [Errno 1] _ssl.c:510: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error"

Kernel:
3.19.0-42
OpenSSL:
1.0.1f

Will this be fixed in 14.04, or is there some way to fix this?

I'm seeing this too. On 14.04

When I try to use Racket's package manager to download and install a new package. And when I try to make an https request from inside a Racket program I'm writing, using their standard net library.

    ssl-connect: connect failed (error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error)

There has been no activity on this bug for 7 years. Marc stated 1.0.2 connects successfully. Moreover, the last comments were about this occuring with 1.0.1f on 14.04 (8 years old). Lastly, the corresponding code seems to be gone. I'll mark this as Fix Released.