[Bug 861137] Re: Openssl TLS errors while connecting to SSLv3 sites

Paul Harvey 861137 at bugs.launchpad.net
Tue Nov 22 01:49:48 UTC 2011


Using the advice here:
http://blog.techstacks.com/2008/09/securing-ssl-in-tomcat-part-two.html
- in other words, constraining the ciphers allowed in my Tomcat server's
SSL connector definition, made the problem go away.

curl now works on the openssl 1.0.0 clients without -3.

The attached perl script also now works on the openssl 1.0.0 clients.

To clarify, the full text of the error message I was getting looked like (from curl):
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

And from perl:
./test.pl 
Can't connect to solr-server.example.org:8443

LWP::Protocol::https::Socket: SSL connect attempt failed with unknown errorerror:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error at /usr/share/perl5/LWP/Protocol/http.pm line 51.
500 Can't connect to solr-server.example.org:8443 at ./test.pl line 19.


** Attachment added: "example perl script to test LWP::UserAgent"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/861137/+attachment/2604458/+files/test.pl

https://bugs.launchpad.net/bugs/861137

Title:
  Openssl TLS errors while connecting to SSLv3 sites

Status in “openssl” package in Ubuntu:
  Confirmed

Bug description:
  I upgraded to Oneiric Ocelot beta1. OpenSSL version is "1.0.0e 6 Sep
  2011"

  Now, when I connect to certain HTTPS servers with wget or curl I get a
  TLS error.

  With wget : OpenSSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
  With curl : curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

  In wget, this can be fixed by specifying --secure-protocol=sslv3 option
  In curl, this can be fixed by specifying -sslv3 option

  The issue is that the automatic check for the version seems to be
  failing. This is working fine in Natty systems using older versions of
  openssl.

  The impact of this will be in scripts using curl, wget etc. which will
  start failing after an upgrade.

  Ubuntu version

  Description:	Ubuntu oneiric (development branch)
  Release:	11.10

  OpenSSL version : OpenSSL 1.0.0e 6 Sep 2011

  openssl:
    Installed: 1.0.0e-2ubuntu2
    Candidate: 1.0.0e-2ubuntu2
    Version table:
   *** 1.0.0e-2ubuntu2 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status
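
Added example (not part of the original report and not OpenSSL's own code): decoding the packed error code in the messages above, assuming the OpenSSL 1.0.x layout of library, function and reason fields. It shows that 14077438 records an internal_error alert received from the server while the client was reading the ServerHello; the names decode, triage and SAMPLE_LINES are illustrative.

```python
import re

# Packed error-code layout in OpenSSL 1.0.x: 8 bits library, 12 bits function, 12 bits reason.
ERR_LIB_SSL = 20             # 0x14, the SSL library
SSL_AD_REASON_OFFSET = 1000  # SSL reason = 1000 + alert number received from the peer

# TLS alert descriptions from RFC 5246 section 7.2 (subset useful for handshake triage).
TLS_ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    47: "illegal_parameter", 70: "protocol_version", 80: "internal_error",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):")

# First two lines come from the report above (the second shortened); the rest are constructed.
SAMPLE_LINES = [
    "curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error",
    "LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error"
    "error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error",
    "wget: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure",
    "curl: (7) couldn't connect to host",
]

def decode(line):
    """Decode the first OpenSSL error code in a log line; None if there is none."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    # Reasons 1000..1255 in the SSL library encode an alert sent by the peer.
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason <= SSL_AD_REASON_OFFSET + 255:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "func_name": m.group(3), "reason": reason,
            "peer_alert": alert, "peer_alert_name": TLS_ALERTS.get(alert)}

def triage(lines):
    """Return one summary string per line that carries a peer alert."""
    out = []
    for line in lines:
        d = decode(line)
        if d and d["peer_alert"] is not None:
            name = d["peer_alert_name"] or "unknown"
            out.append(f"peer alert {d['peer_alert']} ({name}) in {d['func_name']}")
    return out

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LINES)))
```

A peer alert in the result means the server rejected the handshake, so the server's TLS configuration and logs are the place to look.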
