SSL routines:ssl3_get_record:wrong version number with OpenSSL 1.1.1d

Posted: Mon Jan 13, 2020 4:44 am
by rocketgib
Hello,

I've been browsing around these forums and it appears that there is some sort of trend when it comes to SSL connectivity via CURL to the latest version of Document Server.

I've been fighting for over a month after mysteriously my document server is no longer accessible to Nextcloud. After further review, it appears that I am getting this error constantly in the error log:

[onlyoffice] Error: HealthcheckRequest on check error: cURL error 35: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

PUT /apps/onlyoffice/ajax/settings/address
from 72.210.119.86 by koori at 2020-01-13T04:34:54+00:00

To add to this, we are using LetsEncrypt. We just recently upgraded our certificate too. The server is accessible via Port 443 just fine (from my browser). However, I have a port mapping to 80 from 9080 internally in my config file (for the service listener). It seems nothing I've found really has the answer to this but I've verified that my certificates are valid and are installed properly by certbot. My document server is running on Docker as well, and the container has been rebuilt several times just to troubleshoot.

My NGINX error log is also spamming this (IP address omitted for security):

2020/01/13 03:38:33 [crit] 11551#11551: *173835 SSL_do_handshake() failed (SSL: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low) while SSL handshaking, client: 72.xxx.xxx.xxx, server: 0.0.0.0:443
2020/01/13 03:39:33 [crit] 11551#11551: *173850 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 72.xxx.xxx.xxx, server: 0.0.0.0:443

I just checked and OpenSSL is currently running at 1.1.1d, which is the latest version for Ubuntu 18.

Also, I did try a suggestion for Nextcloud and add the "verify_peer_off" option but to no avail either.

Has anyone come across this before? Any suggestions on where to begin?

Re: SSL routines:ssl3_get_record:wrong version number with OpenSSL 1.1.1d

Posted: Fri Jan 17, 2020 11:20 am
by Alexandre
Hello rocketgib.
Please provide us some additional information:
1. Did the error occur after the SSL cert update?
2. Did you stop all services which used port 80 before the cert update?
3. Am I right that setting 'verify_peer_off' to true in the Nextcloud config file didn't have any result?
4. Check your updated cert via https://www.sslshopper.com/certificate-decoder.html. Tell us if the service notifies you about any issue.