Hi

Our schools' filtering product utilises OpenSSL with Squid; we're seeing issues 
connecting to some sites which seem OpenSSL-related. Two sites with known 
issues are:

https://www.spellanywhere.co.uk/

https://www.mymaths.co.uk/

Connecting to either of these, Squid returns the error:

(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:14077438:SSL 
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

Running openssl tests directly from a school's box (OpenSSL 1.0.1) gets:

# openssl s_client -connect www.spellanywhere.co.uk:443
CONNECTED(00000003)
3073661128:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert 
internal error:s23_clnt.c:734:

Attempting to disable protocols for testing gets:

openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -connect 
www.spellanywhere.co.uk:443
CONNECTED(00000003)
3074005192:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert 
handshake failure:s23_clnt.c:734:

and eventually

openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -no_ssl3 -no_ssl2 -connect 
www.spellanywhere.co.uk:443
CONNECTED(00000003)
3073534152:error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols 
available:s23_clnt.c:385:

While forcing DTLS with 

openssl s_client -dtls1 -connect www.spellanywhere.co.uk:443

seems to establish a tunnel as expected. 

Using curl or wget on the same boxes to those sites works as expected. Tests on 
a local box with OpenSSL 1.0.2e return similar results, although the disabled 
protocols test returns a different error:

openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -no_ssl3 -no_ssl2 -connect 
www.spellanywhere.co.uk:443
CONNECTED(00000003)
139735616550552:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported 
protocol:s23_clnt.c:735:

Is this some sort of SSL handshake fallback error? Is there anything we can do 
in terms of configuration? Are we barking up the wrong tree?

All input/questions welcome.

Thanks

Chris


---
Chris Puttick
CEO & Chief Asst to the duck
TwoTen
http://twoten.is
Making the Internet better. For kids.
+44 7908 997 146
@putt1ck
Two Ten Web Limited, Regd Company no. 7774762 Regd office Unit 6, Southill, 
Cornbury Park, Charlbury, Oxfordshire OX7 3EW United Kingdom

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
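An added note on reading those error strings, with a small decoder that is not from the original post or from OpenSSL itself. OpenSSL packs each error as 0xLLFFFRRR (8-bit library, 12-bit function, 12-bit reason), and in the SSL library a reason of 1000 or more means "the peer sent TLS alert (reason - 1000)" (SSL_AD_REASON_OFFSET in ssl.h). That split matters for the diagnosis: 14077438 and 14077410 are the server actively rejecting the ClientHello (alerts 80 internal_error and 40 handshake_failure), whereas 140740BF "no protocols available" and 14077102 "unsupported protocol" are raised locally before or after the hello without the server deciding anything. So the thing to vary is what s_client puts in its hello, not which protocols it has enabled. One difference worth checking, stated here as a suggestion rather than a diagnosis: with the 1.0.x s_client shown above, SNI is only sent when `-servername www.spellanywhere.co.uk` is given, while curl and wget do send it, and servers that require SNI commonly answer a hello without it with exactly this kind of alert. The sample lines below are the ones quoted in the post.

```python
import re

# OpenSSL error code layout (ERR_PACK in err.h): 0xLLFFFRRR
#   LL  = 8-bit library number, 20 == ERR_LIB_SSL
#   FFF = 12-bit function number (e.g. SSL23_GET_SERVER_HELLO)
#   RRR = 12-bit reason number
ERR_LIB_SSL = 20
# In the SSL library, reasons >= 1000 carry a TLS alert received from the peer.
SSL_AD_REASON_OFFSET = 1000

# Alert descriptions from RFC 5246 section 7.2 plus a few registered later.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 86: "inappropriate_fallback", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
    112: "unrecognized_name", 115: "unknown_psk_identity",
}

# Matches the "error:<hex>:<lib>:<func>:<reason text>" part of an s_client line.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)")


def decode_openssl_error(line):
    """Split an OpenSSL error line into its fields and say who caused it.

    Returns None if the line carries no OpenSSL error. Otherwise returns a dict
    with the numeric fields, the textual names from the line, and 'origin'
    set to 'peer' (a TLS alert the server sent us) or 'local'.
    """
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    info = {
        "code": code,
        "lib": code >> 24,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "lib_name": m.group(2),
        "func_name": m.group(3),
        "reason_text": m.group(4),
        "origin": "local",
        "peer_alert": None,
        "alert_name": None,
    }
    if info["lib"] == ERR_LIB_SSL and info["reason"] >= SSL_AD_REASON_OFFSET:
        alert = info["reason"] - SSL_AD_REASON_OFFSET
        info["origin"] = "peer"
        info["peer_alert"] = alert
        info["alert_name"] = TLS_ALERTS.get(alert, "unknown_alert")
    return info


def explain(line):
    """One-line human summary of an s_client error line (or '' if none)."""
    info = decode_openssl_error(line)
    if info is None:
        return ""
    if info["origin"] == "peer":
        return "%08X in %s: server sent TLS alert %d (%s) in reply to our hello" % (
            info["code"], info["func_name"], info["peer_alert"], info["alert_name"])
    return "%08X in %s: local error '%s', server made no decision" % (
        info["code"], info["func_name"], info["reason_text"])


if __name__ == "__main__":
    # The four error lines quoted in the post above.
    for sample in (
        "3073661128:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:734:",
        "3074005192:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:734:",
        "3073534152:error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available:s23_clnt.c:385:",
        "139735616550552:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:s23_clnt.c:735:",
    ):
        print(explain(sample))
```

Feed it the raw s_client output (it ignores lines without an error code) and it tells you which failures came back from the server as alerts and which were refused locally; only the former are worth chasing by changing the ClientHello (SNI, cipher list, extensions).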
