touch-packages team mailing list archive - Message #93311
[Bug 1475228] Re: openssl/curl error: SSL23_GET_SERVER_HELLO:tlsv1 alert internal error on TLS only configured server
Hi Felix - Thanks for reporting this bug. After making a number of
s_client connection attempts and using the ssllabs.com scanner, I
believe that the askubuntu member is correct in that the server is
mishandling the ECDH ciphers presented by s_client. As mentioned on
askubuntu, this command works:
$ openssl s_client -connect ms.icometrix.com:443 -cipher 'DEFAULT:!ECDH'
If we tailor the ciphers to only what your server advertises support of,
it works:
$ openssl s_client -connect ms.icometrix.com:443 -cipher AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA
However, if we prepend ECDHE-RSA-AES256-SHA to the cipher list, it fails
in the manner you originally reported:
$ openssl s_client -connect ms.icometrix.com:443 -cipher ECDHE-RSA-AES256-SHA:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA
Is the server running tomcat from the Ubuntu archive? If so, you may
want to open a bug against the appropriate tomcat package if you cannot
see anything wrong with the server's tomcat configuration.
** Changed in: openssl (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1475228
Title:
openssl/curl error: SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
on TLS only configured server
Status in openssl package in Ubuntu:
Incomplete
Bug description:
(taken from http://askubuntu.com/questions/649000/openssl-curl-error-ssl23-get-server-hellotlsv1-alert-internal-error?noredirect=1#comment931621_649000)
We encounter very strange problems connecting with openssl or curl to one of our servers, from Ubuntu 14.04.
Executing:
openssl s_client -connect ms.icometrix.com:443
gives:
CONNECTED(00000003)
140557262718624:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
A similar error when executing:
curl https://ms.icometrix.com
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
Output of openssl version (on client/server):
OpenSSL 1.0.1f 6 Jan 2014
The funny thing is, the problem vanishes when connecting with other versions of OpenSSL:
From a Mac, OpenSSL 0.9.8zd 8 Jan 2015, all ok
From CentOS, OpenSSL 1.0.1e-fips 11 Feb 2013, all ok
Latest stable release on Ubuntu 14.04, OpenSSL 1.0.2d 9 Jul 2015, all ok.
From server side, we do not see anything strange. The problem started when we disabled SSL3 on our machines.
Might there be a problem with the build in the apt-get?
We also tested other versions, the ones proposed by apt-cache showpkg,
but the problem remains...
BTW: I don't consider this the same as https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/861137?comments=al because they're talking about SSL enabled servers.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1475228/+subscriptions
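The maintainer's reply narrows the failure down by running s_client with three cipher lists and watching which one triggers the "tlsv1 alert internal error". The script below is an added example, not part of the bug report or of the openssl package: it automates that same three-probe sequence and decodes the OpenSSL error code so the reader can see that the alert was sent by the peer (reason 0x438 = 1080 = 1000 + TLS alert 80, internal_error), i.e. the server aborted the handshake. The probe labels, the `simulated_probe` that reproduces the observed behaviour offline, and the host name `example.invalid` are constructed for the example; the cipher lists and the error line are the ones on the page.

```python
"""Cipher-list probing and OpenSSL error decoding for a TLS handshake failure.

Added example; not part of the Launchpad bug or of the openssl package.
"""
import re
import subprocess
import sys
from typing import Callable, Dict, List, Optional, Tuple

# An OpenSSL 1.0.x error line looks like
#   error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
# The 32-bit hex code packs library (bits 24..31), function (bits 12..23)
# and reason (bits 0..11).
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:\n]*)")

# TLS alert descriptions (RFC 5246, section 7.2). OpenSSL reports a received
# alert N as reason code 1000 + N (SSL_R_TLSV1_ALERT_*).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
    48: "unknown_ca", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}

# The three cipher lists from the maintainer's comment, in the order tried.
PROBES: List[Tuple[str, str]] = [
    ("no_ecdh", "DEFAULT:!ECDH"),
    ("rsa_only", "AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA"),
    ("ecdhe_first",
     "ECDHE-RSA-AES256-SHA:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA"),
]

Probe = Callable[[str, str], Tuple[bool, str]]


def parse_openssl_error(text: str) -> Optional[Dict[str, object]]:
    """Decode the first OpenSSL error line in text; None if there is none."""
    m = OPENSSL_ERR_RE.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    reason = code & 0xFFF
    info: Dict[str, object] = {
        "lib": (code >> 24) & 0xFF,          # 0x14 = 20 = ERR_LIB_SSL
        "func": (code >> 12) & 0xFFF,
        "reason": reason,
        "library": m.group(2),
        "function": m.group(3),
        "text": m.group(4).strip(),
        "peer_alert": None,                  # set when the reason is a TLS alert
    }
    if 1000 <= reason < 1256:
        alert = reason - 1000
        info["peer_alert"] = TLS_ALERTS.get(alert, "alert %d" % alert)
    return info


def s_client_probe(host: str, cipher_list: str) -> Tuple[bool, str]:
    """Run openssl s_client as in the bug comment (needs network + openssl CLI)."""
    cmd = ["openssl", "s_client", "-connect", host + ":443", "-cipher", cipher_list]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    out = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    return proc.returncode == 0 and parse_openssl_error(out) is None, out


# Constructed stand-in that behaves like the server described on the page:
# the handshake completes unless an ECDHE suite leads the cipher list.
PAGE_ERROR_LINE = ("140557262718624:error:14077438:SSL routines:"
                   "SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:")


def simulated_probe(host: str, cipher_list: str) -> Tuple[bool, str]:
    if cipher_list.startswith("ECDHE"):
        return False, "CONNECTED(00000003)\n" + PAGE_ERROR_LINE + "\n"
    return True, "CONNECTED(00000003)\n"


def diagnose(host: str, probe: Probe = s_client_probe):
    """Run the three probes and classify what the pattern of failures shows."""
    results = {}
    for label, cipher_list in PROBES:
        ok, out = probe(host, cipher_list)
        results[label] = (ok, parse_openssl_error(out))
    no_ecdh_ok, _ = results["no_ecdh"]
    rsa_ok, _ = results["rsa_only"]
    ecdhe_ok, ecdhe_err = results["ecdhe_first"]
    if no_ecdh_ok and rsa_ok and ecdhe_ok:
        verdict = "all probes succeed; no cipher-dependent failure observed"
    elif no_ecdh_ok and rsa_ok and not ecdhe_ok:
        verdict = "server aborts only when an ECDHE suite leads the ClientHello"
        if ecdhe_err and ecdhe_err["peer_alert"]:
            verdict += " (peer sent alert %s: server-side fault)" % ecdhe_err["peer_alert"]
    elif not (no_ecdh_ok or rsa_ok or ecdhe_ok):
        verdict = "every probe fails; not specific to ECDHE suites"
    else:
        verdict = "mixed results; inspect per-probe output"
    return verdict, results


if __name__ == "__main__":
    # With a host argument the real s_client is used; otherwise the offline stand-in.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    chosen: Probe = s_client_probe if len(sys.argv) > 1 else simulated_probe
    verdict, results = diagnose(target, chosen)
    for label, (ok, err) in results.items():
        print("%-12s %s %s" % (label, "ok" if ok else "FAIL", err["text"] if err else ""))
    print(verdict)
```

Two things worth noting when running this against a real server: the `-cipher` option only governs TLS 1.2 and earlier suites (modern OpenSSL negotiates TLS 1.3 suites separately, so pin the version if the server supports 1.3), and a peer alert of `internal_error` means the server, not the client, gave up, which is why the maintainer redirects the report toward the server's TLS stack rather than the client's OpenSSL build.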