@f100024
Last active April 11, 2019 14:02

Unknown SSL protocol error in connection to any site through HTTPS using strongswan-client on debian 9 (stretch)

Prerequisites


debian 9.5 (stretch)
charon-cmd, strongSwan 5.5.1

# ifconfig

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 0.0.0.0  netmask 255.255.252.0  broadcast 0.0.0.0
        inet6 fe80::a00:27ff:fec0:bf5d  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:c0:bf:5d  txqueuelen 1000  (Ethernet)
        RX packets 48539  bytes 7074323 (6.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 162  bytes 13771 (13.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        
The VPN server was set up following the approach in https://github.com/Stanback/alpine-strongswan-vpn

After connecting to the strongSwan VPN, some websites timed out. The same behavior was observed with curl:

$ curl -v https://packagist.org/
*   Trying 54.38.136.239...
* TCP_NODELAY set
* Connected to packagist.org (54.38.136.239) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to packagist.org:443 
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to packagist.org:443

Without the VPN connection, everything works:


$ curl -v https://packagist.org/
*   Trying 54.38.136.239...
* TCP_NODELAY set
* Connected to packagist.org (54.38.136.239) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=packagist.org
*  start date: Aug 19 09:17:28 2018 GMT
*  expire date: Nov 17 09:17:28 2018 GMT
*  subjectAltName: host "packagist.org" matched cert's "packagist.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x561cba2f1dc0)
> GET / HTTP/1.1
> Host: packagist.org
> User-Agent: curl/7.52.1
> Accept: */*

The strongSwan mobile client for Android 7 was also checked. It worked, and all requests succeeded. Others have described a similar problem in these issues:

In this example the host used TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384. For some websites the connection worked fine, for example https://yandex.ru:

curl -v https://yandex.ru
* Rebuilt URL to: https://yandex.ru/
*   Trying 77.88.55.80...
* TCP_NODELAY set
* Connected to yandex.ru (77.88.55.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=RU; O=Yandex LLC; OU=ITO; L=Moscow; ST=Russia; CN=yandex.com.tr
*  start date: May 18 20:26:24 2017 GMT
*  expire date: May 18 20:26:24 2019 GMT
*  subjectAltName: host "yandex.ru" matched cert's "yandex.ru"
*  issuer: C=RU; O=Yandex LLC; OU=Yandex Certification Authority; CN=Yandex CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: yandex.ru
> User-Agent: curl/7.52.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Thu, 13 Sep 2018 13:14:02 GMT
< Cache-Control: no-cache,no-store,max-age=0,must-revalidate
< Location: https://yandex.ua/portal/mda/?retpath=https%3A%2F%2Fyandex.ua%3Fnr%3D17787&ip=::ffff:195.242.151.17&sk=y61d7ea5a23a06e73fe95d96991f9a5e8&mda_sign=yu%3A1044454951536844442%3Bmda%3A0%3Byp%3A%3Bgid%3A%3Bmy%3A.1536844443.389eb6caa5
< Expires: Thu, 13 Sep 2018 13:14:03 GMT
< Last-Modified: Thu, 13 Sep 2018 13:14:03 GMT
< P3P: policyref="/w3c/p3p.xml", CP="NON DSP ADM DEV PSD IVDo OUR IND STP PHY PRE NAV UNI"
< Set-Cookie: mda=0; Expires=Fri, 11-Jan-2019 13:14:02 GMT; Domain=.yandex.ru; Path=/
< Set-Cookie: yandexuid=1044454951536844442; Expires=Sun, 10-Sep-2028 13:14:02 GMT; Domain=.yandex.ru; Path=/
< Set-Cookie: i=iwam6xJPeqwPM0m5uKJsRceRVBUT2ZnX9c/k4ZwJvUDc0kBrgSO/ytJ9q9Znv5EB8qSjTj2MEVK4OK1/HndMACBs9EA=; Expires=Sun, 10-Sep-2028 13:14:02 GMT; Domain=.yandex.ru; Path=/; Secure; HttpOnly
< X-Content-Type-Options: nosniff
< Content-Length: 0
< 
* Curl_http_done: called premature == 0
* Connection #0 to host yandex.ru left intact


In this case the host used TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256, which differs from the TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 used with https://packagist.org/.

Next, the host https://news.yandex.ru/ was checked, which did not work:

$ curl -v https://news.yandex.ru
* Rebuilt URL to: https://news.yandex.ru/
*   Trying 213.180.204.12...
* TCP_NODELAY set
* Connected to news.yandex.ru (213.180.204.12) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to news.yandex.ru:443 
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to news.yandex.ru:443 

And the same check without the VPN:

$ curl -v https://news.yandex.ru
* Rebuilt URL to: https://news.yandex.ru/
*   Trying 87.250.250.12...
* TCP_NODELAY set
* Connected to news.yandex.ru (87.250.250.12) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=RU; O=Yandex LLC; OU=ITO; L=Moscow; ST=Russian Federation; CN=news.yandex.ru
*  start date: Nov  1 11:17:35 2017 GMT
*  expire date: Nov  1 11:17:35 2019 GMT
*  subjectAltName: host "news.yandex.ru" matched cert's "news.yandex.ru"
*  issuer: C=RU; O=Yandex LLC; OU=Yandex Certification Authority; CN=Yandex CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: news.yandex.ru
> User-Agent: curl/7.52.1
> Accept: */*
> 
< HTTP/1.1 302 Moved temporarily
< Vary: Accept-Encoding
< Cache-Control: private, no-cache, no-store
< Location: https://news.yandex.ua/?redircnt=1536845816.1
< Set-Cookie: i=ShwkDdVgjvOD1sdilPPsJtmSsWMy7lcfM6iK+Wr9pXpSNIngYmcNQXZTFYcvSlR7VQmMQTD6FPmFR7nkqwNxPRTbxTc=; Expires=Sun, 10-Sep-2028 13:36:56 GMT; Domain=.yandex.ru; Path=/; Secure; HttpOnly
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
< 
* Curl_http_done: called premature == 0
* Connection #0 to host news.yandex.ru left intact
Redirected to https://news.yandex.ua/?redircnt=1536845816.1

In both cases (https://news.yandex.ru/ and https://packagist.org/) the connection used TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384.

What the cipher suite ECDHE-RSA-AES256-GCM-SHA384 actually means:

ECDHE-RSA-AES256-GCM-SHA384
  |    |    |     |    |
  |    |    |     |  SHA384 - used as the hash function (for generating session keys)
  |    |    |    GCM - payload is encrypted with AES-256 in GCM mode
  |    |  AES256 - payload is encrypted with AES-256
  |   RSA - RSA is used for authentication during the key exchange
ECDHE - the shared key is generated using Diffie-Hellman

Summary:

TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 - did not work
TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 - did not work
TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256 - worked

In the cases where RSA was used for authentication during the key exchange, the connection timed out with:

curl: (35) Unknown SSL protocol error in connection to news.yandex.ru:443 

.IP "CURLE_SSL_CONNECT_ERROR (35)"
A problem occurred somewhere in the SSL/TLS handshake. You really want the
error buffer and read the message there as it pinpoints the problem slightly
more. Could be certificates (file formats, paths, permissions), passwords, and
others.

Solved by decreasing the MTU from 1500 to 1422:

# ifconfig enp0s3 mtu 1422
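
One way to measure the largest MTU that passes through the tunnel instead of guessing a value, as an added example that is not part of the original gist: it binary-searches the ICMP payload size with the don't-fragment bit set (Linux iputils `ping -M do`) and adds the 28 bytes of IPv4 and ICMP headers. The function names, the `PROBE_HOST` variable and the search bounds (548 to 1472 bytes) are assumptions of this example.

```shell
#!/bin/sh
# Added example: find the largest IPv4 MTU that passes a path unfragmented.
# Assumes Linux iputils ping, where -M do sets the don't-fragment (DF) bit.

# probe_ping HOST SIZE: succeeds if an ICMP echo with SIZE payload bytes
# and DF set is answered within 2 seconds.
probe_ping() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload PROBE HOST LOW HIGH
# Binary search for the largest payload in [LOW, HIGH] for which
# "PROBE HOST SIZE" succeeds. Prints the size; returns 1 if even LOW fails.
find_max_payload() {
    probe=$1 host=$2 low=$3 high=$4
    "$probe" "$host" "$low" || return 1
    while [ "$low" -lt "$high" ]; do
        mid=$(( (low + high + 1) / 2 ))   # upper midpoint so the loop always shrinks
        if "$probe" "$host" "$mid"; then
            low=$mid
        else
            high=$(( mid - 1 ))
        fi
    done
    echo "$low"
}

# path_mtu PROBE HOST: largest payload plus 20 bytes IPv4 header and 8 bytes
# ICMP header. Searches between the 576-byte IPv4 minimum and a 1500-byte MTU.
path_mtu() {
    payload=$(find_max_payload "$1" "$2" 548 1472) || return 1
    echo $(( payload + 28 ))
}

# Runs only when a target is given, e.g.:
#   PROBE_HOST=packagist.org sh probe_mtu.sh   (with the VPN connected)
if [ -n "${PROBE_HOST:-}" ]; then
    mtu=$(path_mtu probe_ping "$PROBE_HOST") || {
        echo "no ICMP reply from $PROBE_HOST, pick another target" >&2
        exit 1
    }
    echo "largest working MTU towards $PROBE_HOST: $mtu"
    echo "apply with: ifconfig enp0s3 mtu $mtu"
fi
```

The target must answer ICMP echo requests, and the probe has to run while the VPN is connected so that the packets take the tunnel path.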