[openssl-users] SSL errors connecting to some websites

Matt Caswell matt at openssl.org
Tue Apr 12 09:13:36 UTC 2016



On 12/04/16 09:45, Chris Puttick wrote:
> Hi
> 
> Our schools filtering product utilises OpenSSL with Squid; we're seeing issues connecting to some sites which seem OpenSSL related. Two sites with known issues are:
> 
> https://www.spellanywhere.co.uk/
> 
> https://www.mymaths.co.uk/
> 
> Connecting to either of these Squid returns the error:
> 
> (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

It seems these servers require connections to supply SNI information.
Supplying the servername option to s_client adds it:

# openssl s_client -connect www.spellanywhere.co.uk:443 -servername
www.spellanywhere.co.uk

I am able to create successful connections to both of the sites you list
above with OpenSSL 1.0.1 using the above option.

Unfortunately I am unfamiliar with Squid configuration, so I can't
advise as to whether this is the problem with your squid setup, and if
it is - how you fix it.

Matt



> 
> Running openssl tests direct from a schools box (OpenSSL 1.0.1) gets:
> 
> # openssl s_client -connect www.spellanywhere.co.uk:443
> CONNECTED(00000003)
> 3073661128:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:734:
> 
> Attempting to disable protocols for testing gets:
> 
> openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -connect www.spellanywhere.co.uk:443
> CONNECTED(00000003)
> 3074005192:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:734:
> 
> and eventually
> 
> openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -no_ssl3 -no_ssl2 -connect www.spellanywhere.co.uk:443
> CONNECTED(00000003)
> 3073534152:error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available:s23_clnt.c:385:
> 
> While forcing dtls with 
> 
> openssl s_client -dtls1 -connect www.spellanywhere.co.uk:443
> 
> seems to establish a tunnel as expected. 
> 
> Using curl or wget on the same boxes to those sites works as expected. Tests on a local box with OpenSSL 1.0.2e return similar results, although the disabled protocols test returns a different error:
> 
> openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -no_ssl3 -no_ssl2 -connect www.spellanywhere.co.uk:443
> CONNECTED(00000003)
> 139735616550552:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:s23_clnt.c:735:
> 
> Is this some sort of SSL handshake fallback error? Is there anything we can do in terms of configuration? Are we barking up the wrong tree?
> 
> All input/questions welcome.
> 
> Thanks
> 
> Chris
> 
> 
> ---
> Chris Puttick
> CEO & Chief Asst to the duck
> TwoTen
> http://twoten.is
> Making the Internet better. For kids.
> +44 7908 997 146
> @putt1ck
> Two Ten Web Limited, Regd Company no. 7774762 Regd office Unit 6, Southill, Cornbury Park, Charlbury, Oxfordshire OX7 3EW United Kingdom
> 


More information about the openssl-users mailing list