Openssl is unable to establish SSL connection, when I try to access a local site through third party tools like wget

3

0

I want to monitor the index of a site periodically on our local network out of browsers. I tried to download it by wget in Windows10:

    wget --no-check-certificate --no-hsts --content-on-error --ignore-length --unlink --server-response --show-progress --verbose https://172.*.*.*:*/app

But it couldn't fetch the page. Here is the result:

    --2019-02-02 16:56:01--  https://172.*.*.*:*/app
    Connecting to 172.*.*.*:*... connected.
    OpenSSL: error:2406F079:random number generator:RAND_load_file:Cannot open file
    Unable to establish SSL connection.

I also tried with other tools like urlwatch and curl. None of them were able to get access to that page! Is there any idea? Here is the error given by urlwatch:

    HTTPSConnectionPool(host='172.*.*.*', port=*):
    Max retries exceeded with url: /app
    (Caused by SSLError(SSLError(1,
    '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)')))

mini

Posted 2019-02-05T08:51:33.820

Reputation: 51

It looks like your clients are trying to negotiate SSL version 3. This is an old protocol, and most webservers have disabled support for it in preference to TLS 1.0/1.1/1.2/1.3. Can you use openssl and its s_client connect functionality to check that you can successfully negotiate an SSL connection to that system? Try openssl s_client -connect 172.*.*.*:<port> – ssnobody – 2019-03-22T21:39:32.903

Check the file openssl.cnf for a RANDFILE=... configuration line and remove if found. Or are you using PowerShell where wget is an alias for Invoke-WebRequest? If you aren't, then you should consider using it.

– harrymc – 2019-03-23T08:19:55.887

@ssnobody: 'sslv3 alert handshake failure' only means the alert code (40) was first defined by sslv3; it does not mean sslv3 protocol was tried (or used). Although we can't be sure 'urlwatch' is using the same OpenSSL 'wget' is, the 'wget' is definitely using 1.1.1, and post-POODLE versions of OpenSSL (1.1.0 and 1.1.1) don't even compile sslv3 capability by default. That said, I concur with trying s_client if possible, and although a host accessed by address probably isn't using SNI, if < 1.1.1 consider adding -servername $host -- mini: browser can access this server by address? – dave_thompson_085 – 2019-03-24T13:03:23.407

@harrymc: some commandline utilities use RANDFILE from configfile, but libssl does not. The error message shown from 'wget' is definitely OpenSSL (used by real wget) not MS schannel (used indirectly by powershell). Although it might be a wget version not updated for OpenSSL 1.1.1, which returns error from RAND_load_file in (quite a few) cases where prior versions ignored the error and just returned 'no data', which is usually ignorable since RAND still autoseeds. – dave_thompson_085 – 2019-03-24T13:07:06.393

There is no reason in Windows 10 to use a third-party tool to download a file when this is built into PowerShell. You may use Invoke-WebRequest or Client.DownloadFile. Let me know if you wish me to post an answer.

– harrymc – 2019-03-24T20:25:35.797
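
The point raised in the comments above, that alert code 40 keeps its SSLv3-era name whatever protocol version is on the wire, can be checked by decoding the alert record from a packet capture. This is an added example, not code from any poster on this page; the sample bytes are constructed, and `parse_alert_record` and the lookup tables are hypothetical names.

```python
import struct

RECORD_ALERT = 21  # TLS record content type for alerts
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2 (also the legacy value used by TLS 1.3)"}
LEVELS = {1: "warning", 2: "fatal"}
# description code -> (name, protocol version that first defined the code)
ALERTS = {
    10: ("unexpected_message", "SSLv3"),
    20: ("bad_record_mac", "SSLv3"),
    40: ("handshake_failure", "SSLv3"),
    42: ("bad_certificate", "SSLv3"),
    47: ("illegal_parameter", "SSLv3"),
    48: ("unknown_ca", "TLS 1.0"),
    70: ("protocol_version", "TLS 1.0"),
    80: ("internal_error", "TLS 1.0"),
}

def parse_alert_record(data: bytes) -> dict:
    """Decode one unencrypted TLS alert record (5-byte header + 2-byte body)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype != RECORD_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    if length != 2 or len(data) < 7:
        raise ValueError("alert is encrypted or truncated; cannot decode")
    level, desc = data[5], data[6]
    name, origin = ALERTS.get(desc, (f"unknown({desc})", "unknown"))
    return {
        # Record-layer version field: what the peer spoke, not where the code was defined.
        "record_version": VERSIONS.get(version, hex(version)),
        "level": LEVELS.get(level, f"unknown({level})"),
        "code": desc,
        "name": name,
        "code_first_defined_in": origin,
    }

# Constructed sample: fatal handshake_failure (40) carried in a 0x0303 record.
SAMPLE = bytes.fromhex("15" "0303" "0002" "02" "28")

if __name__ == "__main__":
    for key, value in parse_alert_record(SAMPLE).items():
        print(f"{key}: {value}")
```

Only alerts sent before encryption starts (the usual case for a failed handshake) can be decoded this way.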

Answers

0

Why don't you try curl instead?

For your reference go to this site

It is very common to replace wget with curl under some scenarios. Probably this case is a good one to go with curl instead.

You can check this short example with Windows 10

If the problem persists, you will definitely need to update SSL to the latest version or use the OpenSSL library for Windows 10. To avoid the risk of installing a third-party installer, get further details from here.

The Git for Windows installation already contains the openssl.exe you need; you can get it from here. I have used this solution in the past and it worked well.

Check this for your reference as well.

mario ruiz

Posted 2019-02-05T08:51:33.820

Reputation: 283

0

There is no reason in Windows to use a third-party tool to download a file, when such tools already exist natively, especially if that tool is badly adapted to Windows.

For downloading a file, you may use PowerShell with the methods of Invoke-WebRequest or Client.DownloadFile, and here are some examples:

    # Cmdlet form
    Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/Handle.zip' -OutFile C:\handle.zip
    # .NET WebClient form
    (New-Object System.Net.WebClient).DownloadFile('https://download.sysinternals.com/files/Handle.zip', 'C:\handle.zip')

harrymc

Posted 2019-02-05T08:51:33.820

Reputation: 306 093

Here is how you might call it from outside of powershell (so you can use it just like wget) --> "powershell.exe -Command (new-object System.Net.WebClient).DownloadFile('https://download.sysinternals.com/files/Handle.zip','c:\my_out_dir\Handle.zip')" <--

– Señor CMasMas – 2019-03-28T21:41:39.930