troubleshooting ssl errors

Paul Greene
Hello All,

I'm trying to establish a connection between two servers for the purpose of data sharing.

On my end, these are the version numbers of everything I'm using
RHEL 7.4
wget 1.14
openssl 1.0.2k-fips

Not sure what's on the other end, other than it is a Linux server

When I run the connectivity tests, these are the errors I'm getting - you can see the commands run, the output that comes back (hostname and ip address are obfuscated)

Any suggestions?

PG


[root@hostname ~]# wget https://domain.name.com:8443 --secure-protocol=SSLv3 --debug
DEBUG output created by Wget 1.14 on linux-gnu.
 
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2017-10-10 22:20:20--  https://domain.name.com:8443/
Resolving domain.name.com (domain.name.com)... <ip.address>
Caching domain.name.com => <ip.address>
Connecting to domain.name.com (domain.name.com)|<ip.address>|:8443... connected.
Created socket 3.
Releasing 0x000000000186e340 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.
 
 
[root@hostname ~]# curl -k https://domain.name.com:8443 -insecure -v
* Couldn't find host domain.name.com in the .netrc file; using defaults
* About to connect() to domain.name.com port 8443 (#0)
*   Trying <ip.address>...
* Connected to domain.name.com (<ip.address>) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: troubleshooting ssl errors

Matt Caswell-2


On 11/10/17 03:57, Paul Greene wrote:
> [root@hostname ~]# wget https://domain.name.com:8443
> --secure-protocol=SSLv3 --debug
> DEBUG output created by Wget 1.14 on linux-gnu.

The "--secure-protocol=SSLv3" bit looks suspect. According to the wget
man page this forces only SSLv3 to be negotiated. If the server doesn't
support it (which is common) then you're out of luck. SSLv3 is very old,
insecure and generally should not be used. Setting "--secure-protocol"
to "auto" (the default) would be a better choice.

Matt

Re: troubleshooting ssl errors

Paul Greene
Thanks for the response Matt. The SSL 3 switch was one of many that were tried just for the sake of testing. I tried a few other switches, but am getting the same results.

I did a tcpdump of the attempted connection, and you can see that the initial connection is established, but the connection is immediately dropped after that.

We've been trying to determine if this is an openssl issue (misconfiguration, incompatibility, or whatever), a wget issue, or a network issue somewhere along the path between the two servers. My support end had me try the "no-check-certificate" option to remove the certificate on my server from the equation.

It always fails after trying to initialize the SSL handshake.


[root@hostname ~]# wget https://domain.name.com:8443 --debug
DEBUG output created by Wget 1.14 on linux-gnu.
 
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2017-10-11 08:45:19--  https://domain.name.com:8443/
Resolving domain.name.com (domain.name.com)... <ip.address>
Caching domain.name.com => <ip.address>
Connecting to domain.name.com (domain.name.com)|<ip.address>|:8443... connected.
Created socket 3.
Releasing 0x0000000002744320 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.
 
 
[root@hostname ~]# wget https://domain.name.com:8443 --no-check-certificate --debug
DEBUG output created by Wget 1.14 on linux-gnu.
 
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2017-10-11 08:49:26--  https://domain.name.com:8443/
Resolving domain.name.com (domain.name.com)... <ip.address>
Caching domain.name.com => <ip.address>
Connecting to domain.name.com (domain.name.com)|<ip.address>|:8443... connected.
Created socket 3.
Releasing 0x00000000017b0340 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.

On Wed, Oct 11, 2017 at 5:10 AM, Matt Caswell <[hidden email]> wrote:

> On 11/10/17 03:57, Paul Greene wrote:
> > [root@hostname ~]# wget https://domain.name.com:8443
> > --secure-protocol=SSLv3 --debug
> > DEBUG output created by Wget 1.14 on linux-gnu.
>
> The "--secure-protocol=SSLv3" bit looks suspect. According to the wget
> man page this forces only SSLv3 to be negotiated. If the server doesn't
> support it (which is common) then you're out of luck. SSLv3 is very old,
> insecure and generally should not be used. Setting "--secure-protocol"
> to "auto" (the default) would be a better choice.
>
> Matt


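Both tools in the thread stop at the same point: wget prints "SSL handshake failed" and curl/NSS prints PR_END_OF_FILE_ERROR ("Encountered end of file"), which is NSS's way of saying the peer closed the socket during the handshake. Neither output says whether the server answered the ClientHello with a TLS alert (a version or cipher mismatch, the case Matt's reply is about), with something that is not TLS at all, or with nothing before closing. The script below is an added example, not code from the thread or from wget, curl or OpenSSL: it sends a hand-built ClientHello (TLS 1.2 by default, or a legacy SSL 3.0 hello when asked, which is what --secure-protocol=SSLv3 forces) and classifies the first bytes that come back. The local fake_server is a constructed test double standing in for the remote :8443, and "domain.name.com" is the placeholder from the original post; run probe() against the real host to apply it.

```python
"""Classify what a TLS server does with a ClientHello (added example)."""
import os
import socket
import struct
import threading

# A few widely deployed cipher suites (IANA code points). The server's choice
# is not checked here; the probe only cares whether the server answers at all.
CIPHER_SUITES = (
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    0xC030,  # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    0x009C,  # TLS_RSA_WITH_AES_128_GCM_SHA256
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
)

# TLS AlertDescription values we want to name (RFC 5246 section 7.2).
ALERT_DESCRIPTIONS = {
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    112: "unrecognized_name",
}


def build_client_hello(server_name, version=0x0303):
    """Return a TLS record carrying a minimal ClientHello with an SNI extension.

    version is the hello's client_version: 0x0303 = TLS 1.2, 0x0300 = SSL 3.0.
    """
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext

    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        struct.pack("!H", version)
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # null compression only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit len
    # Record-layer version: 0x0301 is accepted by any TLS server; an SSL 3.0
    # hello keeps 0x0300 so the probe really looks like the legacy client.
    record_version = 0x0301 if version >= 0x0301 else version
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def classify_response(data):
    """Map the first bytes the server sent back to a diagnosis."""
    if not data:
        # Clean close with no TLS record: what wget/curl report in the thread.
        return {"result": "closed_without_tls_reply"}
    kind = data[0]
    if kind == 0x16:
        return {"result": "tls_handshake"}          # ServerHello: TLS is spoken here
    if kind == 0x15 and len(data) >= 7:
        level, desc = data[5], data[6]              # alert record: level, description
        return {"result": "tls_alert", "level": level,
                "description": ALERT_DESCRIPTIONS.get(desc, str(desc))}
    return {"result": "not_tls", "preview": data[:16]}   # e.g. plaintext HTTP on the port


def probe(host, port, server_name=None, version=0x0303, timeout=5.0):
    """Connect, send one ClientHello, and classify the first reply."""
    hello = build_client_hello(server_name or host, version)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            data = sock.recv(4096)
        except ConnectionResetError:
            return {"result": "connection_reset"}   # RST instead of FIN
        except socket.timeout:
            return {"result": "no_reply_before_timeout"}
    return classify_response(data)


def fake_server(reply):
    """Constructed test double: one-shot localhost server that reads the hello,
    sends `reply` (None = close silently) and hangs up. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            if reply is not None:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    alert = b"\x15\x03\x03\x00\x02\x02\x46"  # fatal (2) protocol_version (70)
    cases = [("silent close", None), ("TLS alert", alert),
             ("plaintext HTTP", b"HTTP/1.1 400 Bad Request\r\n\r\n")]
    for label, reply in cases:
        print(label, "->", probe("127.0.0.1", fake_server(reply), "domain.name.com"))
```

A "closed_without_tls_reply" or "connection_reset" result means the server (or something in the path) dropped the connection before sending any TLS record, so the client's protocol settings are not what is being rejected; a "tls_alert" result names the TLS-level reason, and "not_tls" means port 8443 is not speaking TLS to this client at all. Running the probe once with version=0x0303 and once with version=0x0300 shows directly whether the SSLv3 setting from the first post changes the server's behaviour.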