Hello,
I've recently come across a problem with openssl versions over 0.9.7a. I have a network of approximately 100 servers using curl to access different websites. Some of the servers are using openssl 0.9.7a and some are using 0.9.8b.

We recently encountered a problem accessing some sites utilizing SSL that returns an error stating "Unknown SSL protocol error in connection". This error only happens on servers running 0.9.8b. The 0.9.7a servers can access the sites just fine. I tried upgrading one of the servers to 0.9.8i to see if there was a bug in openssl, but the same problem happened.

This issue appears to only happen if SSLv3 is attempted. TLS or SSLv2 work. The problem is that curl uses sslv3 and fails out. This only happens on a few sites.

This is a sample from 0.9.8b

$ openssl s_client -connect www.hottopic.com:443 -ssl3 -debug
CONNECTED(00000003)
write to 0x95a9bb0 [0x95b3968] (97 bytes => 97 (0x61))
0000 - 16 03 00 00 5c 01 00 00-58 03 00 49 64 e7 d8 f4 ....\...X..Id...
0010 - 71 df 07 cb a3 1a f0 0c-e8 a9 95 48 3b 90 25 f7 q..........H;.%.
0020 - f4 00 b1 05 a7 ef 93 42-d7 46 5a 00 00 30 00 39 .......B.FZ..0.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f .8.5.......3.2./
0040 - 00 66 00 05 00 04 00 63-00 62 00 15 00 12 00 09 .f.....c.b......
0050 - 00 65 00 64 00 14 00 11-00 08 00 06 00 03 02 01 .e.d............
0061 - <SPACES/NULS>
read from 0x95a9bb0 [0x95af158] (5 bytes => 0 (0x0))
5249:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

Here's a sample from 0.9.7a

> openssl s_client -connect www.hottopic.com:443 -ssl3 -debug
CONNECTED(00000003)
write to 080B2388 [080BC140] (100 bytes => 100 (0x64))
0000 - 16 03 00 00 5f 01 00 00-5b 03 00 49 64 e9 5a 69 ...._...[..Id.Zi
0010 - 35 b8 92 66 d4 68 30 fb-ea 31 8d f2 d5 cd 3d aa 5..f.h0..1....=.
0020 - 0f 28 65 21 dc 0b 7c ad-e9 60 0c 00 00 34 00 39 .(e!..|..`...4.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f .8.5.......3.2./
0040 - 00 66 00 05 00 04 00 63-00 62 00 61 00 15 00 12 .f.....c.b.a....
0050 - 00 09 00 65 00 64 00 60-00 14 00 11 00 08 00 06 ...e.d.`........
0060 - 00 03 01 ...
0064 - <SPACES/NULS>
read from 080B2388 [080B7930] (5 bytes => 5 (0x5))
0000 - 16 03 00 06 a0 .....
read from 080B2388 [080B7935] (1696 bytes => 1696 (0x6A0))

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
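
Added example, not part of the original post: a parser for the two SSLv3 ClientHello records shown in the "write to" dumps above, used to compare what each OpenSSL build offers the server. The function names are illustrative, and the last byte of each record, which the dump elides as <SPACES/NULS>, is assumed to be 0x00.

```python
import struct

# Bytes copied from the two "write to" dumps in the post. The dump elides
# trailing NULs, so the final 0x00 of each record is an assumption.
HELLO_098B = bytes.fromhex(
    "160300005c0100005803004964e7d8f4" "71df07cba31af00ce8a995483b9025f7"
    "f400b105a7ef9342d7465a0000300039" "0038003500160013000a00330032002f"
    "00660005000400630062001500120009" "00650064001400110008000600030201"
    "00")
HELLO_097A = bytes.fromhex(
    "160300005f0100005b03004964e95a69" "35b89266d46830fbea318df2d5cd3daa"
    "0f286521dc0b7cade9600c0000340039" "0038003500160013000a00330032002f"
    "00660005000400630062006100150012" "00090065006400600014001100080006"
    "00030100")


def parse_client_hello(record):
    """Decode one SSLv3/TLS record that holds a single ClientHello."""
    ctype, rec_version, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not one complete handshake record")
    if record[5] != 0x01 or int.from_bytes(record[6:9], "big") != rec_len - 4:
        raise ValueError("not a single ClientHello message")
    (client_version,) = struct.unpack_from("!H", record, 9)
    pos = 9 + 2 + 32                      # skip client_version and random
    pos += 1 + record[pos]                # session_id length + session_id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    suites = [struct.unpack_from("!H", record, pos + i)[0]
              for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = record[pos]
    compression = list(record[pos + 1:pos + 1 + comp_len])
    pos += 1 + comp_len
    return {"version": client_version, "suites": suites,
            "compression": compression, "has_extensions": pos < len(record)}


def diff_hellos(a, b):
    """Report what differs between two ClientHello records."""
    pa, pb = parse_client_hello(a), parse_client_hello(b)
    return {"suites_only_in_a": sorted(set(pa["suites"]) - set(pb["suites"])),
            "suites_only_in_b": sorted(set(pb["suites"]) - set(pa["suites"])),
            "compression_a": pa["compression"],
            "compression_b": pb["compression"]}


if __name__ == "__main__":
    for key, value in diff_hellos(HELLO_098B, HELLO_097A).items():
        print(key, [hex(v) for v in value])
```

On these bytes the 0.9.8b hello lists compression methods 1 and 0 and lacks cipher suites 0x0060 and 0x0061, while the 0.9.7a hello lists only compression method 0.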