Reg Change in Error Code

Fri May 3 15:46:23 UTC 2019

On 03/05/2019 16:18, ramakrushna mishra wrote:
> Hi,
> 
> When client(openssl) is configured with TLSv1 and Server(java) was configured
> with TLSv1_2, then in openssl version 1.1.0e we used to get the error code
> : 337002677( 0x141640B5). But with openssl 1.1.1 upgrade the error code changed
> to 337285301
> (0x141A90B5). Moreover Earlier in java also we used to see
> "javax.net.ssl.SSLHandshakeException: Caused by: Remote host closed connection
> during handshake " exception at the server end which is not seen now. 
> 
> Following are my doubts. 
> 
> 1) Has anyone noticed this change ? 
> 2) Where these error codes ( 337002677) and (337285301) defined ?

You can use the command line "errstr" utility for the relevant openssl version
to check their meanings. For 1.1.0e:

$ openssl errstr 141640B5
error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available

For 1.1.1:
$ openssl errstr 141A90B5
error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available

You can also get your application to generate these human readable error strings
using the appropriate functions:

https://www.openssl.org/docs/man1.1.1/man3/ERR_error_string.html

Error codes are highly version specific and may change from one version to
another. We do not provide any guarantee that the same error will always produce
the same error code - so you should not rely on them remaining static. The
different components of the error string tell you different things about the
cause of the error. "SSL routines" tells us that the error came from libssl.
"tls_construct_client_hello" tells us the name of the function in the source
code that generated the error. Finally "no ciphers available" tells us
specifically what the error was.

In this case "no ciphers available" means that there are no configured
ciphersuites that are suitable for use in your configuration. For example if
your client is configured to only use TLSv1 but you've only configured
ciphersuites suitable for use in TLSv1.2 then you will get this error.
(Incidentally it seems very strange to use 1.1.0/1.1.1 but then restrict the
client to using TLSv1 only - I'd recommend using the highest protocol version
available for the library in use)

This error occurs in the "tls_construct_client_hello" function (in 1.1.0e) which
is very early in the handshake process. It occurs during construction of the
very first message sent by the client (the ClientHello).

It appears that in 1.1.1 the function that does this check has changed. It is
now done in "ssl_cipher_list_to_bytes". This function is called from
"tls_construct_client_hello". This is why the error code has changed - but it is
the same underlying cause.

> 3) Why the java server will not throw the exception any more ? 

Looking at the code it appears that in 1.1.0e the client just abandons the
connection attempt without sending any error alert to the server. In 1.1.1 it
now sends an "internal_error" alert first. This is most likely the cause of the
change of behaviour on the server side.

Matt

>  
> Any help is highly appreciated. 
> 
> Thanks and Regards,
> Ram Krushna