SSL error: sslv3 alert certificate unknown (in ssl3_read_bytes) With Autobahn Python Twisted on Ubuntu

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

sudo python3

It produced this output:
2020-02-10 01:13:58+0000 Log opened.

2020-02-10 01:13:58+0000 BroadcastServerFactory (TLS) starting on 9000

2020-02-10 01:13:58+0000 Starting factory <main.BroadcastServerFactory object at 0x7f6583a77780>

2020-02-10 01:14:00+0000 SSL error: sslv3 alert certificate unknown (in ssl3_read_bytes)

My web server is (include version):
Apache. (Although this is a Python secure websocket server issue).
I am using Twisted Autobahn.

The operating system my web server runs on is (include version):
Ubuntu 18.

Here’s Mac
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Here’s my code. A whole lot of things, trying to get it working:

if __name__ == '__main__':
   import os
   from certifi import where
   os.environ['SSL_CERT_FILE'] = where()
   privkey=open('/etc/letsencrypt/live/', 'rt').read()
   certif=open('/etc/letsencrypt/live/', 'rt').read()
   fullchain=open('/etc/letsencrypt/live/', 'rt').read()

   from autobahn.twisted.websocket import WebSocketServerFactory
   KEYPATH2 = "/etc/letsencrypt/live/"
   tls_crt = os.path.join(KEYPATH2, "fullchain.pem")
   fullchain = os.path.join(KEYPATH2, "fullchain.pem")
   tls_key = os.path.join(KEYPATH2, "privkey.pem")
   contextFactory2 = twisted.internet.ssl.DefaultOpenSSLContextFactory(

   contextFactory3 = certificateOptionsFromFiles(

   ServerFactory = BroadcastServerFactory
   factory = ServerFactory("wss://") #!!!!!!!!!!!!!!!!!!    
   factory.protocol = MyServerProtocol
   autobahn.twisted.websocket.listenWS(factory, contextFactory3)
   #reactor.listenSSL(9000, factory, contextFactory)

When I try with:
reactor.listenTCP(9000, factory) instead of
autobahn.twisted.websocket.listenWS(factory, contextFactory3)

and try to connect from Starscream on an iOS client, I get the following error:
dropping connection to peer tcp4:myip:50765 with abort=True: WebSocket opening handshake timeout (peer did not finish the opening handshake in time)

privkey = privkey.pem [yes]
certif = cert.pem [yes]
fullchain = fullchain.pem [not so sure about this - maybe it should use chain.pem file instead]

Also, I would try using fullchain.pem instead of cert.pem as in lines below:

I tried those two suggestions, and also switched from using contextFactory3 to contextFactory2 and get the same error:

sudo python3
2020-02-10 12:14:13+0000 [-] Log opened.
2020-02-10 12:14:13+0000 [-] BroadcastServerFactory (TLS) starting on 9000
2020-02-10 12:14:13+0000 [-] Starting factory <__main__.BroadcastServerFactory object at 0x7fcfb761b780>
2020-02-10 12:14:15+0000 [-] SSL error: sslv3 alert certificate unknown (in ssl3_read_bytes)```

Wait, what does your SSL config look like for your domain virtual host or your global apache settings?

By current industry standards SSLv3 should be disabled, preferably anything below TLSv1.2:
SSL Protocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1. 1

1 Like

Well, this is with Twisted/Python, not Apache, isn’t it? https works OK as far as I know. It’s port 9000 running with Autobahn (

For Apache, I tried:

openssl s_client -connect -ssl3

and got:

s_client: Option unknown option -ssl3


Thank you.

Should this test be for port 9000 (instead of 443)?

Testing both, I see that Apache answers on :443 and shows TLSv1.2:

curl -Iki
HTTP/1.1 200 OK
Date: Mon, 10 Feb 2020 16:44:22 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8

New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305

While :9000 also shows TLSv1.2 but a different cipher:

 curl -Iki
HTTP/1.1 405 HTTP method 'HEAD' not allowed

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Hi there, I solved my problem via someone on Twisted IRC.

In Starscream websocket client, they are by default looking for cert pinning. This solved it:

OpenSSL reports weird errors. Apparently it is not using ssl v3 even though it reports using it.

1 Like

Thanks for jumping in to help.

1 Like

Simplified server sample code for anyone who stumbles across this:

   contextFactory = certificateOptionsFromFiles(
   ServerFactory = BroadcastServerFactory
   factory = ServerFactory("wss://")   
   factory.protocol = MyServerProtocol
   reactor.listenSSL(9001, factory, contextFactory)

Client code:

        var request = URLRequest(url: URL(string: "wss://")!)
        request.timeoutInterval = 10
        // Sets the timeout for the connection
        self.socket = WebSocket(request: request, certPinner: nil)
        socket!.delegate = self

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.