On 03/05/2019 16:18, ramakrushna mishra wrote:
> Hi,
>
> When client(openssl) is configured with TLSv1 and Server(java) was configured
> with TLSv1_2, then in openssl version 1.1.0e we used to get the error code
> : 337002677( 0x141640B5). But with openssl 1.1.1 upgrade the error code changed
> to 337285301 (0x141A90B5). Moreover Earlier in java also we used to see
> "javax.net.ssl.SSLHandshakeException: Caused by: Remote host closed connection
> during handshake " exception at the server end which is not seen now.
>
> Following are my doubts.
>
> 1) Has anyone noticed this change ?
> 2) Where these error codes ( 337002677) and (337285301) defined ?

You can use the command line "errstr" utility for the relevant openssl
version to check their meanings.

For 1.1.0e:

$ openssl errstr 141640B5
error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available

For 1.1.1:

$ openssl errstr 141A90B5
error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available

You can also get your application to generate these human readable error
strings using the appropriate functions:

https://www.openssl.org/docs/man1.1.1/man3/ERR_error_string.html

Error codes are highly version specific and may change from one version to
another. We do not provide any guarantee that the same error will always
produce the same error code - so you should not rely on them remaining
static.

The different components of the error string tell you different things
about the cause of the error. "SSL routines" tells us that the error came
from libssl. "tls_construct_client_hello" tells us the name of the function
in the source code that generated the error. Finally "no ciphers available"
tells us specifically what the error was.

In this case "no ciphers available" means that there are no configured
ciphersuites that are suitable for use in your configuration. For example
if your client is configured to only use TLSv1 but you've only configured
ciphersuites suitable for use in TLSv1.2 then you will get this error.

(Incidentally it seems very strange to use 1.1.0/1.1.1 but then restrict the
client to using TLSv1 only - I'd recommend using the highest protocol
version available for the library in use)

This error occurs in the "tls_construct_client_hello" function (in 1.1.0e)
which is very early in the handshake process. It occurs during construction
of the very first message sent by the client (the ClientHello).

It appears that in 1.1.1 the function that does this check has changed. It
is now done in "ssl_cipher_list_to_bytes". This function is called from
"tls_construct_client_hello". This is why the error code has changed - but
it is the same underlying cause.

> 3) Why the java server will not throw the exception any more ?

Looking at the code it appears that in 1.1.0e the client just abandons the
connection attempt without sending any error alert to the server. In 1.1.1
it now sends an "internal_error" alert first. This is most likely the cause
of the change of behaviour on the server side.

Matt

>
> Any help is highly appreciated.
>
> Thanks and Regards,
> Ram Krushna
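
The following is an added example, not part of the original message and not OpenSSL's own code: it splits the two codes quoted above into their library, function and reason fields to show that only the function field differs. The helper names (err_decode, err_same_cause) are hypothetical, and the bit layout is the one used by the 1.1.0/1.1.1 releases discussed here, re-implemented inline so it builds without the OpenSSL headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Packed error-code layout in OpenSSL 1.1.0/1.1.1, mirroring the
 * ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros in <openssl/err.h>:
 *   bits 31..24 = library, bits 23..12 = function, bits 11..0 = reason.
 * Later major versions use a different layout, so this is version specific. */
struct err_parts {
    unsigned lib;     /* 20 is ERR_LIB_SSL, printed as "SSL routines" */
    unsigned func;    /* function that raised the error; changes between versions */
    unsigned reason;  /* 181 is SSL_R_NO_CIPHERS_AVAILABLE */
};

/* Hypothetical helper: unpack one error code into its three fields. */
struct err_parts err_decode(uint32_t code)
{
    struct err_parts p;
    p.lib = (code >> 24) & 0xFFu;
    p.func = (code >> 12) & 0xFFFu;
    p.reason = code & 0xFFFu;
    return p;
}

/* Hypothetical helper: two codes describe the same underlying error when
 * library and reason match, even if the reporting function differs. */
int err_same_cause(uint32_t a, uint32_t b)
{
    struct err_parts pa = err_decode(a), pb = err_decode(b);
    return pa.lib == pb.lib && pa.reason == pb.reason;
}

int main(void)
{
    /* The two decimal codes quoted in the message above (1.1.0e, 1.1.1). */
    const uint32_t codes[2] = { 337002677u, 337285301u };

    for (int i = 0; i < 2; i++) {
        struct err_parts p = err_decode(codes[i]);
        printf("%u = error:%08X lib=%u func=%u reason=%u\n",
               (unsigned)codes[i], (unsigned)codes[i], p.lib, p.func, p.reason);
    }
    printf("same underlying cause: %s\n",
           err_same_cause(codes[0], codes[1]) ? "yes" : "no");
    return 0;
}
```

Log matching or alerting that has to survive a library upgrade is better keyed on the reason string from ERR_error_string than on the packed number, for the reason given in the message above.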