openssl/curl error: SSL23_GET_SERVER_HELLO:tlsv1 alert internal error


This looks like a problem with ECDH support between client and server. If you exclude all ECDH ciphers it works:

openssl s_client -connect ms.icometrix.com:443 -cipher 'DEFAULT:!ECDH'

My guess is that the server croaks on some of the 25 ECC curves offered by the client. Browsers only offer a few curves. OpenSSL 0.9.8 does not support any ECC yet, and RedHat/CentOS has a history of disabling ECC by default for patent reasons. I don't know why OpenSSL 1.0.2 works since I don't have access to this version.

Please note that giving the OpenSSL version is usually not enough because all the distributions keep older versions but add security patches. Instead, check with dpkg -l openssl, which gives 1.0.1f-1ubuntu2.15 on my system.
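The key diagnostic hint in the error line is that "tlsv1 alert internal error" is an alert received from the server, i.e. the remote side rejected the ClientHello. As an added example (not part of the original answer), this decoder splits an OpenSSL 1.0.x packed error code into its library, function and reason fields and recognises reasons in the peer-alert range; the alert-name table and the field layout are assumptions drawn from the OpenSSL 1.0.x headers and RFC 5246.

```python
import re

# OpenSSL 1.0.x packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20            # ERR_LIB_SSL in 1.0.x err.h
SSL_AD_REASON_OFFSET = 1000  # SSL_R_TLSV1_ALERT_* = 1000 + TLS alert description

# Subset of TLS alert descriptions (RFC 5246 section 7.2) seen in handshake failures.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 110: "unsupported_extension",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)")


def decode_openssl_error(line):
    """Parse an OpenSSL 1.0.x error line such as
    'error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error'
    and return the unpacked code plus, when applicable, the alert the peer sent."""
    m = ERR_RE.search(line)
    if not m:
        raise ValueError("no OpenSSL error code found in line")
    code = int(m.group(1), 16)
    info = {
        "code": code,
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "lib_name": m.group(2),
        "func_name": m.group(3),
        "reason_text": m.group(4),
        "peer_alert": None,
    }
    # In the SSL library, reasons >= 1000 are alerts received from the peer: the
    # handshake was aborted by the remote side, not by a local client failure.
    if info["lib"] == ERR_LIB_SSL and info["reason"] >= SSL_AD_REASON_OFFSET:
        alert = info["reason"] - SSL_AD_REASON_OFFSET
        info["peer_alert"] = (alert, TLS_ALERTS.get(alert, "unknown"))
    return info


def verdict(line):
    """One-line reading of the error for a handshake troubleshooter."""
    info = decode_openssl_error(line)
    if info["peer_alert"] is None:
        return "local error in %s: %s" % (info["func_name"], info["reason_text"])
    return "server sent alert %d (%s) while client was in %s" % (
        info["peer_alert"][0], info["peer_alert"][1], info["func_name"])
```

Fed the line from this question, the verdict names alert 80 (internal_error) sent by the server during SSL23_GET_SERVER_HELLO, which is what points at the ClientHello contents (here the ECDH curve list) rather than at the client's own TLS stack.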


Author: cecemel

Updated on September 18, 2022

Comments

  • cecemel over 1 year

    We encounter very strange problems connecting with openssl or curl to one of our servers from Ubuntu 14.04.

    Executing:

    openssl s_client -connect ms.icometrix.com:443
    

    gives:

    CONNECTED(00000003)
    140557262718624:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
    internal error:s23_clnt.c:770:
    

    A similar error when executing:

    curl https://ms.icometrix.com
    curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
    internal error
    

    Output of openssl version (on client/server):

    OpenSSL 1.0.1f 6 Jan 2014
    

    Output of openssl from dpkg -l openssl:

    1.0.1f-1ubuntu2
    

    The funny thing is, the problem vanishes when connecting with other versions of OpenSSL:

    • From a mac, OpenSSL 0.9.8zd 8 Jan 2015, all ok
    • From centos, OpenSSL 1.0.1e-fips 11 Feb 2013, all ok
    • Latest stable release on Ubuntu 14.04, OpenSSL 1.0.2d 9 Jul 2015, all ok.

    From the server side, we do not see anything strange. The problem started when we disabled SSL3 on our machines.

    Might there be a problem with the build in the apt-get?

    We also tested other versions, the ones proposed by apt-cache showpkg, but the problem remains...

    • Jos almost 9 years
      It looks like you have been hit by this bug: bugs.launchpad.net/ubuntu/+source/openssl/+bug/861137. Some workarounds are mentioned. Does curl --sslv3 https://ms.icometrix.com work?
    • cecemel almost 9 years
      Hi, thanks for the reply. No, this does not work, because we disabled SSL on our servers. Furthermore, actually, we don't care about curl or openssl; the real problem for us is that we use requests from Python, which uses this version of openssl. So if you happen to have any ideas, thanks for letting us know. I'm gonna dig further.
  • cecemel almost 9 years
    Thx, it did the trick! I updated the post with output from dpkg -l.