This almost certainly belongs in -users only, but if I restrict the reply it
looks unanswered.

> From: owner-openssl-us...@openssl.org On Behalf Of Nayna Jain
> Sent: Thursday, July 31, 2014 17:37

> We got one of our openssl version upgraded to openssl 1.0.1e version.
> But after that I am facing this error at client side.
> 
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> 
> But I am not sure why it is giving wrong version number, as both client and
> server have an SSLv3 connection.  Below are the details:
> 
>    Client is 0.9.8a and calls SSLv3_method()   for ivSMethod()
>    Server is upgraded to 1.0.1e and calls SSLv3_method() for ivSMethod()
>    When the client tries to connect to the server, I get the error
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>    Logically I thought, it will work as both are SSLv3 and nothing changed
>    there, but still it fails with wrong version number ..
>    When I tried using openssl s_client it fails as below with similar
>    error message
> testsystem:~ # openssl s_client -connect <ip>:<port> -msg
> CONNECTED(00000003)
> >>> SSL 2.0 [length 008f], CLIENT-HELLO
<snip>
0.9.8 s_client by default sends SSLv2 hello, as this shows.
Either use 1.0.0 or higher s_client, or use s_client -ssl3.
Or at least s_client -no_ssl2.

> Can someone help to debug this please? No further information could be
> traced on why it failed. If someone has an idea about debugging tools
> for tracking openssl connections, do let me know.
>
See above. 

Does the server start immediately in SSL, or does it require any kind of
STARTTLS? If the latter, s_client supports a few forms of STARTTLS but not
all, and only if you specify which one explicitly. Otherwise you'll need a
custom program.

If neither of those helps, the usual best debugging method, if you have
access on at least one end system or another system on the same network
segment (typically LAN hub, but may vary greatly depending on your network
hardware) is to run a network capture like Wireshark (for Windows or MacOSX
or Linux), tcpdump (for most Unix), etc. and look at it.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
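
When looking at such a capture, the first bytes the client sends show whether it used an SSLv2-format hello, an SSLv3/TLS record, or plaintext that expects STARTTLS. The Python below is an added example, not part of the original message or of OpenSSL; the function names are hypothetical and the sample byte strings are constructed (headers followed by zero padding).

```python
import struct

VERSIONS = {0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def classify_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends on a new connection."""
    if len(data) < 5:
        return {"format": "short"}
    # SSLv2 record: 2-byte header with the high bit set, then message
    # type 1 (CLIENT-HELLO), then the highest version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        offered = struct.unpack(">H", data[3:5])[0]
        return {"format": "sslv2-hello", "length": length,
                "offered": VERSIONS.get(offered, hex(offered))}
    # SSLv3/TLS record: type 0x16 (handshake), version, 2-byte length.
    if data[0] == 0x16 and data[1] == 0x03:
        rec_ver, length = struct.unpack(">HH", data[1:5])
        out = {"format": "ssl3/tls-record", "length": length,
               "record_version": VERSIONS.get(rec_ver, hex(rec_ver))}
        # Handshake header is type(1) + length(3), then client_version(2).
        if len(data) >= 11 and data[5] == 0x01:
            offered = struct.unpack(">H", data[9:11])[0]
            out["offered"] = VERSIONS.get(offered, hex(offered))
        return out
    # Anything else: plaintext (for example a STARTTLS protocol) or garbage.
    return {"format": "not-ssl", "detail": repr(data[:16])}

def ssl3_view(data: bytes) -> tuple:
    """Bytes an SSLv3-only peer reads as the record version (major, minor),
    and whether the major byte is the 3 that an SSLv3 record requires."""
    return data[1], data[2], data[1] == 3

# Constructed samples. V2_HELLO mirrors the "[length 008f]" line quoted
# above; the offered version 03 01 is an assumption for illustration.
V2_HELLO = bytes.fromhex("808f010301") + bytes(0x8F - 3)
V3_HELLO = bytes.fromhex("16030000310100002d0300") + bytes(43)
PLAINTEXT = b"220 mail.example.test ESMTP\r\n"

if __name__ == "__main__":
    for name, sample in (("v2", V2_HELLO), ("v3", V3_HELLO),
                         ("plain", PLAINTEXT)):
        print(name, classify_hello(sample), ssl3_view(sample))
```

Paste the first payload bytes of the connection from the capture into `classify_hello` to see which of the three cases applies.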
