openssl problems


openssl problems

wazzu62
I will preface this with the fact I am not an ssl expert.

I am trying to resolve an issue I am having with apache and a reverse proxy
that I think is ssl related.
Attempts to connect to the reverse proxy endpoint via a browser generate the
following error in the apache log file

[Tue May 29 09:14:36.494710 2018] [ssl:info] [pid 23700:tid 139947205977856]
SSL Library Error: error:1408F10B:SSL routines:ssl3_get_record:wrong version
number

When I run the following command on the server the reverse proxy is pointing
to I get a similar error
*openssl s_client -connect localhost:443*
CONNECTED(00000003)
140508314333632:error:1408F10B:SSL routines:ssl3_get_record:wrong version
number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1528389016
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

If I run that same command on the front end server running apache that has
the reverse proxy configuration I get the following

*openssl s_client -connect localhost:443*
CONNECTED(00000003)
depth=0 CN = 1804-repo
verify return:1
---
Certificate chain
 0 s:/CN=1804-repo
   i:/CN=1804-repo
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICzjCCAbagAwIBAgIJAPiVKPiTG4FhMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
BAMMCTE4MDQtcmVwbzAeFw0xODAzMjIyMjUyMzNaFw0yODAzMTkyMjUyMzNaMBQx
EjAQBgNVBAMMCTE4MDQtcmVwbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAK3w7ErX2bo7ijEx0jEGi+MzkceAIU6km0G7+q9wRJ7u7qy1HMvfynjKQnrK
AmIqwPsKr4kJl4m/cn6Wv1u7E53ZEiNpjs8qO73xOS/C/Sqs0f9vbBFNu1DYGcFZ
MtJVWSvPz9aPUnNu5IfL6tUI/yRThKa6YXrjOX35NxxmvK0eQMROGx9LJ8Hz9/Ld
4z0znsLgZFOQL1ssx4xDzJ6M5hnaTBOkfJn/yDiaEOH4RlRKE9rBi5BD6wPa5jIC
L9SU2+1VkicWZUoYyXI4N7EYS8dznYMpVaQbUTjsKktgN0R8zZXTdF84CFkI8w11
Buacbsf8B4Ea8qqUSvVoFdreANMCAwEAAaMjMCEwCQYDVR0TBAIwADAUBgNVHREE
DTALggkxODA0LXJlcG8wDQYJKoZIhvcNAQELBQADggEBAIHKZbF97JWPrw058upQ
7cngDwOOKYQDkOo1HWWfAfK2rWeBvwEDvZmebM8S6Sx9ccJxjf80o17tJA6dJ+Uz
KR2ip45VCbwK64SpKAeKfnqgTEvliUV7eMCjpG6pP+MuTnKCglRtAtS9TiEddj1A
h13uXDl2kInNyU+Hbk65mFRWsX4f7JTTDqMB0MCALW3H4RhnAIX5j5viyXL0qbE0
KNkM9S7sgei67RAl6XlAo/KQ8PNU5jWkjWMkGC0TdgeUI0H79R35sGBXKCWJ6w0v
mqCh2C5zX9yDzKQoQaFWi0UFzknO+178rGB9FIYBkF4CliQSji8yXhWSwa4K74+M
2AE=
-----END CERTIFICATE-----
subject=/CN=1804-repo
issuer=/CN=1804-repo
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1379 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
4F1F7BFC0A73D9CF792319A42D06FB553638D774A9DE31E66A0B094876E2C379
    Session-ID-ctx:
    Master-Key:
6274D9B869D4281E2A538171E282B74DF5476F7A1195E38E5DE6454DA14C2F57654048DC4A774985CE45F290111D976C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 54 47 a8 3a 25 5f 30 b2-4a d7 69 5a 6b 94 32 ff   TG.:%_0.J.iZk.2.
    0010 - 12 50 ab e7 8a 46 f4 15-2f 1d 4a 1f 8f fd 2c e4   .P...F../.J...,.
    0020 - d5 1a d8 06 74 0a 26 74-3d af 2a f6 81 72 40 33   ....t.&t=.*..r@3
    0030 - 9e 5a 49 a6 a4 3d c5 1c-2e 80 ea d6 30 25 00 4f   .ZI..=......0%.O
    0040 - 34 06 d8 38 a1 b5 2c 63-38 50 46 ac 15 36 ad dd   4..8..,c8PF..6..
    0050 - ed 10 3c 1e 35 6d 5d 11-46 ab 8f a5 51 8e 51 ea   ..<.5m].F...Q.Q.
    0060 - cb 22 13 7f 6e ea 8d 9b-08 07 6f 98 24 43 ab 70   ."..n.....o.$C.p
    0070 - bf b6 e9 37 b0 b9 51 aa-41 96 3d 55 25 ba 17 78   ...7..Q.A.=U%..x
    0080 - dc c0 d5 91 f0 4f 61 d5-c4 46 09 0b 2d c7 35 26   .....Oa..F..-.5&
    0090 - ed 2d 51 90 0b 29 08 51-5a 59 19 00 b8 95 ea 16   .-Q..).QZY......
    00a0 - c2 f2 c9 ed f9 13 df a5-c4 f6 d1 69 ba 84 9a c4   ...........i....
    00b0 - bd 68 c7 f1 7f d8 60 d4-27 b4 d4 3c a4 ef cc 5b   .h....`.'..<...[

    Start Time: 1528389796
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

So I suspect my whole problem stems from the *SSL
routines:ssl3_get_record:wrong version number* but I have no idea how to
resolve this.  I have tried searching for answers, but nothing seems to
help.  I inherited this problem and the folks who set this up are no longer
around to be able to ask questions.

Any assistance would be greatly appreciated.




--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: openssl problems

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of wazzu62
> Sent: Thursday, June 07, 2018 10:57

> Attempts to connect to the reverse proxy endpoint via a browser generate
> the following error in the apache log file

By "the apache log file", you mean the log for the origin server, behind the reverse proxy? Or the log file for the reverse proxy itself?

> [Tue May 29 09:14:36.494710 2018] [ssl:info] [pid 23700:tid 139947205977856]
> SSL Library Error: error:1408F10B:SSL routines:ssl3_get_record:wrong version
> number

What version of OpenSSL is Apache using? Or if it's not using OpenSSL, what TLS implementation is it using? (Presumably that appears in the log somewhere, and if not you can find it by running strings or similar against the OpenSSL library it's using.)

Assuming it's a fairly recent 1.0.2 build (i.e., a fairly up-to-date release of the LTS branch), there are a few places where the "wrong version number" error is produced. Here we see it's coming from ssl3_get_record. That could mean:

- OpenSSL received an SSL record that had a different version number than what the client sent in its ClientHello message. Could be due to a broken client, garbage on the wire, etc.

- OpenSSL received an SSL record that didn't have a major version number of 3. Major version 3 is used for SSLv3 and TLSv1, so basically for everything. (If you have a client that's using SSLv2, it's wasting its time; SSLv2 is hopelessly insecure.) So if the major version isn't 3, then something is quite wrong, AFAIK.

> When I run the following command on the server the reverse proxy is
> pointing
> to I get a similar error
> *openssl s_client -connect localhost:443*
> CONNECTED(00000003)
> 140508314333632:error:1408F10B:SSL routines:ssl3_get_record:wrong
> version
> number:../ssl/record/ssl3_record.c:252:

It looks to me like the server has a broken SSL configuration or a broken SSL implementation.

If you were running s_client against an endpoint that wasn't using SSL/TLS at all, I'd expect to see an earlier error, such as "unknown protocol", from openssl s_client.  So it looks like your server is sending a ServerHello in response to the ClientHello. After that it all goes wrong, though.

A wire trace might be informative, if the problem isn't obvious from inspecting the software and configuration being used by the origin server. Wireshark's SSL/TLS dissector does a decent job with the unencrypted parts of the conversation, and it doesn't look like you're getting far enough to have anything encrypted.

--
Michael Wojcik
Distinguished Engineer, Micro Focus




Re: openssl problems

Matt Caswell-2
In reply to this post by wazzu62


On 07/06/18 17:57, wazzu62 wrote:
> When I run the following command on the server the reverse proxy is pointing
> to I get a similar error
> *openssl s_client -connect localhost:443*
> CONNECTED(00000003)
> 140508314333632:error:1408F10B:SSL routines:ssl3_get_record:wrong version
> number:../ssl/record/ssl3_record.c:252:


Can you get a wireshark trace of the above? Or failing that, what is the
output from s_client if you add the "-debug" option?

Matt


Re: openssl problems

wazzu62
I will look into the wireshark trace
Here is the output with the debug option

CONNECTED(00000003)
write to 0x55f11344dea0 [0x55f11345f100] (176 bytes => 176 (0xB0))
0000 - 16 03 01 00 ab 01 00 00-a7 03 03 8c 1a 33 4f 8e   .............3O.
0010 - fb e3 3f 51 82 36 ae 38-5e 86 3c af d2 82 0f d9   ..?Q.6.8^.<.....
0020 - 1a 1c c6 8e 55 98 4e db-16 08 5a 00 00 38 c0 2c   ....U.N...Z..8.,
0030 - c0 30 00 9f cc a9 cc a8-cc aa c0 2b c0 2f 00 9e   .0.........+./..
0040 - c0 24 c0 28 00 6b c0 23-c0 27 00 67 c0 0a c0 14   .$.(.k.#.'.g....
0050 - 00 39 c0 09 c0 13 00 33-00 9d 00 9c 00 3d 00 3c   .9.....3.....=.<
0060 - 00 35 00 2f 00 ff 01 00-00 46 00 0b 00 04 03 00   .5./.....F......
0070 - 01 02 00 0a 00 0a 00 08-00 1d 00 17 00 19 00 18   ................
0080 - 00 23 00 00 00 16 00 00-00 17 00 00 00 0d 00 20   .#.............
0090 - 00 1e 06 01 06 02 06 03-05 01 05 02 05 03 04 01   ................
00a0 - 04 02 04 03 03 01 03 02-03 03 02 01 02 02 02 03   ................
read from 0x55f11344dea0 [0x55f113455ee3] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f                                    HTTP/
140415382974912:error:1408F10B:SSL routines:ssl3_get_record:wrong version
number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1528403881
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---





Re: openssl problems

Matt Caswell-2


On 07/06/18 21:40, wazzu62 wrote:
> read from 0x55f11344dea0 [0x55f113455ee3] (5 bytes => 5 (0x5))
> 0000 - 48 54 54 50 2f                                    HTTP/

Here is your problem. s_client sends a TLS ClientHello to the server.
And the server responds with HTTP!!! The server is not using TLS on that
port.

Matt

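The following is an added example and not code from any of the posts above. It ties Michael's description of the record-layer version check to Matt's diagnosis by decoding the bytes from the -debug output: it parses the 176-byte ClientHello s_client wrote, reads the five reply bytes the way ssl3_get_record() does (which is why "HTTP/" surfaces as "wrong version number"), and wraps the same check in a small probe you can point at a backend before spending time on certificates or ciphers. POSTED_CLIENT_HELLO and POSTED_REPLY are copied from the dump in the thread; serve_once() is a constructed stand-in for an origin that answers a ClientHello with plaintext HTTP, and the sample "HTTP/1.1 400 Bad Request" reply it sends is made up for the demo.

```python
"""Decode the bytes from the s_client -debug output in this thread.
Added example, not from the original posts: POSTED_* are copied from the dump,
serve_once() is a constructed stand-in for an origin answering in plaintext."""
import os
import socket
import struct
import threading

# The 176-byte ClientHello s_client wrote, reassembled from the hex dump.
POSTED_CLIENT_HELLO = bytes.fromhex(
    "160301 00ab 01 0000a7 0303"    # record hdr (handshake, 3.1, 171 B); ClientHello 167 B, legacy 3.3
    "8c1a334f8efbe33f518236ae385e863cafd2820fd91a1cc68e55984edb16085a"  # client random
    "00 0038 c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067"  # no session id; 28 suites
    "c00ac0140039c009c0130033009d009c003d003c0035002f00ff 0100 0046"  # ...; null compression; 70 B exts
    "000b000403000102 000a000a0008001d001700190018"  # ec_point_formats; groups x25519,P-256,P-521,P-384
    "00230000 00160000 00170000"    # session_ticket, encrypt_then_mac, extended_master_secret
    "000d0020001e060106020603050105020503040104020403030103020303020102020203"  # signature_algorithms
)
POSTED_REPLY = bytes.fromhex("48 54 54 50 2f")  # what the origin sent back: ASCII "HTTP/"
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def parse_record_header(data: bytes) -> dict:
    """Five bytes as ssl3_get_record() sees them: type, major, minor, length.
    A major version other than 3 is reported as "wrong version number";
    "HTTP/" decodes as type 0x48 ('H') and version 84.84 ("TT")."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"content_type": content_type, "version": (major, minor), "length": length,
            "looks_like_tls": major == 3 and content_type in CONTENT_TYPES}

def classify_reply(data: bytes) -> str:
    """Name what a peer returned for a ClientHello."""
    if len(data) < 5:
        return "closed-before-reply"
    header = parse_record_header(data)
    if header["looks_like_tls"]:
        return "tls:" + CONTENT_TYPES[header["content_type"]]
    return "plaintext-http" if data.startswith(b"HTTP/") else "not-tls"

def parse_client_hello(record: bytes) -> dict:
    """Pull record version, legacy version, cipher suites and extension types."""
    content_type, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:]
    if content_type != 22 or rec_len != len(body) or body[0] != 1:
        raise ValueError("not a ClientHello record")
    p = 4                                   # skip handshake type and 3-byte length
    legacy_version = (body[p], body[p + 1])
    p += 2 + 32                             # version, client random
    p += 1 + body[p]                        # length-prefixed session id
    (cs_len,) = struct.unpack("!H", body[p:p + 2])
    p += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                        # length-prefixed compression methods
    (exts_len,) = struct.unpack("!H", body[p:p + 2])
    p, end, extensions = p + 2, p + 2 + exts_len, []
    while p < end:                          # each extension: type, length, data
        ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
        extensions.append(ext_type)
        p += 4 + ext_len
    return {"record_version": (major, minor), "legacy_version": legacy_version,
            "cipher_suites": suites, "extensions": extensions}

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """The check s_client -debug let us do by eye: does this listener speak TLS at all?
    Sends the posted ClientHello with a fresh random and classifies the first 5 reply bytes."""
    hello = bytearray(POSTED_CLIENT_HELLO)
    hello[11:43] = os.urandom(32)           # client random occupies bytes 11..42
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        return classify_reply(sock.recv(5, socket.MSG_WAITALL))

def serve_once(reply: bytes) -> int:
    """Constructed stand-in for the misconfigured origin: answer one connection with `reply`."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def handle():
        with listener, listener.accept()[0] as conn:
            conn.recv(4096)                 # swallow the ClientHello, answer in plaintext
            conn.sendall(reply)

    threading.Thread(target=handle, daemon=True).start()
    return port

if __name__ == "__main__":
    sent = parse_client_hello(POSTED_CLIENT_HELLO)
    print("sent: record %d.%d, handshake %d.%d, %d suites, extensions %s" % (
        *sent["record_version"], *sent["legacy_version"],
        len(sent["cipher_suites"]), [hex(e) for e in sent["extensions"]]))
    print("got :", parse_record_header(POSTED_REPLY), "->", classify_reply(POSTED_REPLY))
    port = serve_once(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    print("probe of a plaintext listener ->", probe("127.0.0.1", port))
```

Run as a script it reports the ClientHello as record version 3.1 carrying handshake version 3.3 (the "Protocol : TLSv1.2" in the s_client summary), 28 cipher suites and six extensions, and classifies the posted reply as plaintext-http. Calling probe() against the origin on port 443 reproduces s_client's verdict in one word; "plaintext-http" means the listener behind the proxy must be given TLS (or the proxy must speak plain HTTP to it) before any certificate or cipher tuning can matter. One caveat on the thread's own reasoning: the `../ssl/record/ssl3_record.c` path in the error comes from the 1.1.x record layer, where this version check runs on the very first reply, so an "unknown protocol" error is not to be expected there the way it would be from the older client-hello code.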