Openssl TLS errors while connecting to SSLv3 sites

Bug #861137 reported by Mahendra on 2011-09-28
This bug affects 30 people
Affects Status Importance Assigned to Milestone
openssl (Ubuntu)
Undecided
Unassigned
python-apns-client (Ubuntu)
Undecided
Unassigned

Bug Description

I upgraded to Oneiric Ocelot beta1. OpenSSL version is "1.0.0e 6 Sep 2011"

Now, when I connect to certain HTTPS servers with wget or curl I get a TLS error.

With wget : OpenSSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
With curl : curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

In wget, this can be fixed by specifying --secure-protocol=sslv3 option
In curl, this can be fixed by specifying -sslv3 option

The issue is that the automatic check for the version seems to be failing. This is working fine in Natty systems using older versions of openssl.

The impact of this will be in scripts using curl, wget etc. which will start failing after an upgrade.

Ubuntu version

Description: Ubuntu oneiric (development branch)
Release: 11.10

OpenSSL version : OpenSSL 1.0.0e 6 Sep 2011

openssl:
  Installed: 1.0.0e-2ubuntu2
  Candidate: 1.0.0e-2ubuntu2
  Version table:
 *** 1.0.0e-2ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status

Mahendra (mahendra-m) wrote :

Tested python SOAPpy to use this to connect to WSDL servers. The same error appears.

p = SOAPpy.WSDL.Proxy( 'https://localhost:8443/ejbca/ejbcaws/ejbcaws?wsdl', config=c)
[Errno socket error] [Errno 1] _ssl.c:503: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
https://localhost:8443/ejbca/ejbcaws/ejbcaws?wsdl

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssl (Ubuntu):
status: New → Confirmed
Sebastian Peters (koelnconcert) wrote :

perl's LWP with Crypt::SSLeay is also affected:

LWP::Protocol::https::Socket: SSL connect attempt failed with unknown errorerror:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error at /usr/share/perl5/LWP/Protocol/http.pm line 51.

It worked before upgrading to Oneiric.

Paul Harvey (csirac2) wrote :

Also fails on Debian wheezy with openssl 1.0.0e-2.1

Interestingly it's failing with only one of our back-end webservices, which runs tomcat 6.0.24

wget works without any extra options

curl works if I supply -3

Paul Harvey (csirac2) wrote :

curl & perl LWP::UserAgent are working fine on an Ubuntu 10.04.3 LTS server, which seems to have openssl 0.9.8k

Paul Harvey (csirac2) wrote :

Using the advice here: http://blog.techstacks.com/2008/09/securing-ssl-in-tomcat-part-two.html - in other words, constraining the ciphers allowed in my tomcat server's SSL connector definition, made the problem go away.

curl now works on the openssl 1.0.0 clients without -3

the attached perl script also now works on the openssl 1.0.0 clients

To clarify, the full text of the error message I was getting looked like (from curl):
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

And from perl:
./test.pl
Can't connect to solr-server.example.org:8443

LWP::Protocol::https::Socket: SSL connect attempt failed with unknown errorerror:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error at /usr/share/perl5/LWP/Protocol/http.pm line 51.
500 Can't connect to solr-server.example.org:8443 at ./test.pl line 19.

sokai (sokai) wrote :

Hi!

Can someone please fix it!? - Because perl's LWP is affected I can't use listadmin anymore. :(
Also the workaround
  $ua->ssl_opts(verify_hostnames => 0);
doesn't work.

Please...! - And thanks! :)

Nagi (natsag2000) wrote :

OS : 11.10 oneiric
Server Side is : Jboss 5

> openssl version

OpenSSL 1.0.0e 6 Sep 2011

> curl --version

curl 7.21.6 (i686-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

> curl -v -L --capath ~/temp --cacert ~/temp/ca-bundle.crt https://SERVERIP:8443

* About to connect() to SERVERIP port 8443 (#0)
* Trying SERVERIP... connected
* Connected to SERVERIP (SERVERIP) port 8443 (#0)
* successfully set certificate verify locations:
* CAfile: /home/nagi/temp/ca-bundle.crt
  CApath: /home/nagi/temp/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection #0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

with option -3:
> curl -v -3 -L --capath ~/temp --cacert ~/temp/ca-bundle.crt https://SERVERIP:8443

* About to connect() to SERVERIP port 8443 (#0)
* Trying SERVERIP... connected
* Connected to SERVERIP (SERVERIP) port 8443 (#0)
* successfully set certificate verify locations:
* CAfile: /home/nagi/temp/ca-bundle.crt
  CApath: /home/nagi/temp/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
* Closing connection #0
curl: (35) error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error

The ca-bundle.crt is created with firefox-db2pem.sh script in http://curl.haxx.se/docs/caextract.html

graingert (tagrain) wrote :

ubuntu 12.04

I don't get this issue in wget, curl or openssl

But I do get this issue in python

import requests
requests.post("https://browserid.org/verify", data={})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 84, in post
    return request('post', url, data=data, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 39, in request
    return s.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 203, in request
    r.send(prefetch=prefetch)
  File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 557, in send
    raise SSLError(e)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

Ivan Toshkov (itoshkov) wrote :

I'm on 64-bit Ubuntu 12.04 and the problem is still present. I need to debug a locally running Tomcat, and thankfully the workaround from comment #6 worked for me too.

Max Bowsher (maxb) wrote :

The reproduction method given by graingert in comment #9 works successfully for me now on 12.04, and no-one else has mentioned any specific servers which exhibited the problem.

Therefore changing bug status to 'Incomplete' as it is impossible to investigate at present.

Changed in openssl (Ubuntu):
status: Confirmed → Incomplete

reproducible with "curl https://mds.datacite.org".

Changed in openssl (Ubuntu):
status: Incomplete → Confirmed
Pienz (pienz+lp) wrote :

I got the same problem here:
running a Tomcat under Ubuntu 10.4, and no problem connecting to it from different servers
a newly installed server with Ubuntu 12.4 isn't able to wget anything from the Tomcat (only with --secure-protocol=sslv3)
tomcat runs with openJDK

looking forward ;)

Yurx Cherio (cherio-e) wrote :

Same problem here. Same on 12.04 when trying to wget from Tomcat 7 (OpenJDK7) using https.

Rex Tsai (chihchun) on 2012-10-15
tags: added: oneiric

I have the same problem. My 10.04 Apache server reverse proxied my Tomcat 6.0.24 OpenJDK server just fine. I just swapped out the 10.04 Apache server with a 12.04 Apache server and the proxy failed until I used the solution mentioned in comment #6.

I just found that instead of restricting the available ciphers on the Tomcat server as per comment #6 I am also able to work around the problem by just restricting the available ciphers that the Apache proxy uses by adding "SSLProxyCipherSuite RC4-SHA" to my Apache VirtualHost config. This makes more sense to me since the problem is with the new server rather than with the old Tomcat server. (At least that's my understanding.)

Bradford Hovinen (hovinen) wrote :

I can confirm that this bug is still present on Ubuntu 13.04. Is there any news on when this will be fixed? Right now it is causing enormous problems for us, to the point that we may have to ditch Ubuntu altogether if it is not fixed!

Marc Deslauriers (mdeslaur) wrote :

The issue is actually with certain SSLv3 servers that don't understand the TLSv1.1 handshake and are closing the connection. This unfortunately can't be fixed on the client without disabling TLSv1.1, or forcing an SSLv3 connection.

Aaron Schif (aaronschif) wrote :

I have been able to fix this with the `-3` tag. The culprit appears to be OpenSSLv1.0+

This bug does not affect:
$ curl --version
curl 7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
$ lsb_release -d
Description: Ubuntu 10.04.3 LTS
$ curl $URL
!connection!

$ curl --version
curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8r zlib/1.2.3
# This is Mac OS 10.6.8
$ curl $URL
!connection!

This bug does affect:
$ curl --version
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
$ lsb_release -d
Description: Ubuntu 12.04.1 LTS
$ curl $URL
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
$ curl $URL -3
!connection!

$ curl --version
curl 7.29.0 (x86_64-pc-linux-gnu) libcurl/7.29.0 OpenSSL/1.0.1c zlib/1.2.7 libidn/1.25 librtmp/2.3
$ lsb_release -d
Description: Ubuntu 13.04
$ curl $URL
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
$ curl $URL -3
!connection!

Marc Deslauriers (mdeslaur) wrote :

Yes, that's the openssl version that gained TLSv1.1 support, which is causing the remote server to close the connection. Passing -3 forces openssl to use SSLv3 instead of TLSv1.1.
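Marc's explanation above (the server answering the TLSv1.1 ClientHello with a fatal alert) can be read straight off the OpenSSL error strings quoted throughout this thread. The following is an added example, not code from the bug report or from OpenSSL: it unpacks the 8-hex-digit error code (the ERR_PACK layout of library, function and reason) and flags reason codes 1000 and above as TLS alerts received from the peer, which is how to tell a server-side rejection ("tlsv1 alert internal error", "sslv3 alert handshake failure") from a purely local negotiation failure ("unsupported protocol"). The sample lines are copied from this thread.

```python
import re

# OpenSSL 1.0.x packs an error as (lib << 24) | (func << 12) | reason.
# Library 0x14 is ERR_LIB_SSL; SSL reason codes 1000..1255 mean
# "the peer sent a TLS alert with description (reason - 1000)".
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000

# TLS alert descriptions from RFC 5246 section 7.2 (the commonly met subset).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    80: "internal_error", 86: "inappropriate_fallback", 112: "unrecognized_name",
}
# Non-alert SSL reason codes seen in this thread (SSL_R_UNSUPPORTED_PROTOCOL = 258).
LOCAL_REASONS = {0x102: "unsupported protocol: client-side version negotiation failed"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(line):
    """Parse one 'error:XXXXXXXX:lib:func:reason' string and say who produced it.

    'source' is 'peer_alert' when the reason encodes an alert the server sent,
    otherwise 'local'. Returns None if the line carries no OpenSSL error.
    """
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"code": code, "lib": lib, "func": func, "func_name": m.group(3),
            "reason": reason, "text": m.group(4).strip(), "source": "local",
            "alert": None, "alert_name": None}
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        alert = reason - SSL_AD_REASON_OFFSET
        info.update(source="peer_alert", alert=alert,
                    alert_name=TLS_ALERTS.get(alert, "unknown"))
    elif lib == ERR_LIB_SSL and reason in LOCAL_REASONS:
        info["text"] = LOCAL_REASONS[reason]
    return info


# Error lines quoted in this bug report (constructed sample input for the demo).
THREAD_ERRORS = [
    "curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error",
    "curl: (35) error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error",
    "curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure",
    "requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol",
]

if __name__ == "__main__":
    for line in THREAD_ERRORS:
        d = decode_openssl_error(line)
        print(f"{d['func_name']:<22} {d['source']:<10} alert={d['alert_name']} ({d['text']})")
```

The first three lines decode to alerts the server sent during the handshake, so only the server (or the protocol version the client offers) can change the outcome; the last is a local error, a different failure despite the matching function name.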

Matias Pecchia (mabeett) wrote :

I cannot deploy the bug with updated ubuntu 12.04

ii openssl 1.0.1-4ubuntu5.11
ii curl 7.22.0-3ubuntu4.7

curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3

Has the bug been solved?

Thanks

Matias Pecchia (mabeett) wrote :

I checked all again and unfortunately I find the bug again. In my scenario the server is a Tomcat webserver.

I changed the server's configuration, changing the ciphers options:

ciphers="SSL_RSA_WITH_RC4_128_SHA"

http://georgik.sinusgear.com/2012/02/19/tomcat-7-and-curl-ssl23_get_server_hellotlsv1-alert-internal-error/

Patrick Helmig (j-ph) wrote :

Hi,
this bug is unfortunately still active. Here is how to reproduce it:

$ curl https://auslandsjahr-usa.com --sslv3

$ curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

The issue seems to be SSLv3, since

$ curl https://auslandsjahr-usa.com --ssl

works.

Unfortunately this bug also affects all depending libraries and scripting languages. (python 2.7.6 in my case):

$ python -c "import sys; import os; import ssl; print(ssl.OPENSSL_VERSION); sys.path.insert(1, os.path.abspath(os.path.join(os.getcwd(), 'lib'))); import requests; requests.get('https://auslandsjahr-usa.com')"

OpenSSL 1.0.1f 6 Jan 2014
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 55, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
requests.exceptions.SSLError: [Errno 1] _ssl.c:510: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

We use Ubuntu 14.04.2 LTS
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.2 LTS
Release: 14.04
Codename: trusty

A patch would be highly appreciated.

Seth Arnold (seth-arnold) wrote :

Patrick, I suggest filing a new bug; this bug is about TLS errors while connecting to SSLv3 sites, but the site you listed specifically does not support SSLv3: https://www.ssllabs.com/ssltest/analyze.html?d=auslandsjahr%2dusa.com&s=104.28.16.100&latest

Thanks

Hi Seth,
thank you for the quick reply. Actually the bug occurs with TLSv1 (not 1.2 apparently) and SSLv3. With Python 2.7.9's ssl module it works, for example, since it tries tls1.2 by default. I will add this information later; I just found it out since I needed a quick solution for a production issue.

Regards
Patrick Helmig
Co-Founder SECDASH

Tel: +49170 1880969
Mail: <email address hidden>
Web: http://secdash.com

> On 13.05.2015 at 22:06, Seth Arnold <email address hidden> wrote:
>
> Patrick, I suggest filing a new bug; this bug is about TLS errors while
> connecting to SSLv3 sites, but the site you listed specifically does not
> support SSLv3:
> https://www.ssllabs.com/ssltest/analyze.html?d=auslandsjahr%2dusa.com&s=104.28.16.100&latest
>
> Thanks
>

Hi Patrick,

we have exactly the same problem. Disabling SSL and everything related to openssl just fails (and requests)

Nevertheless you told about this problem only occurring with TLS versions other than 1.2, so I disabled all other TLS versions server side, but the problem remains.

I checked btw your site too and this is where it becomes funny:
- curl seems to work fine
- openssl fails (same error, with OpenSSL 1.0.1f 6 Jan 2014)
- python request (2.7) fails

So any tips, especially with requests, would be greatly appreciated. I tried building requests with custom OpenSSL version, but got no luck so far.

@Seth Arnold:
I submitted a bug. https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1475228
