7 Replies. Latest reply: Feb 7, 2017 3:34 AM by rgirdlestone .

OpenSSL getversion error

Ken Vance

Hi, we are seeing an SSL error on our SSHs, and it's affecting SSL optimisation.


SH01 sport[115899]: [ssl/SrvServerConnect.WARN] 61504127 {CLIENT:63114 SVR:443} Failure in the OpenSSL library, look at the error stack

SH01 sport[115899]: [ssl/SrvServerConnect.WARN] 61504127 {CLIENT:63114 SVR:443} error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

SH01 sport[115899]: [ssl/SrvServerConnect.WARN] 61504127 {CLIENT:63114 SVR:443} Sending a message to the client sport about server handshake failure

SH01 sport[115899]: [ssl/SrvServerConnect.WARN] 61504127 {CLIENT:63114 SVR:443} Temporarily disabling interception of SSL for Client = 0.0.0.0 Server = <SVRIP>:443 cn = <SVRNAME> - SSL handshake between server-side Steelhead appliance and server


Now it's inconsistent. I clear the server from the bypassed server list and there are definitely optimised connections. However, after a short while the above errors appear again and the server is bypassed once more, with different client IPs appearing in the log output.


We have a valid certificate configured.


Has anyone seen this before? I can't find a reference to it on Splash but g**gle knows it for other applications.

  • Re: OpenSSL getversion error
    rgirdlestone .

    Hi again, Ken


    The command only changes the way the SH shakes hands with the backend server, so it is only the SSH that needs it. Basically it will trust any certificate signed by CAs that it has never heard of. My thinking is to use it to find out if it is a trust issue or something more complex within TLS. My only concern is that it is inconsistent. However, it will tell us something.


    I can't think of any problems that it will cause.


    However, are you going through a load balancer? That might be why it works sometimes and not others. The SSL may be terminated there, as opposed to the server itself. As such we could get different results.


    Rupert

  • Re: OpenSSL getversion error
    Ken Vance

    Hi all, thanks for your help.


    A little more info.


    Using ssl-connect, I'm able to discern that TLSv1.1 and TLSv1.2 give us the above error: 'wrong version number'.


    Now we are using RIOS 9.2. Does this version support/try TLSv1 or SSLv3 by default?


    On an earlier RIOS version I'm seeing that optimisation still works.
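    The 'wrong version number' check behind the log line in the original post, as an added example that is not part of this thread or of Riverbed's code: it decodes the 5-byte record header that OpenSSL's SSL3_GET_RECORD reads and, unlike OpenSSL, separates a genuine version mismatch (the TLSv1.1/TLSv1.2 probes above) from bytes that are not TLS at all, which is what a device answering in plaintext on 443 would produce. The sample byte strings are constructed.

```python
"""Decode the 5-byte TLS record header that OpenSSL's SSL3_GET_RECORD reads
and explain why it would report 'wrong version number'.  Added example;
sample byte strings are constructed, not taken from the thread."""
import struct

# Record-layer protocol versions as they appear on the wire (major, minor).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def check_record_header(data, expected):
    """Classify the first record in `data`.

    `expected` is the (major, minor) version the two sides negotiated.
    OpenSSL raises 'wrong version number' whenever the header's version
    field differs from it; that covers both a real version mismatch and
    bytes that are not TLS at all (e.g. a plaintext HTTP reply on port 443).
    This function tells the two cases apart so the log can be read correctly.
    """
    if len(data) < 5:
        return {"ok": False, "reason": "short header"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    version = VERSIONS.get((major, minor))
    if ctype not in CONTENT_TYPES or version is None:
        # OpenSSL itself would still log 'wrong version number' here.
        return {"ok": False, "reason": "not a TLS record",
                "first_bytes": data[:5]}
    if (major, minor) != expected:
        return {"ok": False, "reason": "wrong version number",
                "got": version, "expected": VERSIONS[expected]}
    return {"ok": True, "type": CONTENT_TYPES[ctype],
            "version": version, "length": length}


# Constructed samples: a TLS 1.2 handshake record (ServerHello body stubbed),
# the same record from a server answering with TLS 1.0, and a plaintext
# HTTP reply of the kind an SSL-terminating device might send instead.
SERVER_HELLO_TLS12 = bytes([0x16, 0x03, 0x03, 0x00, 0x31]) + b"\x02" + b"\x00" * 0x30
SERVER_HELLO_TLS10 = bytes([0x16, 0x03, 0x01, 0x00, 0x31]) + b"\x02" + b"\x00" * 0x30
PLAINTEXT_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("tls12", SERVER_HELLO_TLS12),
                          ("tls10", SERVER_HELLO_TLS10),
                          ("http", PLAINTEXT_HTTP)]:
        print(label, check_record_header(sample, (3, 3)))
```

    Feeding the first bytes captured from the server side of a failing connection into check_record_header shows whether the peer really negotiated a different version or never spoke TLS at all.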

    • Re: OpenSSL getversion error
      rgirdlestone .

      Hi Ken


      This is from the 9.2 release notes. The first point seems relevant. BTW, thanks, I forgot about the SSL CONNECT command.


      • TLS 1.2 Support - Transport Layer Security (TLS) 1.2 is enabled by default and upon upgrade for client-side and server-side SteelHeads for improved security.
      • OpenSSL 1.0.2 Support - The SteelHead support for the SSL protocol stack is based on OpenSSL 1.0.2. This version includes support for Camellia ciphers, krb5 ciphers, and ECDHE cipher negotiation.
      • SafeNet Hardware Security Module (HSM) Support for SSL Certificates - You can store proxy private keys and certificates on SafeNet Luna HSM devices for SSL optimization.
      • SHA2 Support for Proxy Certificate - The SteelHead uses SHA-512 for proxy certificate signature hash.
      • Subject Alternative Name (SAN) with SSL Proxy Certificate - Includes Subject Alternative Name field checking when the SteelHead returns a proxy certificate.