Ssl – error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error

Tags: http, ssl, ssl-certificate, tcp

I have tried searching for this, and I have found things that are close, but I have not found anything that helps so far. I apologize in advance if this is already asked.

I have a service which is behind an HTTP VIP, and that is working fine. Now I am trying to add a TCP VIP and do TLS termination on the host, but when I run cURL to test if it is working (please let me know if there is a better way to test the connection), I get the following error, and I do not know what it means. From what I have read from this link, I think it is something to do with the certificate step not working, but I do not know how to figure out why it is not working.

Does anyone know what I am doing wrong or how to go about troubleshooting this? If I need to provide any additional information, please let me know. I am not very experienced with networking, so a lot of this is new to me.

% curl -v https://my-tcp-vip.example.com/explorer/model.json
*   Trying 192.0.2.x...
* TCP_NODELAY set
* Connected to my-tcp-vip.example.com (192.0.2.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error

If it is of any use, I am using the following version of cURL.

% curl --version
curl 7.54.0 (x86_64-apple-darwin18.0) libcurl/7.54.0 LibreSSL/2.6.5 zlib/1.2.11 nghttp2/1.24.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy 

Update

After running openssl s_client, I get the following output:

openssl s_client -connect my-tcp-vip.example.com:443
CONNECTED(00000005)
4791412332:error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL alert number 80
4791412332:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1569522740
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

I am still not that familiar with networking. Does this mean there is something wrong with the certificate or pem file or key file or what else does this mean? I am sorry if this is a dumb question. I have just never really done much networking work before.

Update 2

Here is the openssl s_client command using -msg.

openssl s_client -connect my-tcp-vip.example.com:443 -msg
CONNECTED(00000005)
>>> TLS 1.2 Handshake [length 00c3], ClientHello
    01 00 00 bf 03 03 9f b4 25 72 5a d7 be aa 41 ba
    4c a6 e0 a9 88 13 98 86 09 a0 bb a6 67 69 95 aa
    44 4c ef 8a 21 86 00 00 60 c0 30 c0 2c c0 28 c0
    24 c0 14 c0 0a 00 9f 00 6b 00 39 cc a9 cc a8 cc
    aa ff 85 00 c4 00 88 00 81 00 9d 00 3d 00 35 00
    c0 00 84 c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 00
    9e 00 67 00 33 00 be 00 45 00 9c 00 3c 00 2f 00
    ba 00 41 c0 11 c0 07 00 05 00 04 c0 12 c0 08 00
    16 00 0a 00 15 00 09 00 ff 01 00 00 36 00 0b 00
    02 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00
    23 00 00 00 0d 00 1c 00 1a 06 01 06 03 ef ef 05
    01 05 03 04 01 04 03 ee ee ed ed 03 01 03 03 02
    01 02 03
<<< TLS 1.2 Alert [length 0002], fatal internal_error
    02 50
4598130284:error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL alert number 80
4598130284:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1569525554
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Thank you so much for your help.

Best Answer

Adding the server name as follows worked for me:

openssl s_client -connect server.com:443 -servername server.com
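The answer above works because the termination host selects its certificate by the SNI name in the ClientHello, and without one it aborts with the fatal internal_error alert (alert number 80, the `02 50` bytes in the -msg dump). The script below is an added example, not code from the question or the answer: it decodes that alert body and runs the handshake once with and once without SNI so the two outcomes can be compared; the host name is a placeholder taken from the question.

```python
import socket
import ssl

# TLS alert descriptions that show up in handshake failures (RFC 5246 7.2, RFC 6066).
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

def decode_alert(payload):
    """Decode a two-byte TLS alert body, e.g. bytes.fromhex('0250') from the -msg output."""
    if len(payload) != 2:
        raise ValueError("a TLS alert body is exactly two bytes: level, description")
    level, desc = payload
    return (ALERT_LEVELS.get(level, "level_%d" % level),
            ALERT_DESCRIPTIONS.get(desc, "alert_%d" % desc))

def handshake(host, port=443, sni=True, timeout=5.0):
    """Attempt one TLS handshake; return (succeeded, detail). sni=False omits the SNI extension."""
    ctx = ssl.create_default_context()
    if not sni:
        # With server_hostname=None Python sends no SNI; hostname checking must be
        # off for that, but chain verification stays on.
        ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
                return True, tls.version()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, getattr(exc, "reason", None) or str(exc)

def diagnose(with_sni_ok, without_sni_ok):
    """Turn the pair of handshake results into the next troubleshooting step."""
    if with_sni_ok and not without_sni_ok:
        return "server requires SNI: use -servername or a client that sends it"
    if with_sni_ok and without_sni_ok:
        return "handshake fine either way: look at the HTTP layer instead"
    if not with_sni_ok and not without_sni_ok:
        return "fails even with SNI: check the cert, key and chain loaded on the VIP"
    return "only works without SNI: the name routes to a misconfigured backend"

if __name__ == "__main__":
    host = "my-tcp-vip.example.com"  # placeholder host from the question
    print(decode_alert(bytes.fromhex("0250")))
    ok_sni, detail_sni = handshake(host, sni=True)
    ok_nosni, detail_nosni = handshake(host, sni=False)
    print(diagnose(ok_sni, ok_nosni), detail_sni, detail_nosni)
```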