
Problem:

I am attempting to download records from a https webpage and continue getting the accompanying error:

OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure Unable to establish SSL connection.

From perusing sites online I assemble I need to give the server cert and the customer cert. I have discovered strides on the most proficient method to download the server cert yet not the customer cert. Does anybody have a total arrangement of steps to utilize wget with SSL? I additionally attempted the --no-check-certificate alternative however that didn't work.

wget version: wget-1.13.4
openssl version: OpenSSL 1.0.1f 6 Jan 2014

 

by (7.5k points)   | 273 views

2 Answers

0 votes

Solution :

It works from here with same OpenSSL variant, however a more current rendition of wget (1.15). Taking a gander at the Changelog there is the accompanying critical change in regards to your concern:

1.14: Add support for TLS Server Name Indication.

Note that this site doesn't require SNI. Be that as it may, www.coursera.org requires it. What's more, in the event that you would call wget with -v --debug (as I've expressly prescribed in my remark!) you will see:

$ wget https://class.coursera.org
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Location: https://www.coursera.org/ [following]
Connecting to www.coursera.org (www.coursera.org)|54.230.46.78|:443... connected.
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.

So the error really occurs with www.coursera.org and the explanation is missing help for SNI. You have to overhaul your rendition of wget.

by (36.1k points)  
0 votes

Solution:

You only need to install the new version of git or set a configuration setting to use tls1.2 to resolve this issue. If you are running Windows this is probably the case. If you are running an older version of a UNIX operating system this may not be the case.

Explanation:

Building git requires curl and openssl, and if these are out of date it can cause this error as well. For example, you could download the latest version of curl and build that from source, and then build a new version of git from source as well, but if this was all done on a system where your openssl is out of date and doesn't support tls1.2 properly, your newly built version of git and curl are not going to function.

Follow these steps

Using yum or yast to upgrade your openssl, curl and git packages should resolve this error. If you just need the setting to make git use tls1.2, here it is:

git config --global --add http.sslVersion tlsv1.2
git config --global --add http.sslbackend openssl

Here are some examples of debugging the error.

The initial error message

git clone https://github.com/some/repo.git
Cloning into 'reponame'...
fatal: unable to access 'https://github.com/some/repo.git': error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

Setting debug in the environment

export GIT_CURL_VERBOSE=1

The expanded error details with debug

git clone https://github.com/some/repo.git
Cloning into 'ngrep'...
Couldn't find host github.com in the .netrc file; using defaults
About to connect() to github.com port 443 (# 0)
Trying 192.30.253.112...
* Connected to github.com (192.30.253.112) port 443 (# 0)
successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs/
error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
Expire cleared
Closing connection # 0
fatal: unable to access 'https://github.com/some/repo.git': error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

Checking curl's functionality

curl https://github.com/some/repo.git
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

curl --version
curl 7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.7 libidn/1.10
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Here you can see that curl is using an older version of openssl and git is reporting the exact same error because it's built against the same out-of-date shared libraries from openssl. Now, assuming that you have already built the latest version of openssl, you could just need to run ldconfig to update your linker loader, like so:

$ ldconfig

If this doesn't resolve the issue it could be that you still need to update openssl or you need to build and install the newer version and then try it again. If it's linked properly you'll see the version of openssl change to the new build in the curl version output.

curl -V
curl 7.59.0 (x86_64-pc-linux-gnu) libcurl/7.59.0 OpenSSL/1.1.0g zlib/1.2.7
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy

At this point you should be able to test curl against the git URL. As long as that is working and not returning any errors, your git should be working as well assuming you're on the latest version.

 

by (10k points)  
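
The two answers above turn on two different OpenSSL errors, 14077410 (handshake failure, traced to missing SNI) and 1407742E (protocol version, traced to an outdated TLS library). The following is an added example, not code from either answer: it decodes those packed error codes and maps the TLS alert to the cause each answer describes. The function names are hypothetical, and the bit layout is the one OpenSSL 1.0.x uses for the codes printed on this page.

```shell
#!/bin/sh
# Added example: decode the packed OpenSSL 1.0.x error codes quoted above
# and map the TLS alert number to the likely client-side cause.

# decode_ssl_err HEX -> "lib=<n> func=<n> reason=<n> alert=<n|->"
# Layout (ERR_GET_LIB/FUNC/REASON in 1.0.x): 8 bits lib, 12 func, 12 reason.
decode_ssl_err() {
    code=$(( 0x$1 ))
    lib=$(( (code >> 24) & 0xff ))
    func=$(( (code >> 12) & 0xfff ))
    reason=$(( code & 0xfff ))
    alert=-
    # In the SSL library (lib 20), reasons >= 1000 are 1000 plus the alert
    # number the peer sent (SSL_AD_REASON_OFFSET).
    if [ "$lib" -eq 20 ] && [ "$reason" -ge 1000 ]; then
        alert=$(( reason - 1000 ))
    fi
    echo "lib=$lib func=$func reason=$reason alert=$alert"
}

# alert_hint N -> triage hint for the two alerts seen on this page
alert_hint() {
    case "$1" in
        40) echo "handshake_failure: check client SNI support" ;;
        70) echo "protocol_version: client TLS library too old" ;;
        *)  echo "no hint for alert $1" ;;
    esac
}

# triage_log: read client output on stdin, print one line per OpenSSL error
triage_log() {
    grep -o 'error:[0-9A-Fa-f]\{8\}:' | while IFS=: read -r pre hex rest; do
        d=$(decode_ssl_err "$hex")
        echo "$hex $d $(alert_hint "${d##*alert=}")"
    done
}

# Sample input, constructed from the error lines quoted on this page.
sample_log() {
cat <<'EOF'
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
EOF
}

sample_log | triage_log
```

To confirm a hint against a live server, `openssl s_client -connect HOST:443 -servername HOST` sends SNI explicitly, and adding `-tls1_2` forces TLS 1.2.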