[Bug 861137] Re: Openssl TLS errors while connecting to SSLv3 sites
Nagi
natsag2000 at googlemail.com
Tue Feb 28 07:31:40 UTC 2012
OS : 11.10 oneiric
Server Side is : Jboss 5
> openssl version
OpenSSL 1.0.0e 6 Sep 2011
> curl --version
curl 7.21.6 (i686-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
> curl -v -L --capath ~/temp --cacert ~/temp/ca-bundle.crt https://SERVERIP:8443
* About to connect() to SERVERIP port 8443 (#0)
* Trying SERVERIP... connected
* Connected to SERVERIP (SERVERIP) port 8443 (#0)
* successfully set certificate verify locations:
* CAfile: /home/nagi/temp/ca-bundle.crt
CApath: /home/nagi/temp/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection #0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
With option -3:
> curl -v -3 -L --capath ~/temp --cacert ~/temp/ca-bundle.crt https://SERVERIP:8443
* About to connect() to SERVERIP port 8443 (#0)
* Trying SERVERIP... connected
* Connected to SERVERIP (SERVERIP) port 8443 (#0)
* successfully set certificate verify locations:
* CAfile: /home/nagi/temp/ca-bundle.crt
CApath: /home/nagi/temp/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
* Closing connection #0
curl: (35) error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
The ca-bundle.crt was created with the firefox-db2pem.sh script from
http://curl.haxx.se/docs/caextract.html
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/861137
Title:
Openssl TLS errors while connecting to SSLv3 sites
Status in “openssl” package in Ubuntu:
Confirmed
Bug description:
I upgraded to Oneiric Ocelot beta1. OpenSSL version is "1.0.0e 6 Sep
2011"
Now, when I connect to certain HTTPS servers with wget or curl, I get a
TLS error.
With wget : OpenSSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
With curl : curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
In wget, this can be fixed by specifying --secure-protocol=sslv3 option.
In curl, this can be fixed by specifying -sslv3 option.
The issue is that the automatic check for the version seems to be
failing. This is working fine in Natty systems using older versions of
openssl.
The impact of this will be in scripts using curl, wget etc. which will
start failing after an upgrade.
Ubuntu version
Description: Ubuntu oneiric (development branch)
Release: 11.10
OpenSSL version : OpenSSL 1.0.0e 6 Sep 2011
openssl:
Installed: 1.0.0e-2ubuntu2
Candidate: 1.0.0e-2ubuntu2
Version table:
*** 1.0.0e-2ubuntu2 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
100 /var/lib/dpkg/status
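Added example (not part of the original bug report, and not OpenSSL's or curl's own code): a small decoder for the packed error codes quoted above. It shows that 14077438 and 14094438 carry the same reason, alert 80 (internal_error) received from the server, raised in two different client functions. The names decode, summarize and SAMPLE are made up for this example; the 8/12/12 bit layout is the one used by OpenSSL 1.0.x.

```python
import re

# OpenSSL 1.0.x (such as the 1.0.0e build in this report) packs an error code
# as 8 bits library, 12 bits function, 12 bits reason (ERR_PACK in err.h).
ERR_LIB_SSL = 20
# In the SSL library, reason = 1000 + N means alert N was received from the peer.
SSL_AD_REASON_OFFSET = 1000

# Subset of TLS alert descriptions (RFC 5246 section 7.2, RFC 6066).
TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version",
              80: "internal_error", 112: "unrecognized_name"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

def decode(line):
    """Decode one 'error:XXXXXXXX:lib:func:reason' string, or return None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "func_name": m.group(3),
            "reason": reason, "peer_alert": alert,
            "peer_alert_name": TLS_ALERTS.get(alert, "unknown") if alert else None}

def summarize(lines):
    """Return the distinct (function name, peer alert name) pairs in a log."""
    seen = []
    for line in lines:
        d = decode(line)
        if d and (d["func_name"], d["peer_alert_name"]) not in seen:
            seen.append((d["func_name"], d["peer_alert_name"]))
    return seen

# Lines copied from the curl -v output in this report.
SAMPLE = [
    "* SSLv3, TLS handshake, Client hello (1):",
    "* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error",
    "curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error",
    "* error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error",
]

if __name__ == "__main__":
    for func_name, alert in summarize(SAMPLE):
        print(f"{func_name}: server sent alert {alert}")
```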