
I am trying to use a Python program for mass downloading images from a website.
But I always get this error:

IOError: [Errno socket error] [Errno 1] _ssl.c:510: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I tried looking at another post with this error but they expect you to already know a lot about this stuff. And I know nothing, so please explain like I'm a beginner.

$ch = curl_init();
$clientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
$secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

curl_setopt($ch, CURLOPT_URL, "https://api.sandbox.paypal.com/v1/oauth2/token");
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // peer certificate verification is turned off
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERPWD, $clientId.":".$secret);
curl_setopt($ch, CURLOPT_POSTFIELDS, "grant_type=client_credentials");
$result = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Error:' . curl_error($ch);
}
curl_close ($ch);

This code works on localhost, but when I test it on my live server it gives me this error: Error:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure. Then I tried this:

<?php
$ch = curl_init(); 
curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/"); 
curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '/cacert.pem');
var_dump(curl_exec($ch));
if ($err = curl_error($ch)) {
    var_dump($err);
    echo "DEBUG INFORMATION:\n###########";
    echo "CURL VERSION";
    echo json_encode(curl_version(), JSON_PRETTY_PRINT);
}
?>

github.com/paypal/TLS-update/tree/master/php. This again works on localhost, and on live it gives me this:

error bool(false)
string(67) "Unknown SSL protocol error in connection to tlstest.paypal.com:443 "
DEBUG INFORMATION:
###########CURL VERSION

My server has these certificates:

Server Key and Certificate #1

Subject *.secure.xxxxxxxx.com
Fingerprint SHA1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Pin SHA256: S4/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Common names    *.secure.xxxxxxxx.com   MISMATCH
Alternative names   *.secure.xxxxxxx.com
Key RSA 2048 bits (e 65537)
Weak key (Debian)   No
Issuer  Symantec Class 3 Secure Server CA - G4
AIA: xxxxxxx/ss.crt
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency    Yes (certificate)
OCSP Must Staple    No
Revocation information  CRL, OCSP
CRL: xxxxxx/ss.crl
OCSP: xxxxxxxxx
Revocation status   Good (not revoked)
Trusted No   NOT TRUSTED (Why?)

#2

Subject Symantec Class 3 Secure Server CA - G4
Fingerprint SHA1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Pin SHA256: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key RSA 2048 bits (e 65537)
Issuer  VeriSign Class 3 Public Primary Certification Authority - G5
Signature algorithm SHA256withRSA

#3

Subject VeriSign Class 3 Public Primary Certification Authority - G5
Fingerprint SHA1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Pin SHA256: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key RSA 2048 bits (e 65537)
Issuer  VeriSign, Inc. / Class 3 Public Primary Certification Authority
Signature algorithm SHA1withRSA   WEAK

**Protocols**

TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3   No
SSL 2   No


checked requirements at

It is giving this SSLHandshakeException. When the app runs on Android 5.1 (Android versions >= 4.4) it gives the exception. I tested it on Android 4.3 and it works fine. What could be the cause of this? Please help.

W/System.err(14221): javax.net.ssl.SSLHandshakeException: Handshake failed
W/System.err(14221):    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:390)
W/System.err(14221):    at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:623)
W/System.err(14221):    at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:585)
W/System.err(14221):    at org.apache.http.impl.io.SocketInputBuffer.<init>(SocketInputBuffer.java:75)
W/System.err(14221):    at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(SocketHttpClientConnection.java:88)
W/System.err(14221):    at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(DefaultClientConnection.java:175)
W/System.err(14221):    at org.apache.http.impl.SocketHttpClientConnection.bind(SocketHttpClientConnection.java:111)
W/System.err(14221):    at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(DefaultClientConnection.java:134)
W/System.err(14221):    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
W/System.err(14221):    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:169)
W/System.err(14221):    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:124)
W/System.err(14221):    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:365)
W/System.err(14221):    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:768)
W/System.err(14221):    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:700)
W/System.err(14221):    at com.up.testjavasdkdemo.ssltest.HttpHandler.makeRequestWithRetries(HttpHandler.java:75)
W/System.err(14221):    at com.up.testjavasdkdemo.ssltest.HttpHandler.doInBackground(HttpHandler.java:132)
W/System.err(14221):    at android.os.AsyncTask$2.call(AsyncTask.java:292)
W/System.err(14221):    at java.util.concurrent.FutureTask.run(FutureTask.java:237)
W/System.err(14221):    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
W/System.err(14221):    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
W/System.err(14221):    at java.lang.Thread.run(Thread.java:818)
W/System.err(14221): Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb7c985b0: Failure in SSL library, usually a protocol error
W/System.err(14221): error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:770 0xae157cc5:0x00000000)
W/System.err(14221):    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W/System.err(14221):    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:318)
W/System.err(14221):    ... 20 more
I/SSLTest (14221): onFailure:javax.net.ssl.SSLHandshakeException: Handshake failed  strMsg:Handshake failed

Attempting to renew a certificate that expired earlier this month and I can't seem to get it to work.

  • Apache Tomcat 7.0.34
  • CentOS
  • Java 1.7.0_65
  • (Root Cert) I've tried both gdroot-g2_cross.crt (Java Root) and gdroot-g2.crt separately and neither worked
  • (intermed Cert) gdig2.crt
  • (tomcat Cert) The one I was given by GoDaddy
  • All newly SHA2
  • Instructions Used

Step by step what I have done

  1. Generate CSR using the already existing keystore via :
    keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore
  2. Submit the new CSR to GoDaddy
  3. Receive Certificates from GoDaddy
  4. Unzip them to my desired directory
  5. Delete the old certificates from the keystore via : keytool -delete -alias root -keystore tomcat.keystore (This was done with intermed and tomcat as well)
  6. Add the new certificates to the keystore via: keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file newrootfile.crt (Again I did this with intermed and tomcat)
  7. Check the server.xml (It is still pointed to the right keystore because I reused one)
  8. Restart Tomcat
  9. No errors in catalina.out, no errors when importing certs.
  10. Attempt to bring up page gets Secure Connection Failed: FireFox(SSL_Error_no_cypher_overlap), Chrome (ERR_SSL_Version_Or_Cypher_Mismatch)
  11. Spend the last five days trying different things
    • Creating new keystore instead of using old one
      -No errors again, but instead of Secure Connection Failed I get Unable to connect
    • Using different root certs from the GoDaddy Repository
  12. Found out how to use openssl to check a connection

(Server is a virtual machine that has saved states so when I break it I can go back to when it was working) With old SHA1 (expired):

$ openssl s_client -connect myhost:443

CONNECTED(00000003)
---
Certificate chain
...
...
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
.....
.....
----
No client certificate CA names sent
----
SSL handshake has read 4586 bytes and written 461 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
server public key is 2048 bit
....
SSL-Session:
   Protocol : TLSv1.2
   Cipher : DHE-RSA-AES256-SHA256
   ....
   Verify return code: 10 (certificate has expired)
---
closed

With new SHA2:

$ openssl s_client -connect myhost:443

CONNECTED(00000003)
140219291584328:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741
---
no peer certificate available
--
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 263 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation is NOT supported
Compression: NONE
Expansion: NONE

server.xml

<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.security.SecurityListener" />
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
  <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="path/to/users" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
   maxThreads="200" scheme="https" secure="true" clientAuth="false"
   sslProtocol="TLS" keystoreFile="path/to/keystore" 
   keystorePass="mykeystorepass" compression="on" />

Everything was previously set up by a developer before I began work here years ago, so I assume that he set up the server.xml correctly because it has been working for the past two years.

Any thoughts on how to rectify this?
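A check that fits after steps 5 and 6 above, added here as an example and not part of the original post: `keytool -delete` on an alias that holds a private key removes the key together with its certificate, and a later `keytool -import` under an alias with no key entry creates a `trustedCertEntry`, so it is worth confirming that the server's alias is still a `PrivateKeyEntry`. The `keytool -list` output below is constructed, the function names are hypothetical, and the alias `tomcat` is taken from step 1.

```python
import re

# One entry line of `keytool -list` reads "<alias>, <date>, <entry type>,".
# The date itself contains a comma, so the entry type is matched at the end.
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?), .+, (?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$"
)


def parse_keytool_list(text: str) -> dict:
    """Map each alias in `keytool -list` output to its entry type."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias")] = m.group("type")
    return entries


def server_key_problems(entries: dict, key_alias: str = "tomcat") -> list:
    """Return reasons why the keystore cannot serve TLS under key_alias."""
    problems = []
    kind = entries.get(key_alias)
    if kind is None:
        problems.append(f"alias '{key_alias}' is missing")
    elif kind != "PrivateKeyEntry":
        problems.append(f"alias '{key_alias}' is a {kind}: certificate only, no private key")
    if "PrivateKeyEntry" not in entries.values():
        problems.append("keystore holds no private key, so the server has no key to present")
    return problems


# Constructed sample: a keystore where the CA reply was imported over the
# existing key entry, which keeps the private key.
LIST_OK = """\
Your keystore contains 3 entries

root, Jan 20, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
intermed, Jan 20, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
tomcat, Jan 20, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
"""
# Constructed sample: the same keystore after the key alias was deleted and re-imported.
LIST_BROKEN = LIST_OK.replace("tomcat, Jan 20, 2016, PrivateKeyEntry",
                              "tomcat, Jan 20, 2016, trustedCertEntry")
```

Feed the functions the real output of `keytool -list -keystore tomcat.keystore`; an empty result from `server_key_problems` means the alias still carries its private key.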
