openssl problems

wazzu62 <jon.page@xxxxxxxx> · Thu, 7 Jun 2018 09:57:26 -0700 (MST)

I will preface this with the fact I am not an ssl expert.

I am trying to resolve an issue I am having with apache and a reverse proxy
that I think is ssl related.
Attempts to connect to the reverse proxy endpoint via a browser generate the
following error in the apache log file

[Tue May 29 09:14:36.494710 2018] [ssl:info] [pid 23700:tid 139947205977856]
SSL Library Error: error:1408F10B:SSL routines:ssl3_get_record:wrong version
number

When I run the following command on the server the reverse proxy is pointing
to I get a similar error
*openssl s_client -connect localhost:443*
CONNECTED(00000003)
140508314333632:error:1408F10B:SSL routines:ssl3_get_record:wrong version
number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1528389016
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

If I run that same command on the front end server running apache that has
the reverse proxy configuration I get the following

 *openssl s_client -connect localhost:443*
CONNECTED(00000003)
depth=0 CN = 1804-repo
verify return:1
---
Certificate chain
 0 s:/CN=1804-repo
   i:/CN=1804-repo
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICzjCCAbagAwIBAgIJAPiVKPiTG4FhMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
BAMMCTE4MDQtcmVwbzAeFw0xODAzMjIyMjUyMzNaFw0yODAzMTkyMjUyMzNaMBQx
EjAQBgNVBAMMCTE4MDQtcmVwbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAK3w7ErX2bo7ijEx0jEGi+MzkceAIU6km0G7+q9wRJ7u7qy1HMvfynjKQnrK
AmIqwPsKr4kJl4m/cn6Wv1u7E53ZEiNpjs8qO73xOS/C/Sqs0f9vbBFNu1DYGcFZ
MtJVWSvPz9aPUnNu5IfL6tUI/yRThKa6YXrjOX35NxxmvK0eQMROGx9LJ8Hz9/Ld
4z0znsLgZFOQL1ssx4xDzJ6M5hnaTBOkfJn/yDiaEOH4RlRKE9rBi5BD6wPa5jIC
L9SU2+1VkicWZUoYyXI4N7EYS8dznYMpVaQbUTjsKktgN0R8zZXTdF84CFkI8w11
Buacbsf8B4Ea8qqUSvVoFdreANMCAwEAAaMjMCEwCQYDVR0TBAIwADAUBgNVHREE
DTALggkxODA0LXJlcG8wDQYJKoZIhvcNAQELBQADggEBAIHKZbF97JWPrw058upQ
7cngDwOOKYQDkOo1HWWfAfK2rWeBvwEDvZmebM8S6Sx9ccJxjf80o17tJA6dJ+Uz
KR2ip45VCbwK64SpKAeKfnqgTEvliUV7eMCjpG6pP+MuTnKCglRtAtS9TiEddj1A
h13uXDl2kInNyU+Hbk65mFRWsX4f7JTTDqMB0MCALW3H4RhnAIX5j5viyXL0qbE0
KNkM9S7sgei67RAl6XlAo/KQ8PNU5jWkjWMkGC0TdgeUI0H79R35sGBXKCWJ6w0v
mqCh2C5zX9yDzKQoQaFWi0UFzknO+178rGB9FIYBkF4CliQSji8yXhWSwa4K74+M
2AE=
-----END CERTIFICATE-----
subject=/CN=1804-repo
issuer=/CN=1804-repo
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1379 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
4F1F7BFC0A73D9CF792319A42D06FB553638D774A9DE31E66A0B094876E2C379
    Session-ID-ctx:
    Master-Key:
6274D9B869D4281E2A538171E282B74DF5476F7A1195E38E5DE6454DA14C2F57654048DC4A774985CE45F290111D976C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 54 47 a8 3a 25 5f 30 b2-4a d7 69 5a 6b 94 32 ff  
TG.:%_0.J.iZk.2.
    0010 - 12 50 ab e7 8a 46 f4 15-2f 1d 4a 1f 8f fd 2c e4  
.P...F../.J...,.
    0020 - d5 1a d8 06 74 0a 26 74-3d af 2a f6 81 72 40 33  
....t.&t=.*..r@3
    0030 - 9e 5a 49 a6 a4 3d c5 1c-2e 80 ea d6 30 25 00 4f  
.ZI..=......0%.O
    0040 - 34 06 d8 38 a1 b5 2c 63-38 50 46 ac 15 36 ad dd  
4..8..,c8PF..6..
    0050 - ed 10 3c 1e 35 6d 5d 11-46 ab 8f a5 51 8e 51 ea  
..<.5m].F...Q.Q.
    0060 - cb 22 13 7f 6e ea 8d 9b-08 07 6f 98 24 43 ab 70  
."..n.....o.$C.p
    0070 - bf b6 e9 37 b0 b9 51 aa-41 96 3d 55 25 ba 17 78  
...7..Q.A.=U%..x
    0080 - dc c0 d5 91 f0 4f 61 d5-c4 46 09 0b 2d c7 35 26  
.....Oa..F..-.5&
    0090 - ed 2d 51 90 0b 29 08 51-5a 59 19 00 b8 95 ea 16  
.-Q..).QZY......
    00a0 - c2 f2 c9 ed f9 13 df a5-c4 f6 d1 69 ba 84 9a c4  
...........i....
    00b0 - bd 68 c7 f1 7f d8 60 d4-27 b4 d4 3c a4 ef cc 5b  
.h....`.'..<...[

    Start Time: 1528389796
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

So I suspect my whole problem stems from the *SSL
routines:ssl3_get_record:wrong version number* but I have no idea how to
resolve this.  I have tried searching for answers, but nothing seems to
help.  In inherited this problem and the folks who set this up are no longer
around to be able to ask questions.

Any assistance would be greatly appreciated.

--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users