Unable to establish SSL connection, how do I fix my SSL cert?
I’m trying to wget to my own box, and it can’t be an internal address in the wget (so says another developer). When I wget, I get this:
wget http://example.com
--2013-03-01 15:03:30--  http://example.com/
Resolving example.com... 172.20.0.224
Connecting to example.com|172.20.0.224|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.example.com/ [following]
--2013-03-01 15:03:30--  https://www.example.com/
Resolving www.example.com... 172.20.0.224
Connecting to www.example.com|172.20.0.224|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

openssl s_client -connect example.com:443
CONNECTED(00000003)
15586:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:
While if I do the same command on another site, it shows the entire cert. Perhaps the ssl cert was never setup in the conf file on Apache for that domain? If so, what should I be specifying in the virtualhost? Is there any alternative other than specifying --no-check-certificate because I don’t want to do that?
Enable SSL/TLS on the port at the server. The error usually means HTML (served over HTTP) is being interpreted as an SSL record (as if it was served over HTTPS). Also see the following on creating a certificate with all required names and IP addresses (and not just one name): How can I generate a self-signed certificate with SubjectAltName using OpenSSL.
This error happens when OpenSSL receives something other than a ServerHello in a protocol version it understands from the server. It can happen if the server answers with plain (unencrypted) HTTP. It can also happen if the server only supports e.g. TLS 1.2 and the client does not understand that protocol version. Normally, servers are backwards compatible to at least SSL 3.0 / TLS 1.0, but maybe this specific server isn’t (by implementation or configuration).
It is unclear whether you attempted to pass --no-check-certificate or not. I would be rather surprised if that would work.
A simple test is to use wget (or a browser) to request http://example.com:443 (note the http:// , not https:// ); if it works, SSL is not enabled on port 443. To further debug this, use openssl s_client with the -debug option, which right before the error message dumps the first few bytes of the server response which OpenSSL was unable to parse. This may help to identify the problem, especially if the server does not answer with a ServerHello message. To see what exactly OpenSSL is expecting, check the source: look for SSL_R_UNKNOWN_PROTOCOL in ssl/s23_clnt.c .
In any case, looking at the apache error log may provide some insight too.
Not able to access HTTPS link. Getting ssl connection error?
I have enabled the default-ssl site on my Ubuntu Linux server. When I load the site with Google Chrome I get this error:
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don’t have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
[Fri Apr 04 16:29:33 2014] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1 mod_perl/2.0.5 Perl/v5.14.2 configured -- resuming normal operations
/usr/sbin/apachectl: 87: ulimit: error setting limit (Operation not permitted)
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  127.0.1.1 (/etc/apache2/sites-enabled/default-ssl:2)
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default:1)
Syntax OK

/usr/sbin/apachectl: 87: ulimit: error setting limit (Operation not permitted)
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
Syntax OK
Invalid method in request \x16\x03\x01
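The two questions above show the same mismatch from opposite ends. OpenSSL's "unknown protocol" means the client got plaintext HTTP where it expected a ServerHello, and Apache's "Invalid method in request \x16\x03\x01" means a plaintext vhost received the first three bytes of a TLS handshake record (content type 0x16, record version 3.1) and tried to parse them as an HTTP method. The Python script below is an added example, not code from either question or its answers: classify decodes the first bytes read from a socket the way openssl s_client -debug dumps them, and probe_plaintext repeats the answer's "request http://host:443" test over a raw socket, which needs no wget. The sample byte strings are constructed for the example.

```python
"""Tell a TLS record from plaintext HTTP by looking at the first bytes on the wire."""
import re
import socket

# A TLS record starts with: content type (1 byte), legacy record version (2 bytes),
# length (2 bytes). A ClientHello goes out as a Handshake record (0x16) whose record
# version is almost always 3.1 (TLS 1.0) for compatibility, whatever version the client
# really wants; that is why Apache logged exactly "\x16\x03\x01".
TLS_CONTENT_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}
# Plaintext HTTP: a status line from a server, a request line from a client, or raw HTML.
HTTP_START = re.compile(rb"(HTTP/\d\.\d |GET |POST |HEAD |PUT |DELETE |OPTIONS |<!DOCTYPE|<html)",
                        re.IGNORECASE)


def classify(data: bytes) -> str:
    """Describe the first bytes read from a socket: TLS record, plaintext HTTP, or neither."""
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3 and data[2] <= 4:
        what = TLS_CONTENT_TYPES[data[0]]
        if data[0] == 0x16 and len(data) >= 6:      # handshake message type follows the header
            what += " " + HANDSHAKE_TYPES.get(data[5], f"type {data[5]}")
        desc = f"TLS record: {what}, record version {TLS_VERSIONS[(data[1], data[2])]}"
        if len(data) >= 5:
            desc += f", length {int.from_bytes(data[3:5], 'big')}"
        return desc
    if HTTP_START.match(data):
        return "plaintext HTTP (the port is not speaking TLS)"
    return "unrecognised: " + data[:8].hex()


def probe_plaintext(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a plaintext HTTP request to `port` and classify the reply: the answer's
    'wget http://host:443' test. A TLS-enabled port answers with an Alert record or
    just closes; a plaintext vhost answers with HTTP (the 302 seen in the question)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            reply = sock.recv(64)
        except socket.timeout:
            return "no reply within timeout"
    if not reply:
        return "connection closed without a reply (typical for a TLS port given plaintext)"
    return classify(reply)


# Constructed samples: a ClientHello header as a plaintext vhost sees it, the three bytes
# Apache logged, an Alert a TLS port sends back to plaintext, and what a plain-HTTP vhost
# returns when asked for https://
SAMPLES = {
    "client_hello": bytes.fromhex("16030100c4010000c00303"),
    "apache_log":   b"\x16\x03\x01",
    "alert":        bytes.fromhex("15030300020246"),
    "http_on_443":  b"HTTP/1.1 302 Found\r\nLocation: https://www.example.com/\r\n\r\n",
    "html_on_443":  b"<!DOCTYPE html><html><body>oops</body></html>",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:13} {classify(sample)}")
```

Run probe_plaintext against your own host and port 443 from a separate machine: "plaintext HTTP" confirms the vhost has no SSLEngine on that port, which is the fix both answers point at, and no amount of --no-check-certificate will help because certificate checking never gets a chance to run.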
Troubleshooting TLS/SSL
Debugging TLS/SSL connections and protocols can be daunting due to their complexity. Here are some troubleshooting tips.
Separate client and server
Whenever testing TLS/SSL connections over the network, it’s best to really separate the client and the server. Remember that the crypto library configuration file (openssl.cnf for OpenSSL) is read by the library itself, so it applies to both the client and the server running on that host, not just to one of them. Running the client and the server on separate systems, each with its own configuration file, therefore makes the results simpler to analyse: a change meant for the server cannot silently alter the client too.
Tools
Here are some tools to help troubleshooting a TLS/SSL configuration.
OpenSSL server and client apps
The OpenSSL server and client tools are very handy to quickly bring up a server with a selection of ciphers and protocols and test it with a client. Being part of OpenSSL, these tools will also initialize the library defaults directly from the OpenSSL config file, so they are very useful to test your configuration changes.
To bring up an OpenSSL server, a certificate with a private key is needed. There are many ways to generate a pair, and here is a quick one:
$ openssl req -new -x509 -nodes -days 30 -out myserver.pem -keyout myserver.key
Answer the questions as you prefer, but the one that needs special attention is the commonName (CN), which should match the hostname of this server. Current browsers and most other clients match the name against the certificate’s subjectAltName rather than the CN, so for anything beyond a quick s_client test add -addext subjectAltName=DNS:hostname to the openssl req command above (OpenSSL 1.1.1 or later). Then bring up the OpenSSL server with this command:
$ openssl s_server -cert myserver.pem -key myserver.key
That will bring up a TLS/SSL server on port 4433. Extra options that can be useful:
- -port N : Set a port number (older OpenSSL releases spell this option -accept N). Remember that ports below 1024 require root privileges, so use sudo if that’s the case.
- -www : Will send back a summary of the connection information, like ciphers used, protocols, etc.
- -tls1_2 , -tls1_3 , -no_tls1_3 , -no_tls1_2 : Enable only the mentioned protocol version, or, with the no_ prefix variant, disable it.
- -cipher : Use the specified cipher string for TLS1.2 and lower.
- -ciphersuite : Use the specified string for TLS1.3 ciphers.
The client connection tool can be used like this when connecting to server:
$ echo | openssl s_client -connect server:port 2>&1 | grep ^New
That will generally show the TLS version used, and the selected cipher:
$ echo | openssl s_client -connect j-server.lxd:443 2>&1 | grep ^New
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
The ciphers and protocols can also be selected with the same command line options as the server:
$ echo | openssl s_client -connect j-server.lxd:443 -no_tls1_3 2>&1 | grep ^New
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
$ echo | openssl s_client -connect j-server.lxd:443 -no_tls1_3 -cipher DEFAULT:-AES256 2>&1 | grep ^New
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
The sslscan tool
The sslscan tool comes from a package with the same name, and it will scan a server and list the supported algorithms and protocols. It’s super useful for determining if your configuration has really disabled or enabled a particular cipher or TLS version.
To use the tool, point it at the server you want to scan:
And you will get a report of the ciphers and algorithms supported by that server. Consult its manpage for more details.
References
- OpenSSL s_server
- OpenSSL s_client
- sslscan
- https://badssl.com: excellent website that can be used to test a client against a multitude of certificates, algorithms, key sizes, protocol versions, and more.
3 Ways to Check SSL Connection error
SSL Connection error is the most common error between client and server. It tells us that a secure connection to the server could not be established, but not why, which is what makes it hard for users to act on.
In this article, we will cover how an SSL connection is established and three ways to check for the cause of an SSL Connection error.
How is SSL connection established?
- The client sends a ClientHello offering the protocol versions and cipher suites it supports. The server picks one and responds by sending its X.509 digital certificate to the client.
- The client receives the server’s X.509 digital certificate.
- The client authenticates the server by validating the certificate chain against its list of trusted certificate authorities and checking that a name in the certificate matches the host it connected to.
- With the legacy RSA key exchange, the client generates a random pre-master secret and encrypts it using the server’s public key. With (EC)DHE key exchange, which TLS 1.3 requires, both sides instead contribute ephemeral Diffie-Hellman values and the server’s private key only signs the exchange.
- The client and server now both derive the same symmetric session keys and use them to encrypt and authenticate the information contained in the client request and the server response.
What is SSL certificate
Server certificates are the most popular type of X.509 certificate. SSL/TLS certificates are issued to hostnames (machine names like ‘ABC-SERVER-02’ or domain names like google.com).
A server certificate is a file installed on a website’s origin server. It is a data file containing the public key and the identity of the website owner, along with other information such as the validity period and the issuing CA. Without a server certificate, a website’s traffic can’t be encrypted with TLS.
Technically, any website owner can create their own server certificate, and such certificates are called self-signed certificates. However, browsers do not trust self-signed certificates at all unless the certificate (or a private CA that issued it) has been explicitly installed in the client’s trust store, whereas certificates issued by a publicly trusted certificate authority are accepted out of the box.
Check SSL Connection from network side
We need to check the network connectivity between client and server first to make sure we can reach the remote server’s port (443 for HTTPS; the examples below show port 22 only to illustrate the syntax).
Here are 6 different ways to do this. Nothing extra needs to be installed for the two Python options, which use only the standard library.
- Use nc command:
nc -zvw10 192.168.0.1 22
- Use nmap command:
nmap 192.168.0.1 -p 22
- Use telnet command:
telnet 192.168.0.1 22
- Use python telnet module
- Use python socket module
- Use curl command
Check SSL Certificate info on remote server
We can check the SSL certificate for the following problems.
- The SSL certificate is not installed properly
- The SSL certificate has expired
- The SSL certificate chain is incomplete or in the wrong order
Check SSL handshake process between client and server
We have some commands to check the SSL handshake process.
From the command output, we can narrow down the cause of the SSL/TLS connection issue and locate the root cause.
curl is an open source tool available on Windows 10, Linux and Unix. It is designed to transfer data and supports many protocols, HTTPS among them, so it can also be used to test a TLS connection. Note that --tlsv1.1 sets the lowest version curl will accept, not the exact version, so the server may still negotiate TLS 1.2 or 1.3.
- Test connection with a given TLS version: curl -v https://google.com --tlsv1.1
- Test with a given CipherSuite and TLS version: curl -v https://google.com --ciphers ECDHE-ECDSA-CHACHA20-POLY1305 --tlsv1.1
openssl is an open source toolkit and its s_client subcommand acts as a TLS client to test the connection to a remote server. This is helpful to isolate a client-side cause.
- Test a particular TLS version: openssl s_client -host google.com -port 443 -tls1_1
- Test with a given ciphersuite: openssl s_client -host google.com -port 443 -cipher ECDHE-RSA-AES256-GCM-SHA384
Unlike curl’s --tlsv1.1, -tls1_1 pins exactly that version, so it only succeeds against a server that still offers TLS 1.1 (google.com no longer does), and many current OpenSSL builds refuse TLS 1.0 and 1.1 at their default security level; a failure here points at the server or at your OpenSSL build, not at the certificate. -cipher applies to TLS 1.2 and earlier only; TLS 1.3 suites are selected with -ciphersuites.
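The checks above and the OpenSSL s_server / s_client section of the Ubuntu guide earlier on this page are the same procedure: pin the version or cipher on one side and read what the other side negotiated. The Python script below is an added example, not the guide’s or this article’s own code. It runs that procedure against a throw-away server on the loopback interface so it works offline, using the ssl module in place of s_server and s_client and calling the openssl binary only to mint a one-day self-signed certificate for localhost; the TlsServer class, the file names and the kernel-chosen port are this example’s own assumptions. probe returns the negotiated version and cipher and the peer certificate, from which cert_days_left does the "certificate has expired" check from the list above, and demo also shows the two handshake failures a practitioner meets most often: a client that insists on TLS 1.3 against a TLS 1.2-only server, and a certificate whose name does not match the host.

```python
"""Negotiate TLS in-process and report version, cipher and certificate facts."""
import functools
import socket
import ssl
import subprocess
import tempfile
import threading
import time
from pathlib import Path


def make_self_signed(dirpath: Path, name: str = "localhost"):
    """Mint a throw-away 1-day self-signed cert with `openssl req`, like the guide's
    command but with a subjectAltName, which is what modern clients actually check."""
    key, cert = str(dirpath / "server.key"), str(dirpath / "server.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", f"/CN={name}", "-addext", f"subjectAltName=DNS:{name}",
                    "-keyout", key, "-out", cert], check=True, capture_output=True)
    return key, cert


class TlsServer:
    """Stand-in for `openssl s_server -www`; max_version plays the role of -tls1_2 / -no_tls1_3."""

    def __init__(self, cert, key, max_version=ssl.TLSVersion.TLSv1_3):
        self.ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self.ctx.load_cert_chain(certfile=cert, keyfile=key)
        self.ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        self.ctx.maximum_version = max_version
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))            # kernel-chosen free port
        self.sock.settimeout(0.2)                   # lets the accept loop notice close()
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.running = True
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while self.running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            conn.settimeout(5)
            try:
                with self.ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"HTTP/1.0 200 OK\r\n\r\n" + tls.version().encode())
            except (ssl.SSLError, OSError):
                pass                                # handshake failed; the client reports why
            finally:
                conn.close()

    def close(self):
        self.running = False
        self.sock.close()


def probe(port, cafile, server_hostname="localhost",
          min_version=ssl.TLSVersion.TLSv1_2, max_version=ssl.TLSVersion.TLSv1_3, ciphers=None):
    """Client side, like `openssl s_client -connect ... [-tls1_2|-no_tls1_3] [-cipher ...]`.
    Verifies the chain against cafile and the name against the SAN, as a browser would.
    Returns (version, cipher, peer_cert) or ("error", reason, None)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version, ctx.maximum_version = min_version, max_version
    if ciphers:                                     # TLS 1.2 suites only; 1.3 suites are fixed
        ctx.set_ciphers(ciphers)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            return tls.version(), tls.cipher()[0], tls.getpeercert()
    except ssl.SSLError as exc:
        return "error", exc.reason or str(exc), None


def cert_days_left(peer_cert: dict) -> float:
    """Days until notAfter: the article's 'certificate has expired' check (negative = expired)."""
    return (ssl.cert_time_to_seconds(peer_cert["notAfter"]) - time.time()) / 86400


@functools.lru_cache(maxsize=None)
def demo() -> dict:
    """Run the checks from the sections above against a local server."""
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = make_self_signed(Path(tmp))
        srv = TlsServer(cert, key)
        ver, cipher, peer = probe(srv.port, cert)
        results = {
            "default": (ver, cipher),                                       # expect TLSv1.3
            "days_left": cert_days_left(peer),
            "san": peer["subjectAltName"],
            "no_tls1_3": probe(srv.port, cert, max_version=ssl.TLSVersion.TLSv1_2)[:2],
            "wrong_name": probe(srv.port, cert, server_hostname="www.example.com")[:2],
        }
        srv.close()
        old = TlsServer(cert, key, max_version=ssl.TLSVersion.TLSv1_2)     # like s_server -tls1_2
        results["client_needs_1_3"] = probe(old.port, cert, min_version=ssl.TLSVersion.TLSv1_3)[:2]
        old.close()
        return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:17} {outcome}")
```

Two details carry over from the guide: set_ciphers governs TLS 1.2 suites only, mirroring the -cipher versus -ciphersuite split, and both failure cases surface on the client as an SSLError whose reason string (TLSV1_ALERT_PROTOCOL_VERSION, CERTIFICATE_VERIFY_FAILED) names the cause, which is where to look before reaching for --no-check-certificate or curl -k.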