SSL error: sslv3 alert certificate unknown (in ssl3_read_bytes) With Autobahn Python Twisted on Ubuntu

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bernie-vs-trump.greenrobot.com

I ran this command:

sudo python3 server.py

It produced this output:
2020-02-10 01:13:58+0000 Log opened.
2020-02-10 01:13:58+0000 BroadcastServerFactory (TLS) starting on 9000
2020-02-10 01:13:58+0000 Starting factory <main.BroadcastServerFactory object at 0x7f6583a77780>
2020-02-10 01:14:00+0000 SSL error: sslv3 alert certificate unknown (in ssl3_read_bytes)

My web server is (include version):
Apache. (Although this is a Python secure websocket server issue).
I am using Twisted Autobahn.

The operating system my web server runs on is (include version):
Ubuntu 18.

My hosting provider, if applicable, is:
Linode.

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Here’s my code. A whole lot of things, trying to get it working:

```python
import os
import sys

import autobahn.twisted.websocket
import twisted.internet.ssl
from pem.twisted import certificateOptionsFromFiles  # helper used below comes from the pem package
from twisted.internet import reactor
from twisted.python import log

# BroadcastServerFactory and MyServerProtocol are defined elsewhere in the
# poster's server.py and are not shown in the thread.

if __name__ == '__main__':
    from certifi import where
    os.environ['SSL_CERT_FILE'] = where()

    log.startLogging(sys.stdout)
    privkey = open('/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/privkey.pem', 'rt').read()
    certif = open('/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/cert.pem', 'rt').read()
    fullchain = open('/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/fullchain.pem', 'rt').read()

    from autobahn.twisted.websocket import WebSocketServerFactory
    KEYPATH2 = "/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/"
    tls_crt = os.path.join(KEYPATH2, "fullchain.pem")
    fullchain = os.path.join(KEYPATH2, "fullchain.pem")
    tls_key = os.path.join(KEYPATH2, "privkey.pem")

    # Context built from the private key and the leaf certificate only (no intermediate)
    contextFactory2 = twisted.internet.ssl.DefaultOpenSSLContextFactory(
        "/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/privkey.pem",
        "/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/cert.pem",
    )

    # Context built from the private key plus the full chain (leaf + intermediate)
    contextFactory3 = certificateOptionsFromFiles(
        '/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/privkey.pem',
        '/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/fullchain.pem')

    ServerFactory = BroadcastServerFactory
    factory = ServerFactory("wss://bernie-vs-trump.greenrobot.com:9000")  # !!!!!!!!!!!!!!!!!!
    factory.protocol = MyServerProtocol
    autobahn.twisted.websocket.listenWS(factory, contextFactory3)
    # reactor.listenSSL(9000, factory, contextFactory)
    reactor.run()
```

When I try with:
reactor.listenTCP(9000, factory) instead of
autobahn.twisted.websocket.listenWS(factory, contextFactory3)

and try to connect from Starscream on an iOS client, I get the following error:
dropping connection to peer tcp4:myip:50765 with abort=True: WebSocket opening handshake timeout (peer did not finish the opening handshake in time)

privkey = privkey.pem [yes]
certif = cert.pem [yes]
fullchain = fullchain.pem [not so sure about this - maybe it should use chain.pem file instead]

Also, I would try using fullchain.pem instead of cert.pem as in lines below:

I tried those two suggestions, and also switched from using contextFactory3 to contextFactory2 and get the same error:

sudo python3 serverssl.py
2020-02-10 12:14:13+0000 [-] Log opened.
2020-02-10 12:14:13+0000 [-] BroadcastServerFactory (TLS) starting on 9000
2020-02-10 12:14:13+0000 [-] Starting factory <__main__.BroadcastServerFactory object at 0x7fcfb761b780>
2020-02-10 12:14:15+0000 [-] SSL error: sslv3 alert certificate unknown (in ssl3_read_bytes)

Wait, what does your SSL config look like for your domain virtual host or your global apache settings?

By current industry standards SSLv3 should be disabled, preferably anything below TLSv1.2:
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Well, this is with Twisted/Python, not Apache, isn't it? https works OK as far as I know. It's port 9000 running with Autobahn (GitHub - crossbario/autobahn-python: WebSocket and WAMP in Python for Twisted and asyncio)

For Apache, I tried:

openssl s_client -connect bernie-vs-trump.greenrobot.com:443 -ssl3

and got:

s_client: Option unknown option -ssl3

From: How to Disable SSLv3 in Linux (Ubuntu, CentOS, RedHat, Debian)

Thank you.

Should this test be for port 9000 (instead of 443)?

Testing both, I see that Apache answers on :443 and shows TLSv1.2:

curl -Iki https://bernie-vs-trump.greenrobot.com:443/
HTTP/1.1 200 OK
Date: Mon, 10 Feb 2020 16:44:22 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8

New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305

While :9000 also shows TLSv1.2 but a different cipher:

 curl -Iki https://bernie-vs-trump.greenrobot.com:9000/
HTTP/1.1 405 HTTP method 'HEAD' not allowed

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Hi there, I solved my problem via someone on Twisted IRC.

In Starscream websocket client, they are by default looking for cert pinning. This solved it:

OpenSSL reports weird errors. Apparently it is not using ssl v3 even though it reports using it.

Thanks for jumping in to help.

Simplified server sample code for anyone who stumbles across this:

```python
from pem.twisted import certificateOptionsFromFiles  # from the pem package
from twisted.internet import reactor

# BroadcastServerFactory and MyServerProtocol are defined elsewhere in the
# poster's file and are not shown in the thread.

if __name__ == '__main__':
    # Private key, leaf certificate and full chain (leaf + intermediate); pem
    # picks the key and de-duplicates the certificates it finds in these files.
    contextFactory = certificateOptionsFromFiles(
        '/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/privkey.pem',
        '/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/cert.pem',
        '/etc/letsencrypt/live/bernie-vs-trump.greenrobot.com/fullchain.pem')

    ServerFactory = BroadcastServerFactory
    factory = ServerFactory("wss://0.0.0.0:9000")
    factory.protocol = MyServerProtocol
    # Listen port as posted (9001); the client code below connects to port 9000.
    reactor.listenSSL(9001, factory, contextFactory)
    reactor.run()
```

Client code:

```swift
var request = URLRequest(url: URL(string: "wss://bernie-vs-trump.greenrobot.com:9000")!)
request.timeoutInterval = 10
// Sets the timeout for the connection
// certPinner: nil disables Starscream's default certificate pinning
self.socket = WebSocket(request: request, certPinner: nil)
socket!.delegate = self
socket!.connect()
```
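The "sslv3 alert certificate unknown" message in the server log is OpenSSL's wording for a TLS alert the client sent after rejecting the server certificate; the "sslv3" part is just the legacy name of the alert protocol, and the record's own version field says which protocol actually ran. The decoder below is an added example, not code from the thread or from Twisted, Autobahn or Starscream; the sample records are constructed by hand.

```python
"""Decode the plaintext TLS alert a client sends when it rejects a certificate."""
import struct

ALERT_CONTENT_TYPE = 0x15  # TLS record ContentType for alerts

# Alert descriptions from RFC 5246 section 7.2 that relate to certificate checks
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 112: "unrecognized_name",
}
# Alerts a server operator should read as "the peer did not accept my cert"
CERT_REJECTION_CODES = {42, 43, 44, 45, 46, 48}

RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def decode_alert(record: bytes) -> dict:
    """Parse a 7-byte unencrypted alert record: type, version, length, level, description.

    A client rejecting the Certificate message sends this before keys are in
    place, so the alert body is plaintext (TLS 1.2 and earlier).
    """
    if len(record) < 7:
        raise ValueError("record too short for a TLS alert")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != ALERT_CONTENT_TYPE:
        raise ValueError(f"not an alert record (content type {ctype:#x})")
    if length != 2:
        raise ValueError("alert body must be exactly 2 bytes when unencrypted")
    level, desc = record[5], record[6]
    return {
        "version": RECORD_VERSIONS.get((major, minor), f"unknown({major}.{minor})"),
        "fatal": level == 2,
        "code": desc,
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }


def client_rejected_certificate(record: bytes) -> bool:
    """True when the alert means the peer refused the certificate we presented."""
    alert = decode_alert(record)
    return alert["fatal"] and alert["code"] in CERT_REJECTION_CODES


# Constructed samples: fatal certificate_unknown (46) and a warning close_notify
SAMPLE_CERT_UNKNOWN = b"\x15\x03\x03\x00\x02\x02\x2e"
SAMPLE_CLOSE_NOTIFY = b"\x15\x03\x03\x00\x02\x01\x00"

if __name__ == "__main__":
    print(decode_alert(SAMPLE_CERT_UNKNOWN))
```

Matching the decoded description against the certificate_unknown/unknown_ca codes is a quicker way to tell "the client does not trust or recognise my chain" apart from a protocol-version problem than reading OpenSSL's log wording.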