SSL error: sslv3 alert certificate unknown (in ssl3_read_bytes) With Autobahn Python Twisted on Ubuntu

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bernie-vs-trump.greenrobot.com

I ran this command:

sudo python3 server.py

It produced this output:
2020-02-10 01:13:58+0000 Log opened.

2020-02-10 01:13:58+0000 BroadcastServerFactory (TLS) starting on 9000

2020-02-10 01:13:58+0000 Starting factory <main.BroadcastServerFactory object at 0x7f6583a77780>

2020-02-10 01:14:00+0000 SSL error: sslv3 alert certificate unknown (in ssl3_read_bytes)

My web server is (include version):
Apache. (Although this is a Python secure websocket server issue).
I am using Twisted Autobahn.

The operating system my web server runs on is (include version):
Ubuntu 18.

Here’s Mac
My hosting provider, if applicable, is:
Linode.

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Here’s my code. A whole lot of things, trying to get it working:

if __name__ == '__main__':
   import os
   from certifi import where
   os.environ['SSL_CERT_FILE'] = where()
    
   log.startLogging(sys.stdout)
   privkey=open('/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/privkey.pem', 'rt').read()
   certif=open('/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/cert.pem', 'rt').read()
   fullchain=open('/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/fullchain.pem', 'rt').read()

   from autobahn.twisted.websocket import WebSocketServerFactory
   KEYPATH2 = "/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/"
   tls_crt = os.path.join(KEYPATH2, "fullchain.pem")
   fullchain = os.path.join(KEYPATH2, "fullchain.pem")
   tls_key = os.path.join(KEYPATH2, "privkey.pem")
    
   contextFactory2 = twisted.internet.ssl.DefaultOpenSSLContextFactory(
        
        "/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/privkey.pem",
        "/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/cert.pem",
    
    )

 
   contextFactory3 = certificateOptionsFromFiles(
    '/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/privkey.pem',
    '/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/fullchain.pem')
 

   ServerFactory = BroadcastServerFactory
   factory = ServerFactory("wss://bernie-vs-trump.greenrobot.com:9000") #!!!!!!!!!!!!!!!!!!    
   factory.protocol = MyServerProtocol
   autobahn.twisted.websocket.listenWS(factory, contextFactory3)
   #reactor.listenSSL(9000, factory, contextFactory)
   reactor.run()

When I try with:
reactor.listenTCP(9000, factory) instead of
autobahn.twisted.websocket.listenWS(factory, contextFactory3)

and try to connect from Starscream on an iOS client, I get the following error:
dropping connection to peer tcp4:myip:50765 with abort=True: WebSocket opening handshake timeout (peer did not finish the opening handshake in time)

privkey = privkey.pem [yes]
certif = cert.pem [yes]
fullchain = fullchain.pem [not so sure about this - maybe it should use chain.pem file instead]

Also, I would try using fullchain.pem instead of cert.pem as in lines below:

I tried those two suggestions, and also switched from using contextFactory3 to contextFactory2 and get the same error:

sudo python3 serverssl.py
2020-02-10 12:14:13+0000 [-] Log opened.
2020-02-10 12:14:13+0000 [-] BroadcastServerFactory (TLS) starting on 9000
2020-02-10 12:14:13+0000 [-] Starting factory <__main__.BroadcastServerFactory object at 0x7fcfb761b780>
2020-02-10 12:14:15+0000 [-] SSL error: sslv3 alert certificate unknown (in ssl3_read_bytes)```

Wait, what does your SSL config look like for your domain virtual host or your global apache settings?

By current industry standards SSLv3 should be disabled, preferably anything below TLSv1.2:
SSL Protocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1. 1

1 Like

Well, this is with Twisted/Python, not Apache, isn’t it? https works OK as far as I know. It’s port 9000 running with Autobahn (https://github.com/crossbario/autobahn-python/)

For Apache, I tried:

openssl s_client -connect bernie-vs-trump.greenrobot.com:443 -ssl3

and got:

s_client: Option unknown option -ssl3

From: https://bobcares.com/blog/how-to-disable-sslv3-in-linux/

Thank you.

Should this test be for port 9000 (instead of 443)?

Testing both, I see that Apache answers on :443 and shows TLSv1.2:

curl -Iki https://bernie-vs-trump.greenrobot.com:443/
HTTP/1.1 200 OK
Date: Mon, 10 Feb 2020 16:44:22 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8

New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305

While :9000 also shows TLSv1.2 but a different cipher:

 curl -Iki https://bernie-vs-trump.greenrobot.com:9000/
HTTP/1.1 405 HTTP method 'HEAD' not allowed

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Hi there, I solved my problem via someone on Twisted IRC.

In Starscream websocket client, they are by default looking for cert pinning. This solved it:

OpenSSL reports weird errors. Apparently it is not using ssl v3 even though it reports using it.

1 Like

Thanks for jumping in to help.

1 Like

Simplified server sample code for anyone who stumbles across this:

   contextFactory = certificateOptionsFromFiles(
    '/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/privkey.pem',
    '/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/cert.pem',
    '/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/fullchain.pem')
 
   ServerFactory = BroadcastServerFactory
   factory = ServerFactory("wss://0.0.0.0:9000")   
   factory.protocol = MyServerProtocol
   reactor.listenSSL(9001, factory, contextFactory)
   reactor.run()

Client code:

        var request = URLRequest(url: URL(string: "wss://bernie-vs-trump.greenrobot.com:9000")!)
        request.timeoutInterval = 10
        // Sets the timeout for the connection
        self.socket = WebSocket(request: request, certPinner: nil)
        socket!.delegate = self
        socket!.connect()

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.