I want to periodically monitor the index page of a site on our local network, outside of a browser. I tried to download it with wget on Windows 10:
> wget --no-check-certificate --no-hsts --content-on-error --ignore-length --unlink --server-response --show-progress --verbose https://172.*.*.*:*/app
But it couldn't fetch the page. Here is the result:
--2019-02-02 16:56:01-- https://172.*.*.*:*/app
Connecting to 172.*.*.*:*... connected.
OpenSSL: error:2406F079:random number generator:RAND_load_file:Cannot open file
Unable to establish SSL connection.
I also tried other tools like urlwatch and curl. None of them were able to access that page! Does anyone have any idea? Here is the error given by urlwatch:
HTTPSConnectionPool(host='172.*.*.*', port=*):
Max retries exceeded with url: /app
(Caused by SSLError(SSLError(1,
'[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)')))
It looks like your clients are trying to negotiate SSL version 3. This is an old protocol, and most webservers have disabled support for it in preference to TLS 1.0/1.1/1.2/1.3. Can you use openssl and its s_client connect functionality to check that you can successfully negotiate an SSL connection to that system? Try openssl s_client -connect 172.*.*.*:<port> – ssnobody – 2019-03-22T21:39:32.903

Check the file openssl.cnf for a RANDFILE=... configuration line and remove it if found. Or are you using PowerShell, where wget is an alias for Invoke-WebRequest? If you aren't, then you should consider using it. – harrymc – 2019-03-23T08:19:55.887

@ssnobody: 'sslv3 alert handshake failure' only means the alert code (40) was first defined by sslv3; it does not mean the sslv3 protocol was tried (or used). Although we can't be sure 'urlwatch' is using the same OpenSSL 'wget' is, the 'wget' is definitely using 1.1.1, and post-POODLE versions of OpenSSL (1.1.0 and 1.1.1) don't even compile sslv3 capability by default. That said, I concur with trying s_client if possible, and although a host accessed by address probably isn't using SNI, if < 1.1.1 consider adding -servername $host -- mini: browser can access this server by address? – dave_thompson_085 – 2019-03-24T13:03:23.407

@harrymc: some commandline utilities use RANDFILE from the config file, but libssl does not. The error message shown from 'wget' is definitely OpenSSL (used by real wget) not MS schannel (used indirectly by PowerShell). Although it might be a wget version not updated for OpenSSL 1.1.1, which returns an error from RAND_load_file in (quite a few) cases where prior versions ignored the error and just returned 'no data', which is usually ignorable since RAND still autoseeds. – dave_thompson_085 – 2019-03-24T13:07:06.393
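The two comments above make a point worth checking mechanically before chasing a server-side cause: the wget error comes from OpenSSL's RNG/config layer and is raised before any byte reaches the server, while the urlwatch error is a fatal alert received from the peer, and the SSLV3_ prefix in its reason name only records which spec first defined that alert. The following Python triage helper (an added example, not code from this thread or from wget, urlwatch or OpenSSL) classifies the two error strings quoted in the question. It assumes the OpenSSL 1.1.x error-code packing (lib<<24 | func<<12 | reason; OpenSSL 3 changed this layout), uses the AlertDescription values from RFC 5246, and embeds constructed copies of the two messages as sample input.

```python
"""Triage OpenSSL / Python ssl error text: local client problem vs. peer alert."""
import re
from dataclasses import dataclass, field

# Constructed copies of the two error strings quoted in the question.
WGET_ERROR = ("OpenSSL: error:2406F079:random number generator:"
              "RAND_load_file:Cannot open file")
URLWATCH_ERROR = ("[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert "
                  "handshake failure (_ssl.c:1056)")

# On-the-wire TLS AlertDescription values (RFC 5246 section 7.2, plus
# inappropriate_fallback from RFC 7507 and unrecognized_name from RFC 6066).
TLS_ALERTS = {
    "CLOSE_NOTIFY": 0, "UNEXPECTED_MESSAGE": 10, "BAD_RECORD_MAC": 20,
    "HANDSHAKE_FAILURE": 40, "BAD_CERTIFICATE": 42,
    "CERTIFICATE_EXPIRED": 45, "CERTIFICATE_UNKNOWN": 46,
    "ILLEGAL_PARAMETER": 47, "UNKNOWN_CA": 48, "ACCESS_DENIED": 49,
    "DECODE_ERROR": 50, "DECRYPT_ERROR": 51, "PROTOCOL_VERSION": 70,
    "INSUFFICIENT_SECURITY": 71, "INTERNAL_ERROR": 80,
    "INAPPROPRIATE_FALLBACK": 86, "UNRECOGNIZED_NAME": 112,
}

# "error:<8 hex digits>:<library>:<function>:<reason text>" as printed by OpenSSL.
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)")
# Python's ssl module reason names for alerts received from the peer, e.g.
# SSLV3_ALERT_HANDSHAKE_FAILURE or TLSV1_ALERT_PROTOCOL_VERSION.
PY_SSL_ALERT_RE = re.compile(r"\[SSL: ([A-Z0-9]+)_ALERT_([A-Z_]+)\]")


def decode_openssl_code(code: int) -> dict:
    """Split a packed OpenSSL 1.1.x error code into its three fields.

    Assumption: ERR_PACK layout lib<<24 | func<<12 | reason (8/12/12 bits).
    """
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


@dataclass
class Diagnosis:
    side: str              # "client", "server" or "unknown"
    summary: str
    detail: dict = field(default_factory=dict)


def triage(message: str) -> Diagnosis:
    """Classify an error string as a local client fault or a peer rejection."""
    m = OPENSSL_ERR_RE.search(message)
    if m:
        code, lib_name, func_name, reason_text = m.groups()
        detail = decode_openssl_code(int(code, 16))
        detail.update(library=lib_name, function=func_name,
                      reason_text=reason_text.strip())
        # RNG / config-file errors are raised before the handshake starts,
        # so the server has not rejected anything yet.
        if func_name.startswith("RAND_") or lib_name == "random number generator":
            return Diagnosis("client", "local OpenSSL error before any TLS "
                             f"exchange ({func_name}: {reason_text.strip()})", detail)
        return Diagnosis("unknown", f"OpenSSL error in {lib_name}/{func_name}", detail)

    m = PY_SSL_ALERT_RE.search(message)
    if m:
        defined_in, alert = m.groups()
        code = TLS_ALERTS.get(alert)
        detail = {"alert": alert.lower(), "alert_code": code,
                  "defined_in": defined_in}
        # The SSLV3_/TLSV1_ prefix names the spec that introduced the alert,
        # not the protocol version the two sides negotiated or attempted.
        return Diagnosis("server", f"peer sent fatal alert {alert.lower()} "
                         f"(code {code}); the '{defined_in.lower()}' prefix says "
                         "nothing about the negotiated version", detail)

    return Diagnosis("unknown", "unrecognized error text")


if __name__ == "__main__":
    for msg in (WGET_ERROR, URLWATCH_ERROR):
        d = triage(msg)
        print(f"{d.side:7} {d.summary}")
```

For the wget line the decoder yields library 0x24, function 0x6F and reason 0x79, matching the "random number generator / RAND_load_file / Cannot open file" text, and the verdict is a client-side configuration problem; for the urlwatch line it reports alert 40 (handshake_failure) from the peer, which per RFC 5246 only means the server could not agree on security parameters with what the client offered, and leaves the next step to openssl s_client as the comments suggest.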
There is no reason in Windows 10 to use a third-party tool to download a file when this is built into PowerShell. You may use Invoke-WebRequest or Client.DownloadFile. Let me know if you wish me to post an answer. – harrymc – 2019-03-24T20:25:35.797