openssl s_client connection fails


openssl s_client connection fails

Patrice Guérin-2
Hello,

I experience the following on Linux Debian 9 (openssl 1.1.0l) :
When using openssl s_client to connect on a site, I get the following

CONNECTED(00000003)
3072988928:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1407:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : 0000
     Session-ID:
     Session-ID-ctx:
     Master-Key:
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1605691623
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
     Extended master secret: no
---

The same arises with -tls1, -tls1_1 and -tls1_2.
So I've built the latest 1.1.1h and tested it in the same conditions and
it works in all cases...

Does anybody have an idea on what's going wrong ?

Thank you in advance.
Kind regards
Patrice.

Re: openssl s_client connection fails

Matt Caswell-2


On 18/11/2020 11:24, Patrice Guérin wrote:
> 3072988928:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
> handshake failure:../ssl/record/rec_layer_s3.c:1407:SSL alert number 40

This is a very generic "something went wrong" alert that is being
received from the server and could be due to any number of issues. Do
you have access to the server in question? If so there may be more clues
in the server logs that might explain it.

> Does anybody have an idea on what's going wrong ?

One thing that springs to mind that often goes wrong is SNI handling.
s_client changed between 1.1.0 and 1.1.1 to always provide SNI by
default. If the server requires SNI then it could explain this
behaviour. You can add SNI in 1.1.0 by using the "-servername" command
line option followed by the name of the server in question, e.g.

$ openssl s_client -connect www.openssl.org -port 443 -servername www.openssl.org

Matt

>
> Thank you in advance.
> Kind regards
> Patrice.
>

Fwd: Re: openssl s_client connection fails

Patrice Guérin-2
Hi All,
Sorry, send to [hidden email] missing.

Patrice.

-------- Forwarded message --------
Subject: Re: openssl s_client connection fails
Date: Wed, 18 Nov 2020 11:40:33 +0000
From: Matt Caswell [hidden email]
To: [hidden email]


On 18/11/2020 11:24, Patrice Guérin wrote:
> 3072988928:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
> handshake failure:../ssl/record/rec_layer_s3.c:1407:SSL alert number 40

This is a very generic "something went wrong" alert that is being
received from the server and could be due to any number of issues. Do
you have access to the server in question? If so there may be more clues
in the server logs that might explain it.

> Does anybody have an idea on what's going wrong ?

One thing that springs to mind that often goes wrong is SNI handling.
s_client changed between 1.1.0 and 1.1.1 to always provide SNI by
default. If the server requires SNI then it could explain this
behaviour. You can add SNI in 1.1.0 by using the "-servername" command
line option followed by the name of the server in question, e.g.

$ openssl s_client -connect www.openssl.org -port 443 -servername www.openssl.org

Matt

> 
> Thank you in advance.
> Kind regards
> Patrice.
>