Error in connecting to https website with sslv3 disabled

[outersky]

Failed to connect: HttpIoError(IoError { kind: OtherIoError, desc: "Error in OpenSSL", detail: Some("[UnknownError { library: "SSL routines", function: "SSL23_GET_SERVER_HELLO", reason: "sslv3 alert handshake failure" }]") })

[seanmonstar]

The site in question has another version enabled?

[shaleh]

I am getting this when enabling a https proxy using the new code.

$ cargo run --example client https://google.com/
     Running `/home/perryse/repos/rust/hyper-upstream/target/debug/examples/client https://google.com/`
thread '<main>' panicked at 'called `Result::unwrap()` on an `Err` value:  Ssl(OpenSslErrors([UnknownError { library: "SSL routines", function:  "SSL23_GET_SERVER_HELLO", reason: "unknown protocol" }]))', ../src/libcore/result.rs:746

note: Run with RUST_BACKTRACE=1 for a backtrace.
Process didn't exit successfully: /home/perryse/repos/rust/hyper-upstream/target/debug/examples/client https://google.com/ (exit code: 101)

Here is the diff I applied to the sample client.

diff --git a/examples/client.rs b/examples/client.rs                                                   
index 6d6a938..9c1edc8 100644                                                                          
--- a/examples/client.rs                                                                               
+++ b/examples/client.rs                                                                               
@@ -20,7 +20,8 @@ fn main() {                                                                          
         }                                                                                             
     };                                                                                                

-    let client = Client::new();                                                                       
+   let mut client = Client::new();                                                                   
+   client.set_proxy("https", "my-proxy-server", 8080);                                               

     let mut res = client.get(&*url)                                                                   
         .header(Connection::close())

[seanmonstar]

@shaleh hm, i wonder if these improved options would help? https://github.com/hyperium/hyper/tree/openssl-opts

[shaleh]

I will test it out tomorrow.

[shaleh]

No dice.

$ git log -n 2
commit 46bef474f815da055816b6e76700575b350382bf
Merge: eb2f90a 273e411
Author: Sean Perry <>
Date:   Wed Apr 27 08:12:02 2016 -0700

    Merge remote-tracking branch 'origin/openssl-opts' into shaleh/debug-proxy

commit 273e411a106dd8fd31efa8de7a969d0ffad64f47
Author: Sean McArthur <[email protected]>
Date:   Tue Apr 26 18:37:49 2016 -0700

    feat(ssl): improve default options for Openssl server and client

Here is the trace

$ RUST_BACKTRACE=1 cargo run --example client https://google.com/
Running `target/debug/examples/client https://google.com/`
thread '<main>' panicked at 'called `Result::unwrap()` on an `Err` value:   Ssl(OpenSslErrors([UnknownError { library: "SSL routines", function:  "SSL23_GET_SERVER_HELLO", reason: "unknown protocol" }]))', ../src/libcore/result.rs:746
stack backtrace:
   1:     0x7f746224c040 - sys::backtrace::tracing::imp::write::h3675b4f0ca767761Xcv
   2:     0x7f746224e7cb -  panicking::default_handler::_$u7b$$u7b$closure$u7d$$u7d$::closure.44519
   3:     0x7f746224e438 - panicking::default_handler::h18faf4fbd296d909lSz
   4:     0x7f74622423fc - sys_common::unwind::begin_unwind_inner::hfb5d07d6e405c6bbg1t
   5:     0x7f7462242888 - sys_common::unwind::begin_unwind_fmt::h8b491a76ae84af35m0t
   6:     0x7f746224b5f1 - rust_begin_unwind
   7:     0x7f746227decf - panicking::panic_fmt::h98b8cbb286f5298alcM
   8:     0x7f746209808d - result::unwrap_failed::h7894835727094893990
                    at ../src/libcore/macros.rs:29
   9:     0x7f7462095a32 - result::Result<T, E>::unwrap::h2608118172930375710
                    at ../src/libcore/result.rs:687
  10:     0x7f7462093ad9 - main::h699de4ed11b187dfkaa
                    at examples/client.rs:27
  11:     0x7f746224e094 - sys_common::unwind::try::try_fn::h14622312129452522850
  12:     0x7f746224b57b - __rust_try
  13:     0x7f746224db2b - rt::lang_start::h0ba42f7a8c46a626rKz
  14:     0x7f74620aa739 - main
  15:     0x7f7460df7ec4 - __libc_start_main
  16:     0x7f7462093628 - <unknown>
  17:                0x0 - <unknown>
Process didn't exit successfully: `target/debug/examples/client https://google.com/` (exit code: 101)

[shaleh]

Ok, this one is my fault. But may be helpful to others.

While trying to debug proxy support I had setup a proxy using scheme = HTTPS. But HTTPS is not actually supported. All traffic needs to go through HTTP, then HTTPS if needed. This was the cause of the odd ssl error. A quick way to debug this:

$ openssl s_client -connect my-proxy:8080
CONNECTED(00000004)
140284460365472:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

@seanmonstar I opened #774 to track the issue using a proxy.

[seanmonstar]

@shaleh so, the issue in this case was connecting to https://my-proxy:8080 when my-proxy doesn't support SSL?

[shaleh]

correct

[sfackler]

Seems like this can be closed.

[seanmonstar]

SSL was removed from hyper, see #985.