Fix SSL negotiation failed - apache

I installed : "cpan isntall Crypt::SSLeay" So the error from "fs.cgi: ERROR 500 SSL negotiation failed:" Changed to "
failed while requesting fs.cgi: SSL negotiation failed: at /usr/local/share/perl5/LWP/Protocol/http.pm line 25 at /usr/local/share/perl5/LWP/Protocol/http.pm line 25
"
How to fix this? I searched this forum but the issue is still there. I have two servers first server is accessing the server 2, both have different ssl certificates.
Apache on CentOS 6. Please explain the solution properly.

This issue was fixed by opening port 443 on both servers.

This error occurs due to problem in SSL. Some SSL certificates won't be enabled to cover the emails. Or in your server the devocot or imap was not installed to connect SSL. I experience the same problem and its fixed by simply turning off the SSL or make it to TLS to connect the email it fixed. May be this solution help someone in future

Related

How to solve "error:1408F10B:SSL routines:ssl3_get_record:wrong version number"?

I am new to HTTPs. In our application to integrate with another system we were given HTTPs URLs along with their certificates. Our team added those certificates in the test store. Now when we are sending request on those URLs, we are getting “Unsupported or unrecognized SSL message”.
And if I do curl -v on that URL, I get error:1408F10B:SSL routines:ssl3_get_record:wrong version number.
Is it problem on our side or this need to be fixed by other systems who shared those URLs with us.
Both of these errors are due to the same reason?
It is very likely that the server does not speak TLS at all.
The client will start with the TLS handshake and the server will reply to this with some non-TLS response. The client expect the server to do its part of the TLS handshake though. Thus it will try to interpret the servers as response as TLS. This will lead to strange error messages depending on the TLS stack used by the client.
With OpenSSL based stacks it will often result in wrong version number, since the trying to extract the TLS version number for the expected TLS record and get some unexpected results since the server did not actually send a TLS record.
Is it problem on our side or this need to be fixed by other systems who shared those URLs with us.
If this is exact the URL you are supposed to use (i.e. no simply changing of http:// to https:// on your site) then it is likely a server side problem. But it might also be a problem of some middlebox or software in the network path to the server, like some antivirus, firewall or captive portal hijacking your data and denying access to the remote system with an error message.
In my case, I had on apache2 another badly configured virtual host. On the other wrong virtual host there was a http virtual server on port 443!!!
The second virtual host was correct but apache cannot use different protocols on the same port for different virtual hosts.
After removing the http on port 443 configuration all other https hosts worked and error
error:1408F10B:SSL routines:ssl3_get_record:wrong version number"
disapeared

Ubuntu Server 16.04 error 60: SSL certificate problem

Ubuntu server 16.04 PHP7.4 Apache2 running wordpress Geotrust SHA256 certificate
I have started getting the following error
cURL error 60: SSL certificate problem: unable to get local issuer certificate
I have read through and tried most solutions on the many questions on here, but to no avail
The latest 2 i have tried is adding to php.ini the following 2 lines and restarted Apache and rebooted after each one to see if it solves the issue. But it does not
After downloading a fresh copy of cacert.pem The first one i tried was
curl.cainfo = "/path/to/cacert.pem"
Then i tried
openssl.cafile = "/path/to/cacert.pem"
But i still get the same error
Any assistance greatly appreciated.
Many thanks
This is likely to be a server problem ("unable to get local issuer certificate" often is):
Even when using a CA bundle to verify a server cert, you might still experience problems if your CA store does not contain the certificates for the intermediates if the server doesn't provide them.
The TLS protocol mandates that the intermediate certificates are sent in the handshake, but as browsers have ways to survive or work around such omissions, missing intermediates in TLS handshakes still happen that browser-users won't notice.
Browsers work around this problem in two ways: they cache intermediate certificates from previous transfers and some implement the TLS "AIA" extension that lets the client explicitly download such cerfificates on demand.
To figure out for sure if this is your problem, use a TLS test service like perhaps this one: https://www.ssllabs.com/ssltest/

How do I use SMTP on a test development server?

I am building an ecommerce website on a local Windows 7 pro (Apache/php) test server with a self-signed SSL. I have the mydomain.com in the hosts file redirecting to localhost - so far so good.
When I try to use the email function of the ecommerce software via Gmail smtp, I am getting an SSL error:
[23-Apr-2018 03:00:06 America/New_York] Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed [C:\Apache24\htdocs\includes\classes\vendors\PHPMailer\class.smtp.php line 379]
[23-Apr-2018 03:00:06 America/New_York] SMTP Error: Could not connect to SMTP host.
[23-Apr-2018 03:00:06 America/New_York] CLIENT -> SERVER: QUIT
I thought about just getting a cheap CA SSL and installing it on the server but I'm not sure this will work, since the Gmail smtp server is obviously not using my hosts file. This is just a guess at this point.
Question I'd like answered is, 1, will installing CA cert resolve the issue, and 2. if not, what is your strategy to have a functional email on a test server with domain in hosts file?
Thank you,
David
I added the following to the function responsible for smtp connection. Warning, only to be used on completely secure environment, your own test server, never on a live server.
$options["ssl"]=array("verify_peer"=>false,"verify_peer_name"=>false,"allow_self_signed"=>true);

Cloudflare - 525 SSL handshake failed

I switched with my Domain to Cloudflare and now I'm trying to use CloudFlare's SSL Feature.
I already own a SSL cert from StartSSL so I would be possible to set the settings to 'Full (Strict)' but I don't want to so I turned it to 'Full'.
Now I'm getting 525 Errors, after a 'Retry for a live Version' everything is okay.
But I'm getting this Error everytime.
Has anyone an idea ?
Thank you
Picture of my Error
Change Cloudflare SSL/TLS encryption mode in to Flexible. it worked for me.
A 525 error indicates that CloudFlare was unable to contact your origin server and create a SSL connection with it.
This can be due to:
Your servers not having matching or compatible SSL Ciphers
Your website may not have a certificate installed properly
Your website may not have a dedicated IP OR is not configured to use SNI
Attempt to contact your hosting provider for assistance to ensure that your SSL certificate is setup correctly. If you are using a control panel, a quick google search can help you find a install guide for that said control panel.
Visit SSL/TLS tab in Cloudflare. Then:
Switch Your SSL/TLS encryption mode to Flexible.
Make sure to switch On "Always Use HTTPS" under "Edge Certificate" tab.
This will transfer all your request from Http to Https automatically. And if you'll implement custom SSL certificate on your hosting server then this 525 error will automatically disappear without changing anything on Cloudflare.
Got the same problem a few days ago.
Our DevOps contacted support and found out that Cloudflare changed certificate type or smth in that way. Asked to return everything back.
That helped.
I went through the same problem today and found that (at least in my case) it was the lack of TLS v1.3
I had just made a server using nginx + php-fpm and a self signed ssl to use below CloudFlare proxy.
When I switched from the production server to this new one, it gave error 525.
I gave the command: curl -I https://your_server_public_ip/ and it returned the error:
error: 1408F10B: SSL routines: ssl3_get_record: wrong version number
This error is described in the CloudFlare community at:
https://community.cloudflare.com/t/community-tip-fixing-error-525-ssl-handshake-failed/44256
There they advise turning off TLS v1.3 on the CloudFlare panel, but I decided to try installing it.
Using nginx is so easy that I don’t know why to have it shut down.
Only add TLSv1.3 like this-> ssl_protocols TLSv1.2 TLSv1.3; in your nginx/snippets/ssl-params.conf file (default Ubuntu 20 and 18) that will work and you still use the latest and most secure protocols.

intermittent SSL handshake error nginx

Since a week or so I'm having a SSL problem on my Nginx server intermittently.
I know there are a few other topics on this problem on stackoverflow but none of those answers seem to apply
1 Its a real problem because when I'm working on the site it just suddenly dies on me and gives me SSL error in Chrome (Version 44.0.2403.155):
SSL connection error
ERR_SSL_PROTOCOL_ERROR
And it happens on FF as well.
2 Server isn't running out of memory (no sign of OOM ran and top all seems ok as well)
3 No updates available for either Nginx (1.8.0) or OpenSSL (OpenSSL 1.0.1e 11 Feb 2013) running on Debian (7.8)
4 I do not have any special 3rd party libraries installed (just the standard nginx, mariadb, php via fpm setup no email server)
My log has these entries:
[crit] 15592#15592: *317414 SSL_do_handshake() failed (SSL: error:1408A0D7:SSL > routines:SSL3_GET_CLIENT_HELLO:required cipher missing) while SSL handshaking,
Server has NTP installed to make sure server time is in sync (right?).
When I experience the problem and give it a few minutes and reload the page it works again but it keeps happening. It doesn't seem to be happening often to other people looking at my logs.
The solution I ended up with:
I had multiple server blocks using the same SSL cert for a few special subdomains and removing that solved the problem completely..
So basically it seems I can only use the CERT in one block (even though its a wildcard cert).. I think the problem is not with the cert but with Nginx accessing the CERT files or something. Using the cert or a regex for multiple subdomains did work (so having only 1 server block with the cert but then defining the domain as *.domain.com)
You could try and look into this to solve it.
https://forum.nginx.org/read.php?2,256373