Version: REBOL/View 2.7.8.3.1 1-Jan-2011

I have run a REBOL script weekly that fetches data for years. The script was last verified working on 21-Oct-2016.

As of today, 28-Oct-2016 the script fails with this error:

** Command Error: SSL Error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Someone suggests that during the SSL/TLS handshake, REBOL only offers ciphers that current servers no longer support. Subsequently, the server my script tried to contact is not willing to work with older ciphers of REBOL and thus the handshake fails.

Is this right? If this is so, REBOL 2.7.8 will become useless before long unless patched.

Incidentally, this fails with Saphirion's R3. In that case, it simply crashes and stops working without spewing an error message.

Time Series Lord
    Hard to say for certain as Rebol 2 is closed source. Have you tried the Atronix or Ren-C builds? As I understand it, they use an updated version of TLS. If you must stick with Rebol 2, you could [wrap curl](http://reb4.me/r/curl) via CALL to delegate your HTTPS requests. Also, do you have a URL on which the error can be reproduced? – rgchris Oct 28 '16 at 15:42
  • `>> read https://www.espacehifi.com/ connecting to: www.espacehifi.com ** Command Error: SSL Error: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error ** Where: build-port ** Near: system/words/set-modes port/sub-port [secure: true]` Perhaps the latest patches to Windows 10 Anniversary Update have blocked SSL 3 support by default. – Time Series Lord Oct 28 '16 at 22:33
  • But it's OK with GOOGLE: >> read https://www.google.com connecting to: www.google.com == { – Time Series Lord Oct 28 '16 at 22:41
  • And ... `>> a: https://fred.stlouisfed.org/graph/fredgraph.csv?id=wCURRNS == https://fred.stlouisfed.org/graph/fredgraph.csv?id=wCURRNS >> read a connecting to: fred.stlouisfed.org ** Command Error: SSL Error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ** Where: build-port ** Near: system/words/set-modes port/sub-port [secure: true]` – Time Series Lord Oct 28 '16 at 22:49
  • How does one use your curl script? I can load it in REBOL but when I tried to use it, e.g., `>> curl https://fred.stlouisfed.org/graph/fredgraph.csv?id=wcurrns` it hangs. So does cur/method a 'get ;; where is the URL above – Time Series Lord Oct 28 '16 at 23:23
  • That's the correct usage—seems to work fine for me: Core 2.7.8.2.5. It can take a little finessing to work on Windows if that's your platform. Also, you can `trace/net on` to get the full shell command used: try running it directly in the shell to see if the issue is with curl (or just construct the curl command to use with CALL yourself with flags that you know to work). – rgchris Oct 29 '16 at 19:21
    Even on Rebol3, we at Atronix use curl when TLS 1.2 is required. Adding TLS 1.2 support in the Atronix build of Rebol3 is on our roadmap. It should be complete in 2017. We will more than likely integrate LibreSSL from the OpenBSD project since it has a cleaner API and few security holes. – David den Haring Oct 31 '16 at 12:42

2 Answers

REBOL/View 2.7.8.3.1 1-Jan-2011

I don't know much about rebol, but according to the documentation it is available for a variety of systems, including various UNIX-like systems. This suggests that the underlying library used for SSL/TLS is the most commonly used library which covers all supported systems, i.e. OpenSSL.

Given the release date of the rebol version, this should be either an early 1.0.0 version of OpenSSL or, more likely, version 0.9.8. None of these OpenSSL releases supports TLS 1.2 or ECDHE ciphers, which are commonly supported by modern servers and sometimes not only supported but required. In the latter case the SSL handshake will simply fail. Another reason why the handshake might fail is that the site requires Server Name Indication (SNI). While SNI could already be supported with OpenSSL 0.9.8, it wasn't used that much in 2011 and thus only little software supported it at the time. But today SNI is often essential, for example if you try to access sites protected by Cloudflare Free SSL.

Steffen Ullrich

Rebol2 only has support for TLS 1.0. If you run the report from ssllabs on that server the report says that the only supported cipher suite for TLS 1.0 is TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA.

Now, Rebol3 and its forks aren't Rebol2, but if you look at the rebol3 source for prot-tls you'll see that the supported cipher suites do not include Elliptic Curve Diffie-Hellman Ephemeral or ECDHE.

We've updated the error message in the meantime so that it now says something more meaningful:

read https://www.espacehifi.com/ ** Error: Handshake failure - no supported cipher suite available on server

until we get ECDHE suites into rebol3.

Bruno Rohée
Graham Chiu
  • I'm being bit by this problem now too. The key sites in my company are now TLS 1.2... – Edoc Nov 09 '17 at 17:15
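Both answers come down to the same mechanism: the client's ClientHello lists only the protocol version and cipher suites it can do, and a server that accepts none of them (here, only TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA for TLS 1.0, according to the second answer) replies with a handshake_failure alert, which is exactly the "sslv3 alert handshake failure" in the question. The script below is an added example, not code from the question, the answers or Rebol: it builds two constructed ClientHello records, parses them back, and reports why a handshake against that server-side suite set would fail. The "old client" suite list (TLS 1.0, RSA key exchange only, no SNI) is an assumption about what an OpenSSL 0.9.8-era client offers, and the server suite set is taken from the ssllabs observation quoted in the second answer. The same parser can be pointed at a ClientHello captured from a real client to see what it actually offers.

```python
"""Inspect a TLS ClientHello and check it against what a server will accept.

Added example (not code from the question, the answers, or Rebol itself):
the ClientHello bytes are constructed here, and the "old client" suite list
is an assumption about what a 2011-era OpenSSL 0.9.8 client might offer.
"""
import struct

# IANA cipher suite ids used in this example (lookup table, not exhaustive)
SUITE_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
EXT_SERVER_NAME = 0  # extension type id for SNI (RFC 6066)


def suite_name(suite_id):
    return SUITE_NAMES.get(suite_id, "0x%04X" % suite_id)


def build_client_hello(version, suites, sni=None):
    """Build one TLS record carrying a minimal ClientHello (constructed test input)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    if sni is not None:
        host = sni.encode()
        name_list = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        ext_data = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the client version, offered cipher suites and SNI host from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:]  # skip 5-byte record header and 4-byte handshake header
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32  # skip client random
    pos += 1 + body[pos]  # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]  # skip compression methods
    sni = None
    if pos < len(body):  # extensions are optional; a 2011-era client may send none
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                # ServerNameList: 2-byte list length, 1-byte name type, 2-byte name length, name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                sni = body[pos + 5:pos + 5 + name_len].decode()
            pos += ext_len
    return {"version": version, "suites": suites, "sni": sni}


def assess(record, server_suites, server_needs_sni=False):
    """Explain why a handshake with a server accepting only server_suites would fail."""
    hello = parse_client_hello(record)
    version = VERSION_NAMES.get(hello["version"], hex(hello["version"]))
    common = [suite_name(s) for s in hello["suites"] if s in server_suites]
    problems = []
    if hello["version"] < 0x0303:
        problems.append("client offers at most %s, not TLS 1.2" % version)
    if not any("ECDHE" in suite_name(s) for s in hello["suites"]):
        problems.append("client offers no ECDHE suites")
    if server_needs_sni and hello["sni"] is None:
        problems.append("client sends no SNI extension")
    if not common:
        problems.append("no cipher suite in common with the server")
    return {"version": version, "offered": [suite_name(s) for s in hello["suites"]],
            "sni": hello["sni"], "common": common, "problems": problems}


# Constructed: roughly what an OpenSSL 0.9.8-era client sends (assumption: TLS 1.0, RSA suites, no SNI)
OLD_CLIENT = build_client_hello(0x0301, [0x002F, 0x0035, 0x000A, 0x0005])
# Constructed: a current client offering TLS 1.2, ECDHE suites and SNI
NEW_CLIENT = build_client_hello(0x0303, [0xC02F, 0xC009, 0x002F], sni="www.example.com")
# Server side, from the ssllabs observation in the second answer: a single TLS 1.0 suite
SERVER_SUITES = {0xC009}

if __name__ == "__main__":
    for label, hello in (("old client", OLD_CLIENT), ("new client", NEW_CLIENT)):
        print(label, assess(hello, SERVER_SUITES, server_needs_sni=True))
```

Run as-is, the old client comes back with an empty `common` list and the "no cipher suite in common" problem, which is the condition under which a server sends the handshake_failure alert seen in the question; the new client shares TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA with the server and reports no problems. To check a real client, capture its first record to the server and pass those bytes to `assess` with the server's suite list from an ssllabs report.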