Re: [openssl-users] openssl problems

2018-06-08 Thread Matt Caswell



On 07/06/18 21:40, wazzu62 wrote:
> read from 0x55f11344dea0 [0x55f113455ee3] (5 bytes => 5 (0x5))
> 0000 - 48 54 54 50 2f                                    HTTP/

Here is your problem. s_client sends a TLS ClientHello to the server.
And the server responds with HTTP!!! The server is not using TLS on that
port.

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] openssl problems

2018-06-07 Thread wazzu62
I will look into the wireshark trace
Here is the output with the debug option

CONNECTED(0003)
write to 0x55f11344dea0 [0x55f11345f100] (176 bytes => 176 (0xB0))
0000 - 16 03 01 00 ab 01 00 00-a7 03 03 8c 1a 33 4f 8e   .3O.
0010 - fb e3 3f 51 82 36 ae 38-5e 86 3c af d2 82 0f d9   ..?Q.6.8^.<.
0020 - 1a 1c c6 8e 55 98 4e db-16 08 5a 00 00 38 c0 2c   U.N...Z..8.,
0030 - c0 30 00 9f cc a9 cc a8-cc aa c0 2b c0 2f 00 9e   .0.+./..
0040 - c0 24 c0 28 00 6b c0 23-c0 27 00 67 c0 0a c0 14   .$.(.k.#.'.g
0050 - 00 39 c0 09 c0 13 00 33-00 9d 00 9c 00 3d 00 3c   .9.3.=.<
0060 - 00 35 00 2f 00 ff 01 00-00 46 00 0b 00 04 03 00   .5./.F..
0070 - 01 02 00 0a 00 0a 00 08-00 1d 00 17 00 19 00 18   
0080 - 00 23 00 00 00 16 00 00-00 17 00 00 00 0d 00 20   .#.
0090 - 00 1e 06 01 06 02 06 03-05 01 05 02 05 03 04 01   
00a0 - 04 02 04 03 03 01 03 02-03 03 02 01 02 02 02 03   
read from 0x55f11344dea0 [0x55f113455ee3] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f                                    HTTP/
140415382974912:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1528403881
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---




--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html


Re: [openssl-users] openssl problems

2018-06-07 Thread Matt Caswell



On 07/06/18 17:57, wazzu62 wrote:
> When I run the following command on the server the reverse proxy is pointing
> to I get a similar error
> *openssl s_client -connect localhost:443*
> CONNECTED(0003)
> 140508314333632:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:


Can you get a wireshark trace of the above? Or failing that, what is the
output from s_client if you add the "-debug" option?

Matt



Re: [openssl-users] openssl problems

2018-06-07 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of wazzu62
> Sent: Thursday, June 07, 2018 10:57

> Attempts to connect to the reverse proxy endpoint via a browser generate
> the following error in the apache log file

By "the apache log file", you mean the log for the origin server, behind the 
reverse proxy? Or the log file for the reverse proxy itself?

> [Tue May 29 09:14:36.494710 2018] [ssl:info] [pid 23700:tid 139947205977856]
> SSL Library Error: error:1408F10B:SSL routines:ssl3_get_record:wrong version
> number

What version of OpenSSL is Apache using? Or if it's not using OpenSSL, what TLS 
implementation is it using? (Presumably that appears in the log somewhere, and 
if not you can find it by running strings or similar against the OpenSSL 
library it's using.)

Assuming it's a fairly recent 1.0.2 build (i.e., a fairly up-to-date release of 
the LTS branch), there are a few places where the "wrong version number" error 
is produced. Here we see it's coming from ssl3_get_record. That could mean:

- OpenSSL received an SSL record that had a different version number than what 
the client sent in its ClientHello message. Could be due to a broken client, 
garbage on the wire, etc.

- OpenSSL received an SSL record that didn't have a major version number of 3. 
Major version 3 is used for SSLv3 and TLSv1, so basically for everything. (If 
you have a client that's using SSLv2, it's wasting its time; SSLv2 is 
hopelessly insecure.) So if the major version isn't 3, then something is quite 
wrong, AFAIK.

> When I run the following command on the server the reverse proxy is
> pointing
> to I get a similar error
> *openssl s_client -connect localhost:443*
> CONNECTED(0003)
> 140508314333632:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:

It looks to me like the server has a broken SSL configuration or a broken SSL 
implementation.

If you were running s_client against an endpoint that wasn't using SSL/TLS at 
all, I'd expect to see an earlier error, such as "unknown protocol", from 
openssl s_client.  So it looks like your server is sending a ServerHello in 
response to the ClientHello. After that it all goes wrong, though.

A wire trace might be informative, if the problem isn't obvious from inspecting 
the software and configuration being used by the origin server. Wireshark's 
SSL/TLS dissector does a decent job with the unencrypted parts of the 
conversation, and it doesn't look like you're getting far enough to have 
anything encrypted.

--
Michael Wojcik
Distinguished Engineer, Micro Focus



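Matt's diagnosis rests on the first five bytes the peer sent back, and Michael's message describes the two version checks in ssl3_get_record that raise "wrong version number". The Python below, added to this page as an example (it is neither OpenSSL's code nor anything posted in the thread), parses the hex dump that `openssl s_client -debug` prints back into bytes and applies those checks to the first record read, so the same conclusion is reached mechanically: a reply starting with `HTTP/` has major version byte 0x54 rather than 3, so it is not a TLS record at all. The `../ssl/record/ssl3_record.c` path in the error identifies OpenSSL 1.1.x, where a non-TLS reply to s_client surfaces as "wrong version number" from the record layer (1.0.2's client reported the same situation as "unknown protocol"). The HTTP-method sniffing (`GET `, `POST `, `HEAD `, `PUT `, `CONNE`) mirrors what OpenSSL does on a server's first packet to report "http request" or "https proxy request" instead; the embedded transcript is constructed from the dump posted in the thread, with the ClientHello truncated to its first dump line.

```python
"""Read an `openssl s_client -debug` transcript back into bytes and apply the
record-header checks behind "wrong version number".  Example code added to
this page; it is not OpenSSL's implementation and not code from the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One hex-dump line: optional 4-digit offset, " - ", up to 16 hex bytes separated
# by ' ' (or '-' after the 8th byte), then an ASCII column we ignore.  The offset
# is optional because pasted output sometimes loses the leading "0000".
_DUMP_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]{4})?\s*-\s+((?:[0-9a-fA-F]{2}[ -]?){1,16})")
# The line s_client prints before each dump: "write to 0x... " / "read from 0x... ".
_HEADER = re.compile(r"^(read from|write to) 0x[0-9a-fA-F]+")

SSL3_VERSION_MAJOR = 3          # SSLv3 and every TLS 1.x record carry major version 3
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def parse_debug_dump(text: str) -> List[Tuple[str, bytes]]:
    """Return [("write"|"read", bytes), ...], one entry per dump block in the transcript."""
    chunks: List[Tuple[str, bytearray]] = []
    for line in text.splitlines():
        h = _HEADER.match(line)
        if h:
            chunks.append(("write" if h.group(1) == "write to" else "read", bytearray()))
            continue
        m = _DUMP_LINE.match(line)
        if m and chunks:
            chunks[-1][1].extend(bytes.fromhex(re.sub(r"[ -]", "", m.group(1))))
    return [(direction, bytes(buf)) for direction, buf in chunks]


@dataclass
class Verdict:
    ok: bool
    error: Optional[str]   # OpenSSL-style reason string, None if the header passed
    detail: str


def check_record_header(data: bytes, expected_version: Optional[int] = None) -> Verdict:
    """Apply, in the same order as ssl3_get_record, the version checks on a 5-byte
    TLS record header (type, 2-byte version, 2-byte length).  expected_version is
    the version already pinned for the connection, or None for the first packet."""
    if len(data) < 5:
        return Verdict(False, None, f"only {len(data)} byte(s): no complete record header")
    ctype, major, minor = data[0], data[1], data[2]
    version = (major << 8) | minor
    length = int.from_bytes(data[3:5], "big")

    # Check 1: once a version is pinned, every record must carry it.
    if expected_version is not None and version != expected_version:
        return Verdict(False, "wrong version number",
                       f"record version 0x{version:04x} but connection is 0x{expected_version:04x}")

    # Check 2: the major byte must be 3; otherwise these bytes are not a TLS record.
    # On a first packet OpenSSL sniffs for an HTTP request so a server can say so.
    if major != SSL3_VERSION_MAJOR:
        if expected_version is None:
            if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
                return Verdict(False, "http request", "peer sent plaintext HTTP to a TLS port")
            if data.startswith(b"CONNE"):
                return Verdict(False, "https proxy request", "peer sent an HTTP CONNECT to a TLS port")
        hint = ("peer answered with a plaintext HTTP response: it is not speaking TLS on this port"
                if data.startswith(b"HTTP/") else "bytes do not form a TLS record")
        return Verdict(False, "wrong version number", f"major version byte 0x{major:02x} != 3 ({hint})")

    name = CONTENT_TYPES.get(ctype, f"type {ctype}")
    return Verdict(True, None, f"{name} record, version 0x{version:04x}, {length} bytes of payload")


def diagnose(transcript: str) -> Verdict:
    """Check the first record the peer sent, as s_client's record layer did."""
    reads = [buf for direction, buf in parse_debug_dump(transcript) if direction == "read"]
    if not reads:
        return Verdict(False, None, "transcript has no 'read from' block")
    return check_record_header(reads[0])


# Constructed for this example from the dump posted in the thread: the ClientHello
# write is cut to its first dump line, the 5-byte read is complete.
SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
write to 0x55f11344dea0 [0x55f11345f100] (176 bytes => 176 (0xB0))
0000 - 16 03 01 00 ab 01 00 00-a7 03 03 8c 1a 33 4f 8e   .............3O.
read from 0x55f11344dea0 [0x55f113455ee3] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f                                    HTTP/
"""

if __name__ == "__main__":
    for direction, buf in parse_debug_dump(SAMPLE_TRANSCRIPT):
        print(f"{direction:5s} {len(buf):3d} bytes: {check_record_header(buf).detail}")
    print("diagnosis:", diagnose(SAMPLE_TRANSCRIPT))
```

Run against a real `-debug` transcript, `diagnose()` looks only at the first block the peer sent; if the ClientHello goes out and the first bytes back are an HTTP status line, the port is serving plaintext HTTP, which is the situation Matt identified. The same header check with a pinned `expected_version` reproduces the other case Michael lists, a later record whose version differs from the one negotiated.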