The Linux Page

Trouble with SSL certificates...

Today we discovered that our SSL system on our server broke when we upgraded the server to Ubuntu 8.10 (Intrepid).

The technical error message is rather cryptic:

    SSL connect error; error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 ...
        ... alert unexpected message (https://secure.example.com/path.php)

I also get this message from HttpRequest (in our PHP server running with Apache):

    Empty or too short HTTP message

And according to some people, if the load of your server is too high, you may get that error. So I guess that error is just not describing what the error really is because our load is very small (1% processor...)

As you can see, the SSL breaks, but it does not tell us why. Just that something broke.

Testing with curl, I found out that there was no certificate for the SSL system to work, so says curl at least:

*   CAfile: none
    CApath: /etc/ssl/certs

The error is pretty clear, right?

I found a site where the error is inverted. The CAfile is found, but not the path.

*   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: none

The solution, in this case, is to make sure that you have the CA certificate package installed. This is done with sudo and apt-get like this:

    > sudo apt-get install ca-certificates

This will install the ca-certificates.crt file. In my case, however, the file is there and looks proper.

Now when I try to find out what package it is from, that fails:

    > dpkg -S /etc/ssl/certs/ca-certificates.crt
    dpkg: /etc/ssl/certs/ca-certificates.crt not found.

But the CAfile/CApath may be either way and it works with curl on the command line!

However, I found a page on PHP.net with the error and that's definitely the same problem I'm having. This was with PHP 5.2. The interesting thing is that they have one more line to set up the HttpRequest; they set up two options like this:

    $o = array(
        'redirect' => '3',          // follow up to 3 redirects
        'ssl' => array(
            'version' => '3',       // force SSL version 3
            'verifyhost' => '1'     // verify the host name in the certificate
        )
    );

By adding that code to my PHP function the HttpRequest started working again just like before. I think the problem was with the SSL version, although it is not clear. It could have been the redirect, but the error had nothing to do with a redirect (any 3xx response from the destination server, usually 301 or 302, though it can be any number between 300 and 399 inclusive).

I use the $o variable with the HttpRequest::setOptions() function before calling send() and it works!

curl & FTP problem

Hmmm.... Just like that, I'm not too sure. First of all, I would suggest you use ssh (i.e. scp) instead of ftps. FTP is notoriously insecure.

You may also want to try with --ftp-ssl-reqd. Your old FTP may have had a non-encrypted fallback that was used silently. This new FTP may force you to have a valid SSL certificate which, if not present, errs.

This being said, that change won't solve your current problem. You already use -k (--insecure) therefore even if the certificates are not signed, it should still work.

Next, I would try with -1, -2 and -3. That specifies the SSL version as 1, 2 or 3. (Probably -2 is what you're using.) This was the solution for me in PHP. So I could imagine that you have the same problem.

If that does not work, I'd test some more with SSH to try to see what errors it generates...

Hope this helps!
Thank you.
Alexis
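The following script is an added example; it is not code from the original post, from curl, or from either commenter. It pulls the CAfile/CApath values out of saved curl -v output (the sample text embedded in the script is constructed from the lines quoted in the article, not captured from a live connection), checks whether the CA bundle curl was pointed at actually contains certificates, and, given a URL, tries the protocol-version switches suggested in the reply above (-1, -2 and -3 are the short forms of --tlsv1, --sslv2 and --sslv3) with verification left on, that is with an explicit --cacert and without -k. That probe is the command-line counterpart of pinning the SSL version in the PHP option array earlier in the article. The function names and the default bundle path are the script's own choices; the path itself is the one from the article. On Debian and Ubuntu that bundle is generated by update-ca-certificates from /usr/share/ca-certificates rather than unpacked from the ca-certificates package, which is why dpkg -S does not list it even when the package is installed.

```shell
#!/bin/sh
# Added example (not from the original post, from curl or from the commenters).
# Helpers to read the CA locations curl reports, sanity-check the CA bundle,
# and probe a server with each SSL/TLS version switch, verification left on.

# Constructed sample of `curl -v` output, built from the lines quoted in the
# post; it was not captured from a live connection.
CURL_VERBOSE_SAMPLE='* successfully set certificate verify locations:
*   CAfile: none
    CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):'

# Default bundle path, as in the post (on Debian/Ubuntu this file is generated
# by update-ca-certificates, so dpkg -S does not know it even when the
# ca-certificates package is installed).
DEFAULT_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# Read `curl -v` output on stdin and print one line: CAfile=<v> CApath=<v>
ca_locations() {
    awk '
        /CAfile:/ { sub(/.*CAfile:[ \t]*/, ""); sub(/[ \t]+$/, ""); cafile = $0 }
        /CApath:/ { sub(/.*CApath:[ \t]*/, ""); sub(/[ \t]+$/, ""); capath = $0 }
        END { printf "CAfile=%s CApath=%s\n", cafile, capath }
    '
}

# Number of PEM certificates in a bundle file; 0 if the file does not exist.
pem_cert_count() {
    if [ -f "$1" ]; then
        grep -c 'BEGIN CERTIFICATE' "$1" || true
    else
        echo 0
    fi
}

# Summarise a bundle as "missing", "empty" or "ok <count>".
ca_bundle_status() {
    if [ ! -f "$1" ]; then
        echo missing
        return 0
    fi
    n=$(pem_cert_count "$1")
    if [ "$n" -eq 0 ]; then
        echo empty
    else
        echo "ok $n"
    fi
}

# Network part: try each protocol-version switch (-1/-2/-3 are the short forms
# of these) against URL and report which handshake completes. Verification is
# kept on: an explicit --cacert and no -k, so a bad or absent bundle shows up
# as a curl error instead of being silently ignored.
tls_version_probe() {
    url=$1
    bundle=${2:-$DEFAULT_BUNDLE}
    for flag in --tlsv1 --sslv3 --sslv2; do
        rc=0
        err=$(curl -sS -o /dev/null --cacert "$bundle" "$flag" "$url" 2>&1) || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "$flag: handshake and verification ok"
        else
            echo "$flag: failed (curl exit $rc): $err"
        fi
    done
}

# Stand-alone use: with a URL, check the bundle and probe the server;
# without one, just parse the embedded sample.
if [ "$#" -gt 0 ]; then
    echo "bundle $DEFAULT_BUNDLE: $(ca_bundle_status "$DEFAULT_BUNDLE")"
    tls_version_probe "$1"
else
    printf '%s\n' "$CURL_VERBOSE_SAMPLE" | ca_locations
fi
```

Run it with an https:// URL to see which version switch the server accepts while the certificate is still checked against the bundle; for the FTP case in the comment below, the same loop applies once --ftp-ssl-reqd is added to the curl line. A "missing" or "empty" bundle status explains a "CAfile: none" line directly, and a probe that only succeeds with --sslv3 reproduces the PHP workaround from the article at the protocol level rather than fixing the certificate store.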

Same problem / suggestion?

I'm using the following command as a backup script:

curl -v -k -T "$file" --ftp-ssl ftp://********* -u *********:*********

This worked before but it has to send the backup to a different backup machine now and it won't work. Other systems can send ftp using the same command to the backup server. Same error message as described in your article on this machine:

* Doing the SSL-TLS handshake on the data stream
* successfully set certificate verify locations:
* CAfile: none
    CApath: /etc/ssl/certs
* SSL re-using session ID
* SSLv3, TLS handshake, Client hello (1):
[data not shown]
* Unknown SSL protocol error in connection to *******:21
curl: (35) Unknown SSL protocol error in connection to *******:21

Any suggestions/ideas on how to make this work again?

Regards
Jordan