What does this error mean?

What does this error mean?

Rob Marshall
Hi,

It may not be relevant, but I'm running SLES 10 SP3 which is a very
old version of the OS and I can't upgrade it due to some installed
products. When I try to do a wget I'm seeing the error:

OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

What does the error mean and how do I fix it?

Thanks,

Rob
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: What does this error mean?

Marcus Meissner
On Mon, Apr 16, 2018 at 02:27:17PM -0400, Rob Marshall wrote:

> Hi,
>
> It may not be relevant, but I'm running SLES 10 SP3 which is a very
> old version of the OS and I can't upgrade it due to some installed
> products. When I try to do a wget I'm seeing the error:
>
> OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
> alert protocol version
>
> What does the error mean and how do I fix it?

From which host? The host probably only speaks TLS 1.2.

Ciao, Marcus

Re: What does this error mean?

Michael Wojcik
In reply to this post by Rob Marshall

The server is rejecting the connection because it doesn't like the SSL/TLS version range that wget is offering. Anything prior to TLSv1.1 suffers from vulnerabilities that can be exploited under practical conditions, so many servers reject older protocol versions.


You don't have to upgrade the OS to put a newer version of OpenSSL on, though you may have to build OpenSSL yourself.


From: openssl-users <[hidden email]> on behalf of Rob Marshall <[hidden email]>
Sent: Monday, April 16, 2018 2:27:17 PM
To: [hidden email]
Subject: [openssl-users] What does this error mean?
 
Hi,

It may not be relevant, but I'm running SLES 10 SP3 which is a very
old version of the OS and I can't upgrade it due to some installed
products. When I try to do a wget I'm seeing the error:

OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
alert protocol version

What does the error mean and how do I fix it?

Thanks,

Rob

Re: What does this error mean?

Rob Marshall
In reply to this post by Marcus Meissner
Hi,

I built and installed OpenSSL 1.0.2n and I'm still seeing the problem.
I originally tried to build/install 1.1.0h but my goal was to
build/install an updated OpenSSH (7.7.p1) and it wouldn't build with
that version and a straight 1.1.0 build failed. So I went with the
most recent 1.0.2 (in this case n) that I could find.

Rob

On Mon, Apr 16, 2018 at 2:33 PM, Marcus Meissner <[hidden email]> wrote:

> On Mon, Apr 16, 2018 at 02:27:17PM -0400, Rob Marshall wrote:
>> Hi,
>>
>> It may not be relevant, but I'm running SLES 10 SP3 which is a very
>> old version of the OS and I can't upgrade it due to some installed
>> products. When I try to do a wget I'm seeing the error:
>>
>> OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
>> alert protocol version
>>
>> What does the error mean and how do I fix it?
>
> From which host? The host probably only speaks TLS 1.2.
>
> Ciao, Marcus

Re: What does this error mean?

Michael Wojcik

It may be how the (probably somewhat outdated) version of wget is using the openssl API. Try "openssl s_client -connect server:port", using the server and port you're trying to get wget to connect to.




Re: What does this error mean?

Rob Marshall
Hi,

When I do that I see, among other things:

...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 9B63040F2D2F498F610A84E4A9D9017AF375772DFDDA760378666391A17C2C75
...

When I tried to force TLSv1.2 I got:

hostname:~ # wget --no-check-certificate --secure-protocol=TLSv1_2 https://bootstrap.pypa.io/get-pip.py
wget: --secure-protocol: Invalid value `TLSv1_2'.

My guess is that it's just too old of a version of wget. I was going
to try to build/install a newer version, but it seems to have
prerequisites I can't meet on SLES 10 SP3.

Thanks,

Rob

On Mon, Apr 16, 2018 at 5:17 PM, Michael Wojcik
<[hidden email]> wrote:

> It may be how the (probably somewhat outdated) version of wget is using the
> openssl API. Try "openssl s_client -connect server:port", using the server
> and port you're trying to get wget to connect to.
>
>
>

Re: What does this error mean?

OpenSSL - User mailing list
In reply to this post by Rob Marshall
You didn't answer the question that was asked.

Which host?

On 4/16/18, 4:23 PM, "Rob Marshall" <[hidden email]> wrote:

    Hi,
   
    I built and installed OpenSSL 1.0.2n and I'm still seeing the problem.
    I originally tried to build/install 1.1.0h but my goal was to
    build/install an updated OpenSSH (7.7.p1) and it wouldn't build with
    that version and a straight 1.1.0 build failed. So I went with the
    most recent 1.0.2 (in this case n) that I could find.
   
    Rob
   
    On Mon, Apr 16, 2018 at 2:33 PM, Marcus Meissner <[hidden email]> wrote:
    > On Mon, Apr 16, 2018 at 02:27:17PM -0400, Rob Marshall wrote:
    >> Hi,
    >>
    >> It may not be relevant, but I'm running SLES 10 SP3 which is a very
    >> old version of the OS and I can't upgrade it due to some installed
    >> products. When I try to do a wget I'm seeing the error:
    >>
    >> OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
    >> alert protocol version
    >>
    >> What does the error mean and how do I fix it?
    >
    > From which host? The host probably only speaks TLS 1.2.
    >
    > Ciao, Marcus

Re: What does this error mean?

Rob Marshall
Hi,

The command I'm running is:

wget --no-check-certificate https://bootstrap.pypa.io/get-pip.py

So in this particular case the host is: bootstrap.pypa.io. I was
trying to install the Python pip command.

Rob

On Mon, Apr 16, 2018 at 5:53 PM, Salz, Rich via openssl-users
<[hidden email]> wrote:

> You didn't answer the question that was asked.
>
> Which host?
>
> On 4/16/18, 4:23 PM, "Rob Marshall" <[hidden email]> wrote:
>
>     Hi,
>
>     I built and installed OpenSSL 1.0.2n and I'm still seeing the problem.
>     I originally tried to build/install 1.1.0h but my goal was to
>     build/install an updated OpenSSH (7.7.p1) and it wouldn't build with
>     that version and a straight 1.1.0 build failed. So I went with the
>     most recent 1.0.2 (in this case n) that I could find.
>
>     Rob
>
>     On Mon, Apr 16, 2018 at 2:33 PM, Marcus Meissner <[hidden email]> wrote:
>     > On Mon, Apr 16, 2018 at 02:27:17PM -0400, Rob Marshall wrote:
>     >> Hi,
>     >>
>     >> It may not be relevant, but I'm running SLES 10 SP3 which is a very
>     >> old version of the OS and I can't upgrade it due to some installed
>     >> products. When I try to do a wget I'm seeing the error:
>     >>
>     >> OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
>     >> alert protocol version
>     >>
>     >> What does the error mean and how do I fix it?
>     >
>     > From which host? The host probably only speaks TLS 1.2.
>     >
>     > Ciao, Marcus

Re: What does this error mean?

OpenSSL - User mailing list
>    wget --no-check-certificate https://bootstrap.pypa.io/get-pip.py
 
When I try this:
        ; ./apps/openssl s_client -connect bootstrap.pypa.io:443 -tls1_1
It fails.  When I leave off the last flag, it connects via TLS 1.2

So that website does not support anything older than TLS 1.2, apparently.  You'll have to build a modern OpenSSL, and then wget to use that version.  Good luck.
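
The two diagnostics used in this thread, as an added example that is not part of any poster's message: decoding the packed code in `error:1407742E` and repeating the per-version `s_client` check. It assumes the OpenSSL 0.9.8/1.0.x error-code layout (8-bit library, 12-bit function, 12-bit reason); all function names and the sample variable are hypothetical.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from OpenSSL or wget.

# Name the TLS alert numbers most often seen during version/cipher negotiation.
alert_name() {
    case "$1" in
        40) echo handshake_failure ;;
        70) echo protocol_version ;;
        71) echo insufficient_security ;;
        *)  echo unknown ;;
    esac
}

# Split a packed error code (hex digits after "error:") into its fields.
# Assumption: 0.9.8/1.0.x layout. In library 20 (SSL) a reason of 1000 or
# more is 1000 plus the alert number the peer sent.
decode_openssl_err() {
    code=$((0x$1))
    lib=$(( (code >> 24) & 0xff ))
    func=$(( (code >> 12) & 0xfff ))
    reason=$(( code & 0xfff ))
    if [ "$lib" -eq 20 ] && [ "$reason" -ge 1000 ]; then
        alert=$((reason - 1000))
        echo "lib=$lib func=$func reason=$reason alert=$alert ($(alert_name "$alert"))"
    else
        echo "lib=$lib func=$func reason=$reason"
    fi
}

# Read s_client output on stdin and print the negotiated protocol.
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# Offer one protocol version at a time (needs network; not run here).
# A "rejected" result can also mean the local openssl build lacks that version.
probe_versions() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        if out=$(openssl s_client -connect "$1:$2" "$flag" </dev/null 2>/dev/null); then
            echo "$flag accepted ($(printf '%s\n' "$out" | negotiated_protocol))"
        else
            echo "$flag rejected"
        fi
    done
}

# Sample input constructed from the s_client excerpt quoted in the thread.
SAMPLE_SESSION='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
```

Run `decode_openssl_err 1407742E` for the error in the first message, and `probe_versions host 443` with the openssl binary you intend the client to use.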

