Unable to establish SSL connection upon wget on Ubuntu 14.04 LTS
... right now it happens only to the website I'm testing. I can't post it here because it's confidential.
Then I guess it is one of the sites which is incompatible with TLS1.2. The openssl as used in 12.04 does not use TLS1.2 on the client side while with 14.04 it uses TLS1.2 which might explain the difference. To work around try to explicitly use
. If this does not help check if you can access the site with
--secure-protocol=TLSv1openssl s_client -connect ...
(probably not) and with openssl s_client -tls1 -no_tls1_1, -no_tls1_2 ...
.
Please note that it might be other causes, but this one is the most probable and without getting access to the site everything is just speculation anyway.
The assumed problem in detail: Usually clients use the most compatible handshake to access a server. This is the SSLv23 handshake which is compatible to older SSL versions but announces the best TLS version the client supports, so that the server can pick the best version. In this case wget would announce TLS1.2. But there are some broken servers which never assumed that one day there would be something like TLS1.2 and which refuse the handshake if the client announces support for this hot new version (from 2008!) instead of just responding with the best version the server supports. To access these broken servers the client has to lie and claim that it only supports TLS1.0 as the best version.
Is Ubuntu 14.04 or wget 1.15 not compatible with TLS 1.0 websites? Do I need to install/download any library/software to enable this connection?
The problem is the server, not the client.
Most browsers work around these broken servers by retrying with a lower version. Most other applications fail permanently if the first connection attempt fails, i.e. they don't downgrade by itself and one has to enforce another version by some application specific settings.
wget Unable to establish SSL connection on bash script install
Telling by
OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
this might be caused by github droping support for ancient TLS version protocols https://github.blog/2018-02-01-crypto-removal-notice/ and a fairly outdated wget+openssl installation.
Try forcing a specific modern TLS protocol and see how it goes
wget --secure-protocol=TLSv1_2 https://github.com/kermitt2/grobid/archive/0.6.1.zip
or try to upgrade your installation
As a rule of thumb, start your scripts with
set -ex
So that they
- stop if any instruction fails
- echo the instruction that is being executed
Unable to establish SSL connection, how do I fix my SSL cert?
SSL23_GET_SERVER_HELLO:unknown protocol
This error happens when OpenSSL receives something other than a ServerHello
in a protocol version it understands from the server. It can happen if the server answers with a plain (unencrypted) HTTP. It can also happen if the server only supports e.g. TLS 1.2 and the client does not understand that protocol version. Normally, servers are backwards compatible to at least SSL 3.0 / TLS 1.0, but maybe this specific server isn't (by implementation or configuration).
It is unclear whether you attempted to pass --no-check-certificate
or not. I would be rather surprised if that would work.
A simple test is to use wget
(or a browser) to request http://example.com:443
(note the http://
, not https://
); if it works, SSL is not enabled on port 443. To further debug this, use openssl s_client
with the -debug
option, which right before the error message dumps the first few bytes of the server response which OpenSSL was unable to parse. This may help to identify the problem, especially if the server does not answer with a ServerHello
message. To see what exactly OpenSSL is expecting, check the source: look for SSL_R_UNKNOWN_PROTOCOL
in ssl/s23_clnt.c
.
In any case, looking at the apache error log may provide some insight too.
wget for windows error: tlsv1 alert protocol version Unable to establish SSL connection
The problem is your version of wget
do not support new versions of TLS. And the web site need TLS v1.1 or 1.2. As you found you need new version of wget
As you use Windows next time maybe will be wise to use Power Shell which have incorporated version of wget
centos7 wget over ssl : Unable to establish SSL connection
According to the output you connect to 172.31.106.79 when trying to connect to www.facebook.com. This is not the IP address for facebook but an IP address reserved for use in internal networks. It looks like that you have some DNS server which returns the wrong IP address for www.facebook.com. This might be some captive portal or it might be an attack or maybe some firewall blocking facebook or similar.
To fix the problem make sure that you are using a network which is not affected by this problem.
Related Topics
How to Read The Password from The Text File in Perl
Linux Read Whitespaces and Special Characters
Why Is This Int $0X10 Bios Int Not Working on Linux
Ssl/Qsslsocket_Openssl.Cpp:1414: Error: Q_Ssl_Ctrl Was Not Declared in This Scope Error
Compare Time Using Date Command
Openssl Shows a Different Server Certificate While Browser Shows Correctly
Find Command Search Only Non Hidden Directories
/Usr/Bin/Ld: Cannot Find -Lglut
Linux Grep/Sed Certain Lines - Space Removal
Error When Compiling Linux Kernel 3.2 for Arm
How to Have Chef Reload Global Path
Linux Intel 64Bit Assembly Division
Command or Option for The Xgettext, Msginit, Msgfmt Sequence for Setting The Mime Type
Reading Microphone Data by Polling Using Alsa [Or V4L2]
Convert a Base64 Ldif File to Plaintext (For Import)
Perl-Mechanize Runs into Limitations - Several Debugging Attempts Started