SSL routines:SSL23_WRITE:ssl handshake failure

ssl openssl

I'm trying to use OpenSSL to connect to an SSL server.

When I run:

openssl s_client -connect myhost.com:443

The following SSL client configurations work just fine:

  • Windows (OpenSSL 0.9.83e 23 Feb 2007)
  • Linux (OpenSSL 0.9.8o 01 Jun 2010)
  • Linux (OpenSSL 1.0.0-fips 29 Mar 2010)

Output from any successful connection looks like this:

New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: (hidden)
    Session-ID-ctx:
    Master-Key: (hidden)
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1337266099
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

However, when I use client with my Ubuntu 12.04 (w/ OpenSSL 1.0.1 14 Mar 2012) I get error:

CONNECTED(00000003)
...:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

How can I proceed on solving this?

All tips are much appreciated!


Solution 1:

This looks to be a known issue with Ubuntu's 1.0.1 OpenSSL: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371

It doesn't look like a fix is available. If possible you could downgrade to 1.0.0.

Try openssl s_client -tls1 -connect myhost.com:443

Solution 2:

This error can be caused by an older version of openssl when it can not re-negotiate the cipher (I generated a self-signed certificate using elliptic curves).

Specifically, I was getting the same error on MacOS with default openssl - 0.9.8zh

After installing the brew version OpenSSL 1.0.2f the error went away:

~/bin/openssl s_client -connect localhost:45678 | grep Cipher

verify return:1
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384

Solution 3:

If you get this issue with a Java HTTPS server running on OpenJDK, try editing /etc/java-7-openjdk/security/java.security and commenting out the line

security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg

as discovered by Christoph W.

Related

LVM logical volume partition corrupted after lvreduce
Network monitoring [duplicate]
Limit/Throttle per user OpenVPN bandwidth using TC
How do I expand the root's volume size?
GUI tools to administer Linux Box
How do I grant permissions to remotely start/stop a service using Powershell?
Configuring NTFS file system for performance
How to NOT get so many apache CLOSE_WAIT connections?
SQL Server 2005 / 2008 - multiple files / filegroups - how many? Why?
Windows Server 2016 not updating through WSUS
Generate self signed SSL certificate for apache
Can't enter iLO3 at bootup (HP ProLiant DL360 G7)