Unable to establish SSL connection upon wget on Ubuntu 14.04 LTS
... right now it happens only to the website I'm testing. I can't post it here because it's confidential.
Then I guess it is one of the sites which is incompatible with TLS1.2. The openssl as used in 12.04 does not use TLS1.2 on the client side while with 14.04 it uses TLS1.2 which might explain the difference. To work around try to explicitly use --secure-protocol=TLSv1. If this does not help check if you can access the site with openssl s_client -connect ... (probably not) and with openssl s_client -tls1 -no_tls1_1 -no_tls1_2 ...
Please note that there might be other causes, but this one is the most probable and without getting access to the site everything is just speculation anyway.
The assumed problem in detail: Usually clients use the most compatible handshake to access a server. This is the SSLv23 handshake which is compatible with older SSL versions but announces the best TLS version the client supports, so that the server can pick the best version. In this case wget would announce TLS1.2. But there are some broken servers which never assumed that one day there would be something like TLS1.2 and which refuse the handshake if the client announces support for this hot new version (from 2008!) instead of just responding with the best version the server supports. To access these broken servers the client has to lie and claim that it only supports TLS1.0 as the best version.
Is Ubuntu 14.04 or wget 1.15 not compatible with TLS 1.0 websites? Do I need to install/download any library/software to enable this connection?
The problem is the server, not the client.
Most browsers work around these broken servers by retrying with a lower version. Most other applications fail permanently if the first connection attempt fails, i.e. they don't downgrade by themselves and one has to enforce another version by some application specific settings.
Unable to establish SSL connection, how do I fix my SSL cert?
SSL23_GET_SERVER_HELLO:unknown protocol
This error happens when OpenSSL receives something other than a ServerHello in a protocol version it understands from the server. It can happen if the server answers with a plain (unencrypted) HTTP. It can also happen if the server only supports e.g. TLS 1.2 and the client does not understand that protocol version. Normally, servers are backwards compatible to at least SSL 3.0 / TLS 1.0, but maybe this specific server isn't (by implementation or configuration).
It is unclear whether you attempted to pass --no-check-certificate or not. I would be rather surprised if that would work.
A simple test is to use wget (or a browser) to request http://example.com:443 (note the http://, not https://); if it works, SSL is not enabled on port 443. To further debug this, use openssl s_client with the -debug option, which right before the error message dumps the first few bytes of the server response which OpenSSL was unable to parse. This may help to identify the problem, especially if the server does not answer with a ServerHello message. To see what exactly OpenSSL is expecting, check the source: look for SSL_R_UNKNOWN_PROTOCOL in ssl/s23_clnt.c.
In any case, looking at the apache error log may provide some insight too.
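The first-bytes check described in the answer above, as an added example (not code from the original answer or from OpenSSL): a Python function that classifies the start of a server reply, such as the bytes openssl s_client -debug dumps before the error. The function name, lookup tables and byte strings are constructed for illustration.

```python
# Added example: classify the first bytes a server sends back on a TLS port.
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
          70: "protocol_version", 80: "internal_error", 112: "unrecognized_name"}
RECORD_TYPES = (20, 21, 22, 23)  # change_cipher_spec, alert, handshake, app data
HTTP_PREFIXES = (b"HTTP/", b"<!DOC", b"<html", b"<HTML")


def classify_first_bytes(data: bytes) -> str:
    """Return a short diagnosis for the start of a server's reply."""
    if not data:
        return "no data: server closed the connection without answering"
    if data.startswith(HTTP_PREFIXES):
        return "plain HTTP: TLS is not enabled on this port"
    if len(data) < 5:
        return "truncated: fewer than 5 bytes, no full TLS record header"
    # Record header: 1-byte content type, 2-byte version, 2-byte length.
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype not in RECORD_TYPES or version not in VERSIONS:
        return "not TLS: unrecognised record header " + data[:5].hex()
    body = data[5:5 + length]
    if ctype == 21 and len(body) >= 2:
        # Alert body: level (1 warning, 2 fatal) then description code.
        level = "fatal" if body[0] == 2 else "warning"
        return "%s alert: %s" % (level, ALERTS.get(body[1], "code %d" % body[1]))
    if ctype == 22 and len(body) >= 6 and body[0] == 2:
        # Handshake type 2 is ServerHello; bytes 4-5 hold the chosen version.
        chosen = struct.unpack("!H", body[4:6])[0]
        return "ServerHello: server chose " + VERSIONS.get(chosen, hex(chosen))
    return "TLS record of type %d without a ServerHello or complete alert" % ctype


# Constructed sample replies (not captured from any real server).
SAMPLES = {
    "http on 443": b"HTTP/1.1 400 Bad Request\r\n",
    "handshake failure": bytes.fromhex("15030100020228"),
    "version rejected": bytes.fromhex("15030100020246"),
    "truncated hello": bytes.fromhex("160301002a020000260301"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-18s %s" % (name, classify_first_bytes(raw)))
```

A reply that starts with HTTP/ points at a port without TLS, while a fatal alert means the server spoke TLS and refused the handshake, so the fix lies in protocol version or extension settings rather than in the certificate.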
Wget over SSL gives: Unable to establish SSL connection
try wget --no-check-certificate https://example.com/xyz
wget ssl alert handshake failure
It works from here with same OpenSSL version, but a newer version of wget (1.15). Looking at the Changelog there is the following significant change regarding your problem:
1.14: Add support for TLS Server Name Indication.
Note that this site does not require SNI. But www.coursera.org requires it.
And if you would call wget with -v --debug (as I've explicitly recommended in my comment!) you will see:
$ wget https://class.coursera.org
...
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
...
Location: https://www.coursera.org/ [following]
...
Connecting to www.coursera.org (www.coursera.org)|54.230.46.78|:443... connected.
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.
So the error actually happens with www.coursera.org and the reason is missing support for SNI. You need to upgrade your version of wget.