[openssl-users] openssl problems

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Jun 7 18:07:00 UTC 2018 

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of wazzu62
> Sent: Thursday, June 07, 2018 10:57

> Attempts to connect to the reverse proxy endpoint via a browser generate
> the following error in the apache log file

By "the apache log file", you mean the log for the origin server, behind the reverse proxy? Or the log file for the reverse proxy itself?

> [Tue May 29 09:14:36.494710 2018] [ssl:info] [pid 23700:tid 139947205977856]
> SSL Library Error: error:1408F10B:SSL routines:ssl3_get_record:wrong version
> number

What version of OpenSSL is Apache using? Or if it's not using OpenSSL, what TLS implementation is it using? (Presumably that appears in the log somewhere, and if not you can find it by running strings or similar against the OpenSSL library it's using.)

Assuming it's a fairly recent 1.0.2 build (i.e., a fairly up-to-date release of the LTS branch), there are a few places where the "wrong version number" error is produced. Here we see it's coming from ssl3_get_record. That could mean:

- OpenSSL received an SSL record that had a different version number than what the client sent in its ClientHello message. Could be due to a broken client, garbage on the wire, etc.

- OpenSSL received an SSL record that didn't have a major version number of 3. Major version 3 is used for SSLv3 and TLSv1, so basically for everything. (If you have a client that's using SSLv2, it's wasting its time; SSLv2 is hopelessly insecure.) So if the major version isn't 3, then something is quite wrong, AFAIK.

> When I run the following command on the server the reverse proxy is
> pointing
> to I get a similar error
> *openssl s_client -connect localhost:443*
> CONNECTED(00000003)
> 140508314333632:error:1408F10B:SSL routines:ssl3_get_record:wrong
> version
> number:../ssl/record/ssl3_record.c:252:

It looks to me like the server has a broken SSL configuration or a broken SSL implementation.

If you were running s_client against an endpoint that wasn't using SSL/TLS at all, I'd expect to see an earlier error, such as "unknown protocol", from openssl s_client.  So it looks like your server is sending a ServerHello in response to the ClientHello. After that it all goes wrong, though.

A wire trace might be informative, if the problem isn't obvious from inspecting the software and configuration being used by the origin server. Wireshark's SSL/TLS dissector does a decent job with the unencrypted parts of the conversation, and it doesn't look like you're getting far enough to have anything encrypted.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list