[openssl-users] Unexpected SSL23_GET_SERVER_HELLO unsupported protocol Error

Welling, Conrad Gerhart CONRAD.GERHART.WELLING at leidos.com
Mon Aug 8 23:21:57 UTC 2016


Never mind ...

I was sailing by the Bellman's map.  The IIS servers cited were not configured correctly or as indicated.  No problems, of course, with openssl ....



From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Welling, Conrad Gerhart
Sent: Friday, August 05, 2016 5:47 PM
To: openssl-users at openssl.org
Subject: [openssl-users] Unexpected SSL23_GET_SERVER_HELLO unsupported protocol Error



--- Reformatted and resent ---



I am encountering curl-7.44.0+openssl-1.0.2d (FIPS-capable) TLS session-initialization failures like ...



* TLSv1.2 (OUT), TLS header, Certificate Status (22):

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol



on only ONE (HOSTX) of two 2008 R2 IIS 7.5 HTTPS servers (HOSTX, ROOM40) which are supposed to be configured the same.



I am using



   OpenSSL 1.0.2d-fips 9 Jul 2015



   curl 7.44.0 (i386-pc-win32) libcurl/7.44.0 OpenSSL/1.0.2d

   Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s

   rtsp smb smbs smtp smtps telnet tftp

   Features: AsynchDNS Largefile NTLM SSL



ROOM40 and HOSTX servers run IIS 7.5 or IIS 8.0, and the values of the keys (SSL 2.0 - TLS 1.2, Client and Server) in the registry branch



   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols



are the same (see following).  All the OTHER ..\Protocols keys - Ciphers, CipherSuites, Hashes, and KeyExchangeAlgorithms - are the same (all blank).



   SSL 2.0

      Client

         "DisabledByDefault"=dword:00000001

         "Enabled"=dword:00000000

      Server

         <empty>

   SSL 3.0

      Client

         "Enabled"=dword:00000000

      Server

         "Enabled"=dword:00000000

   TLS 1.0   (Does not exist on HOSTX)

      Client

         <empty>

      Server

         <empty>

   TLS 1.1

      Client

         "DisabledByDefault"=dword:00000000

         "Enabled"=dword:00000001

      Server

         "DisabledByDefault"=dword:00000000

         "Enabled"=dword:00000001

   TLS 1.2

      Client

         "Enabled"=dword:00000001

      Server

         "Enabled"=dword:00000001



I've researched "TLS version intolerance", SNI, ALPN and more, but, haven't figured this out yet.

Following are four curl-7.44.0+openssl-1.0.2d (FIPS-capable) attempts to "upload" a file.  The 1st attempt to server ROOM40 succeeds, but the subsequent three attempts to server HOSTX all fail.

Any hints or insights are very much appreciated ...



Note: The following output has been edited to enhance readability and disguise client and servers.



===============================================================================



==> openssl version

OpenSSL 1.0.2d-fips 9 Jul 2015



==> curl --version

curl 7.44.0 (i386-pc-win32) libcurl/7.44.0 OpenSSL/1.0.2d

Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s

rtsp smb smbs smtp smtps telnet tftp

Features: AsynchDNS Largefile NTLM SSL



==> REM -----------------------------------------------------------------------

==> REM ATTEMPT TO UPLOAD TO ROOM40 (Successful)

==> REM -----------------------------------------------------------------------



==> %CD%\curl.exe

--verbose -T "stuff.dat"

--tlsv1.2

--ciphers AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA

--capath ..\certs

--user matahari:18761917 https://ROOM40/datasink/



*   Trying 10.11.51.37...

* Connected to ROOM40 (10.11.51.37) port 443 (#0)

* ALPN, offering http/1.1

* Cipher selection: AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA

* successfully set certificate verify locations:

*   CAfile: none

  CApath: ..\certs

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Client hello (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA256

* ALPN, server did not agree to a protocol

* Server certificate:

*   subject: C=US; ST=CA; L=Los Angeles; O=CID; OU=LA DEV; CN=ROOM40

*   start date: 2014-05-01 15:44:59 GMT

*   expire date: 2018-02-05 22:10:46 GMT

*   common name: ROOM40 (matched)

*   issuer: CN=DISRAELI

*   SSL certificate verify ok.

* Server auth using Basic with user 'matahari'

> PUT /datasink/stuff.dat HTTP/1.1

> Host: ROOM40

> Authorization: Basic ZnRwd2FsbDoxMzRGa3JlVDk1andfMlE=

> User-Agent: curl/7.44.0

> Accept: */*

> Content-Length: 161

> Expect: 100-continue

>

< HTTP/1.1 100 Continue

* We are completely uploaded and fine

< HTTP/1.1 201 Created

< Location: http://ROOM40/datasink/stuff.dat

< Server: Microsoft-IIS/7.5

< X-Powered-By: ASP.NET

< Date: Thu, 04 Aug 2016 01:31:09 GMT

< Content-Length: 0

<

* Connection #0 to host ROOM40 left intact



==> REM -----------------------------------------------------------------------

==> REM ATTEMPT #1 TO UPLOAD TO HOSTX (Fails)

==> REM -----------------------------------------------------------------------



==> %CD%\curl.exe

--verbose -T "stuff.dat"

--tlsv1.2

--ciphers AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA

--capath ..\certs

--user TELawrence:18881935 https://hostx.area51.gov/upload/

*   Trying 211.3.150.21...

* Connected to hostx.area51.gov (211.3.150.21) port 443 (#0)

* ALPN, offering http/1.1

* Cipher selection: AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA

* successfully set certificate verify locations:

*   CAfile: none

  CApath: ..\certs

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

* Closing connection 0

curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol



==> REM -----------------------------------------------------------------------

==> REM ATTEMPT #2 TO UPLOAD TO HOSTX (Fails)

==> REM -----------------------------------------------------------------------



==> %CD%\curl.exe

--verbose -T "stuff.dat"

--tlsv1.2

--ciphers AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

--capath ..\certs

--user TELawrence:18881935 https://hostx.area51.gov/upload/

*   Trying 211.3.150.21...

* Connected to hostx.area51.gov (211.3.150.21) port 443 (#0)

* ALPN, offering http/1.1

* Cipher selection: AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

* successfully set certificate verify locations:

*   CAfile: none

  CApath: ..\certs

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* Unknown SSL protocol error in connection to hostx.area51.gov:443

* Closing connection 0

curl: (35) Unknown SSL protocol error in connection to hostx.area51.gov:443





==> REM -----------------------------------------------------------------------

==> REM ATTEMPT #3 TO UPLOAD TO HOSTX (Fails)

==> REM -----------------------------------------------------------------------



==> %CD%\curl.exe

--verbose -T "stuff.dat"

--tlsv1.2

--capath ..\certs

--user TELawrence:18881935 https://hostx.area51.gov/upload/

*   Trying 211.3.150.21...

* Connected to hostx.area51.gov (211.3.150.21) port 443 (#0)

* ALPN, offering http/1.1

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

*   CAfile: none

  CApath: ..\certs

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

* Closing connection 0

curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
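The registry comparison the post walks through by hand, as an added example that is not part of the original thread: a Python script that parses `reg export` dumps of the SCHANNEL `Protocols` branch from two hosts and compares the state each protocol ends up in for an application such as IIS/HTTP.sys. Such an application never requests protocol versions explicitly, so a protocol only counts as usable when `Enabled` is non-zero AND `DisabledByDefault` is zero; setting `Enabled=1` alone leaves the second value to the OS default. The two dumps are constructed (ROOM40 loosely after the listing in the post, HOSTX a hypothetical variant with the TLS 1.0 key missing and `TLS 1.2\Server` carrying only `Enabled=1`; the post does not say what the real misconfiguration on HOSTX was), and the table of defaults used for absent values is an assumption taken from Microsoft's protocol table for Windows 7 / Server 2008 R2 that must be adjusted for other OS versions. The helper `_reg` and the function names are this example's own.

```python
"""Compare the effective SCHANNEL protocol state of two Windows hosts from
`reg export` dumps of
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols.

Added example, not code from the original post.  Meaning of the two DWORDs:
  Enabled=0           -> protocol cannot be used at all
  DisabledByDefault=1 -> protocol is not used unless the application asks for
                         it explicitly; IIS/HTTP.sys never does, so for IIS
                         this is as good as disabled
An absent value falls back to an OS default supplied by the caller.
"""
import re
from typing import Dict, Optional, Tuple

PROTOCOLS = ["SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]
SIDES = ["Client", "Server"]
Key = Tuple[str, str]  # (protocol, side)

# Assumption: (Enabled, DisabledByDefault) defaults for Windows 7 / Server 2008 R2
# per Microsoft's Schannel protocol table (TLS 1.1/1.2 present but disabled by
# default, SSL 2.0 client disabled by default).  Replace for other OS versions.
DEFAULTS_2008R2: Dict[Key, Tuple[bool, bool]] = {
    ("SSL 2.0", "Client"): (True, True),  ("SSL 2.0", "Server"): (True, False),
    ("SSL 3.0", "Client"): (True, False), ("SSL 3.0", "Server"): (True, False),
    ("TLS 1.0", "Client"): (True, False), ("TLS 1.0", "Server"): (True, False),
    ("TLS 1.1", "Client"): (True, True),  ("TLS 1.1", "Server"): (True, True),
    ("TLS 1.2", "Client"): (True, True),  ("TLS 1.2", "Server"): (True, True),
}

SECTION_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> Dict[Key, Dict[str, int]]:
    """Return {(protocol, side): {value name: int}} for every Client/Server
    subkey found under ...\\Protocols in a .reg export; empty keys map to {}."""
    keys: Dict[Key, Dict[str, int]] = {}
    current: Optional[Key] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            parts = m.group("path").split("\\")
            if len(parts) >= 3 and parts[-3] == "Protocols" and parts[-1] in SIDES:
                current = (parts[-2], parts[-1])
                keys.setdefault(current, {})
            else:
                current = None  # the Protocols key itself or a protocol-level key
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def effective(values: Dict[Key, Dict[str, int]], key: Key,
              defaults: Dict[Key, Tuple[bool, bool]]) -> Tuple[bool, bool]:
    """Return (usable_by_default_apps, resolved_from_os_default).
    Usable means Enabled != 0 and DisabledByDefault == 0."""
    def_enabled, def_dbd = defaults[key]
    v = values.get(key, {})
    enabled = bool(v["Enabled"]) if "Enabled" in v else def_enabled
    dbd = bool(v["DisabledByDefault"]) if "DisabledByDefault" in v else def_dbd
    defaulted = "Enabled" not in v or "DisabledByDefault" not in v
    return enabled and not dbd, defaulted


def compare_hosts(dump_a: str, dump_b: str, defaults=DEFAULTS_2008R2):
    """Map (protocol, side) -> (usable_a, usable_b, defaulted_a, defaulted_b)
    for every entry whose usable state differs between the two hosts."""
    a, b = parse_reg_export(dump_a), parse_reg_export(dump_b)
    diffs = {}
    for proto in PROTOCOLS:
        for side in SIDES:
            sa, da = effective(a, (proto, side), defaults)
            sb, db = effective(b, (proto, side), defaults)
            if sa != sb:
                diffs[(proto, side)] = (sa, sb, da, db)
    return diffs


_BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"


def _reg(*sections) -> str:
    """Build a .reg-style dump from (subkey, {name: dword}) pairs (test helper)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for sub, vals in sections:
        out.append(f"[{_BASE}\\{sub}]")
        out += [f'"{n}"=dword:{v:08x}' for n, v in vals.items()]
        out.append("")
    return "\n".join(out)


# Constructed dumps (not real exports).  HOSTX lacks the TLS 1.0 key and its
# TLS 1.2\Server has Enabled=1 but no DisabledByDefault, so the OS default decides.
_COMMON = [
    (r"SSL 2.0\Client", {"DisabledByDefault": 1, "Enabled": 0}), (r"SSL 2.0\Server", {}),
    (r"SSL 3.0\Client", {"Enabled": 0}), (r"SSL 3.0\Server", {"Enabled": 0}),
    (r"TLS 1.1\Client", {"DisabledByDefault": 0, "Enabled": 1}),
    (r"TLS 1.1\Server", {"DisabledByDefault": 0, "Enabled": 1}),
    (r"TLS 1.2\Client", {"DisabledByDefault": 0, "Enabled": 1}),
]
ROOM40 = _reg(*_COMMON, (r"TLS 1.0\Client", {}), (r"TLS 1.0\Server", {}),
              (r"TLS 1.2\Server", {"DisabledByDefault": 0, "Enabled": 1}))
HOSTX = _reg(*_COMMON, (r"TLS 1.2\Server", {"Enabled": 1}))

if __name__ == "__main__":
    for (proto, side), (sa, sb, da, db) in sorted(compare_hosts(ROOM40, HOSTX).items()):
        note = " (HOSTX value comes from the OS default)" if db else ""
        print(f"{proto} {side}: ROOM40 usable={sa}  HOSTX usable={sb}{note}")
```

Run stand-alone it reports the one entry that differs, `TLS 1.2 Server`, and marks that the HOSTX result came from the default table rather than an explicit value; the same comparison of ROOM40 against itself is empty. On the client side, `openssl s_client -connect hostx.area51.gov:443 -tls1_2` and the same command with `-tls1` show directly which versions the server will complete a handshake for: OpenSSL 1.0.2 reports `SSL23_GET_SERVER_HELLO:unsupported protocol` when the server's hello carries a version the client has switched off, which with `--tlsv1.2` is everything below TLS 1.2.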






