
I have tried to establish an SSL connection to the Linux server machine from an STB client device. I am getting the following SSL error:

error:1408F10B:lib(20):func(143):reason(267) (find reason(code) at openssl/ssl.h) 

On checking with the openssl command, I am getting the following information:

CONNECTED(00000003)
write to 0x7ee98 [0x8a153] (148 bytes => 148 (0x94))
0000 - 16 03 00 00 8f 01 00 00-8b 03 00 50 40 64 2c 41   ...........P@d,A
0010 - 53 23 c1 e1 9a dd e3 40-61 b3 71 cb 38 fe ba c9   S#.....@a.q.8...
0020 - 6b d7 b4 00 0d 21 88 19-6a 7c 56 00 00 64 c0 14   k....!..j|V..d..
0030 - c0 0a 00 39 00 38 00 37-00 36 00 88 00 87 00 86   ...9.8.7.6......
0040 - 00 85 c0 0f c0 05 00 35-00 84 c0 13 c0 09 00 33   .......5.......3
0050 - 00 32 00 31 00 30 00 9a-00 99 00 98 00 97 00 45   .2.1.0.........E
0060 - 00 44 00 43 00 42 c0 0e-c0 04 00 2f 00 96 00 41   .D.C.B...../...A
0070 - 00 07 c0 11 c0 07 c0 0c-c0 02 00 05 00 04 c0 12   ................
0080 - c0 08 00 16 00 13 00 10-00 0d c0 0d c0 03 00 0a   ................
0090 - 00 ff 01                                          ...
0094 - <SPACES/NULS>
read from 0x7ee98 [0x85c03] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f                                    HTTP/
write to 0x7ee98 [0x8f610] (7 bytes => 7 (0x7))
0000 - 15 03 00 00 02 02 28                              ......(
3069535440:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version    number:s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : SSLv3
Cipher    : 0000
Session-ID: 
Session-ID-ctx: 
Master-Key: 
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1516869657
Timeout   : 7200 (sec)
Verify return code: 0 (ok)

The exact error I am getting is 3069535440:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:.

Could someone please help me resolve this issue?

Vysakh A V
    **WRONG PORT.** You omitted from your Q, but say in a comment below, you are connecting to port 8080. 8080 is normally HTTP not HTTPS, and you can see from the trace that is true on this server. Try connecting to the port that is HTTPS; that can vary depending on the server which you don't identify but may be 8443. But your openssl is in fact requesting SSLv3 and many modern implementations no longer allow that because it is broken; what exactly is the server? – dave_thompson_085 Jan 25 '18 at 14:37
  • The server is a Linux machine running Ubuntu 14.04, and I am trying to connect to this machine from a client set-top box device. The SSL attempt to this machine's IP used port 8080. – Vysakh A V Jan 25 '18 at 14:39
  • Ubuntu is an OS, not a webserver; there are thousands of webservers that can run on Ubuntu -- and that's if you need HTTPS and not some other SSL/TLS protocol; are you sure of that? If you do want HTTPS on 8080, you need to turn off whatever is currently doing HTTP on 8080, and turn on something that does HTTPS on 8080 (maybe the same thing modified to do HTTPS instead of HTTP). – dave_thompson_085 Jan 25 '18 at 17:49
  • @dave_thompson_085 yes. From the client device, I am trying to connect to the HTTP server listening on port 8080. If I am doing something wrong, please help me rectify my issue. Thanks very much. – Vysakh A V Jan 26 '18 at 07:01
  • If the device is trying to connect SSL/TLS to port 8080, which is very unusual but seems to be indicated by its error message, and you have an HTTP server on port 8080, then yes you are doing something wrong. **SSL/TLS and HTTP are different.** Given what you say, you need a server on port 8080 for some SSL/TLS-based protocol -- possibly HTTPS (note the S; HTTPS is not the same as HTTP, although many webservers can do both). At a minimum given you have a suitable cert&key, you could use `openssl s_server -accept 8080 ...` and if the device handshakes okay look at what it sends. – dave_thompson_085 Jan 26 '18 at 10:02
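As an added illustration of the diagnosis in the comments above (this is not code from the question or its commenters), the helper below decodes the first bytes of each direction in the openssl trace: the client's record header, the five bytes the server actually returned, and the alert the client wrote back. The byte strings are copied from the trace; the lookup tables are the standard TLS content-type, version and alert codes.

```python
import struct

# First bytes of each direction, copied from the openssl trace in the question.
CLIENT_HELLO_HEAD = bytes.fromhex("160300008f0100008b0300")  # "write to ... (148 bytes)"
SERVER_REPLY = bytes.fromhex("485454502f")                   # "read from ... (5 bytes)" = "HTTP/"
CLIENT_ALERT = bytes.fromhex("15030000020228")               # "write to ... (7 bytes)"

# Standard TLS record/alert code points (RFC 5246 and predecessors).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {10: "unexpected_message", 40: "handshake_failure",
                      42: "bad_certificate", 48: "unknown_ca", 70: "protocol_version"}


def classify(data: bytes) -> dict:
    """Interpret the first bytes a peer sent as a TLS record header, or flag them as plaintext."""
    if len(data) < 5:
        return {"kind": "short", "detail": f"only {len(data)} bytes, record header needs 5"}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype in CONTENT_TYPES and version in VERSIONS:
        rec = {"kind": "tls_record", "content_type": CONTENT_TYPES[ctype],
               "version": VERSIONS[version], "length": length}
        body = data[5:5 + length]
        if ctype == 22 and body:
            rec["handshake_type"] = HANDSHAKE_TYPES.get(body[0], body[0])
        if ctype == 21 and len(body) >= 2:
            rec["alert"] = (ALERT_LEVELS.get(body[0]), ALERT_DESCRIPTIONS.get(body[1], body[1]))
        return rec
    # Not a TLS header. The bytes a TLS client would read as the version field are what
    # OpenSSL reports as "wrong version number"; check whether they are really ASCII.
    rec = {"kind": "unknown", "version_field": hex(version), "first_bytes": data[:5].hex()}
    if all(0x20 <= b < 0x7F for b in data[:5]):
        text = data[:5].decode("ascii")
        rec.update(kind="plaintext", text=text)
        if text.startswith(("HTTP/", "GET ", "POST ", "HEAD ")):
            rec["hint"] = "peer speaks plain HTTP on this port; it is not a TLS endpoint"
    return rec


if __name__ == "__main__":
    for label, data in (("client sent", CLIENT_HELLO_HEAD),
                        ("server replied", SERVER_REPLY),
                        ("client then sent", CLIENT_ALERT)):
        print(f"{label:16} {classify(data)}")
```

Run against the trace, it shows an SSLv3 ClientHello answered by the ASCII text "HTTP/" (version field 0x5454), after which the client sends a fatal handshake_failure alert.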

1 Answer


As you can see in the error information you provided, there is a routines:SSL3_GET_RECORD:wrong version error. It seems to me that you try to use SSL3 although the server and/or client is not supporting this SSL version. Try to change the used method and try again.

EDIT: The protocol is supported due to Verify return code with Protocol SSLv3 being 0.

  • In both client and server, I could see SSLv3 and TLSv1.2 protocols supported. But I am not able to connect from client to server. Here I am trying to connect to port 8080 and am getting the above mentioned error in both cases. – Vysakh A V Jan 25 '18 at 09:24
  • Yes, just saw that the Verify returned 0, so SSLv3 should be supported. What kind of certificate is the server you're connecting to using? – Vincent Scharf Jan 25 '18 at 09:55
  • I am not sure about the certificate which I have used here. Do we need to store the certificate from the server machine on the client side? If so, how can we get the server side certificate? – Vysakh A V Jan 25 '18 at 10:28
  • You should check if you are using a self-signed certificate and if this certificate is valid. You could try using Lets-Encrypt for generating a validated free certificate, for your server to check if the validation is the problem. – Vincent Scharf Jan 25 '18 at 12:03
  • @VysakhAV No, you do not need to store the server certificate on the client machine. Maybe the problem is that the STB is trying to validate the certificate, but due to it being self-signed it cannot validate the CA and closes the connection. – Vincent Scharf Jan 25 '18 at 12:35
  • @VysakhAV What you can do, though, is try to tell your client to trust the server certificate by installing the CA on the client. Maybe that fixes the problem. – Vincent Scharf Jan 25 '18 at 12:40
  • Thanks Vincent for the detailed explanation. Could you please let me know how we can install the CA certificate in STB. What certificate should I download to STB? – Vysakh A V Jan 25 '18 at 12:50
  • Have a look here: https://unix.stackexchange.com/a/90607 Following this guide you should be able to add the self-signed CA to the pool of trusted CAs on your device. – Vincent Scharf Jan 25 '18 at 12:54
  • The problem in this Q is not a certificate problem. The verify error is meaningless since verification wasn't even attempted. All of the session parameters are meaningless since negotiation failed at the hello. – dave_thompson_085 Jan 25 '18 at 14:32
  • @dave_thompson_085 Well, in case the error does not lie and the SSL version is not supported by either client or server, that would be a reason to fail at hello, wouldn't it? – Vincent Scharf Jan 25 '18 at 14:46