SSL Fails at 1.4.36 and 1.4.35

Discussion in 'OpenLiteSpeed Bug Reports' started by fidojones, Aug 11, 2018.

  1. fidojones

    fidojones New Member

    I'm using version by version all 1.4 releases and in last two versions 1.4.36 and 1.4.35 and obtaining this error:

    With CURL or W3m linux command line browsers:

    * TCP_NODELAY set
    * Connected to ( port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS alert, Server hello (2):
    * error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
    * stopped the pause stream!
    * Closing connection 0
    curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

    In firefox:

    In chrome:

    If I downgraded to 1.4.34 all works fine. All works fine from 1.4.34 and below

    Debugging with openssl I obtain this (The certificates used are from Let'sencrypt):

    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: X25519, 253 bits
    SSL handshake has read 2200 bytes and written 269 bytes
    Verification error: unable to verify the first certificate
    New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 2F080BF8523485C1264E5683F70F104FA76D2A738815DA0CF67DE6357478B06E
    Master-Key: ED8B3C3C8641C17A5BEAAC407146687E483029904B86C9FB63A6DBE58AA117EA6D03C88CCC78F81C3176E96B85E8215F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 216000 (seconds)
    TLS session ticket:

    Start Time: 1534013128
    Timeout : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
  2. lsqtwrk

    lsqtwrk New Member


    Could you please post your configuration file or content ? or step of reproduce ?

    Best regards,
  3. fidojones

    fidojones New Member

    I installed a new test server today, debian 9 stretch clean. I installed openlitespeed 1.4.36 clean. Configure a simple virtualhost without php. I added a simple letsencrypt SSL and same result you could call here I attached my configuration.

    Attached Files:

  4. David

    David New Member


    I did a installation with the latest openlitespeed package on debian 9 and it is good for SSL.
    MY config is (Beside the default conf)
    listener Defaultssl {
    address *:443
    secure 1
    map Example *
    keyFile /usr/local/lsws/conf/example.key
    certFile /usr/local/lsws/conf/example.crt​

    and vhost for ssl is
    vhssl {
    keyFile /usr/local/lsws/conf/example.key
    certFile /usr/local/lsws/conf/example.crt​

    or do not set ssl in Vhost.

    So do you install from source code or from the package?

  5. fidojones

    fidojones New Member

    Mi openlitespeed is compiled, and yes if you see my config files, I had the same config as you. I have three servers working now with openlitespeed 1.4.34 version and they are working perfect. For example if working with SSL perfect with 1.4.34. If I upgrade to 1.4.35 or 1.4.36 it stop working without touch config.
  6. David

    David New Member

    Do you have any ciphers setting in the config?
  7. fidojones

    fidojones New Member

    Dear David I attached a simple config in previous post if you want to check it. And no, I don't have any ciphers defined. This morning I did a clean installation to test if some config were wrong. And with the default config it fails with the same result. In the last two versions 1.4.35 and 1.4.36 a lot of changes in SSL where introduced. may be there is a bug (I reported another bugs in the past, that really were bugs).
  8. David

    David New Member

  9. David

    David New Member

    BTW, if you want to do the re-installation with ols1clk, please rename your previous installation directory.
    Such as
    ./>mv /use/local/lsws /use/local/lsws_bak
    Because ols1clk will always install to this directory.
  10. fidojones

    fidojones New Member

    Dear david I tested the ols1clk and it works FINE, but if you compiled it it doesn't. So I think the bug is when you compile it. Perhaps when you compile it from source and openlitespeed download openssl 1.1.1 beta library the problem it's there. I don't know what version of openssl library is compiled in debian packages but the error is there. Another people have the same problem you can check it:

    (this is exactly my error)
  11. David

    David New Member

    The source code compiling and the RPM actually are the same. They both are using openssl-1.1.1.
    Actually I always use openssl 1.1.1 for testing on different platforms and never saw such issue.
    I will keep checking if can find something wrong.
    Please try to use RPM package or try to build boringSSL if you can, then you can use boringSSL while doing the configure.
    Btw, branch v1_5 code is a little bit out of date. I will release a new V1.5.0RC later to sync all of the v1_4 changes.
  12. David

    David New Member

    Sorry, I did not see what your platform is.
    Can you tell me that and I will try to do test on the same platform?
  13. fidojones

    fidojones New Member

    Well I compiled 1.4.36 with Boring SSL and now it works fine, without touching anything.

    ./configure --with-bssl=../boringssl --with-group=nogroup
    make install

    If I compile with:

    ./configure --with-group=nogroup
    make install

    The compilation scripts download openssl (1.1.1-pre8)

    "Will build latest stable openssl libraries for you, this may take several minutes .."

    And restart server it gives an "SSL_ERROR_NO_CYPHER_OVERLAP"

    So the problem is with openssl. So the but exists, if you want try to compile in a clean system. If you want I can give you access to my test debian 9 machine, to test the error.
  14. David

    David New Member

    Thank you for your feedback.
    I have a Debian 9 platform to test and did some test, I will re-test on it to verify there is a bug or not.
    And I am glad that you can build BoringSSL and use it in openlitespeed, this way is good.
  15. Meaple

    Meaple New Member

    I thought I'd piggyback off this thread since I'm having the same issue.

    I've noticed in 1.4.35 and 1.4.36 I get the same error as OP, certainly in Chrome and in Firefox I get the error "SSL_ERROR_INTERNAL_ERROR_ALERT". OpenSSL version in 1.4.34 and below uses 1.0.2 but 1.4.35> is using 1.1.1 pre8. For now, I am using older ciphers to allow some browsers to connect.

    I'm currently on OpenLitespeed 1.4.36 with OpenSSL 1.1.1 pre8 on Amazon Linux 2018.03. My standard OpenSSL version currently installed is 1.0.2k. I am using OpenLitespeed from the CentOS 6 based repo. The way I see it, I need to compile a new version of OpenSSL and replace it with the OpenSSL 1.1.1 pre8 version that OpenLitespeed uses but I am not sure how OLS is plugged into OpenSSL.

    The only thing to note about the config. No config changed from version to version except I had to rebuild the config from scratch. Any guidance is appreciated.
  16. David

    David New Member

    You can download the latest code and exact to new DIR to build, just like,
    ./configure .......; make

    Then you can stop your server and copy the output file "src/openlitespeed" to "/usr/local/lsws/bin/", you may want to make a backup before you overwrite the binary.
    And now you can start the service.
  17. Meaple

    Meaple New Member

    The point is more of the fact that there is a repo to use and I should be able to use that without any difficulties. I do understand that I'm using Amazon Linux with a CentOS repo but Amazon Linux is based on CentOS anyway. I like using repos as I don't have to do much other than configuring the application itself once it's installed. And if Litespeed Tech is offering this to me, I'm certainly going to take it.

    Just to confirm, TLS1.2 and above does not exist in 1.4.36 at least, but I would assume since 1.4.35 as it is using the same OpenSSL version.

Share This Page