SSL Fails at 1.4.36 and 1.4.35

I'm using version by version all 1.4 releases and in last two versions 1.4.36 and 1.4.35 and obtaining this error:

With CURL or W3m linux command line browsers:

* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

In firefox:

In chrome:

If I downgraded to 1.4.34 all works fine. All works fine from 1.4.34 and below

Debugging with openssl I obtain this (The certificates used are from Let'sencrypt):

No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
SSL handshake has read 2200 bytes and written 269 bytes
Verification error: unable to verify the first certificate
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 2F080BF8523485C1264E5683F70F104FA76D2A738815DA0CF67DE6357478B06E
Master-Key: ED8B3C3C8641C17A5BEAAC407146687E483029904B86C9FB63A6DBE58AA117EA6D03C88CCC78F81C3176E96B85E8215F
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 216000 (seconds)
TLS session ticket:

Start Time: 1534013128
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes


Active Member

I did a installation with the latest openlitespeed package on debian 9 and it is good for SSL.
MY config is (Beside the default conf)
listener Defaultssl {
address *:443
secure 1
map Example *
keyFile /usr/local/lsws/conf/example.key
certFile /usr/local/lsws/conf/example.crt​

and vhost for ssl is
vhssl {
keyFile /usr/local/lsws/conf/example.key
certFile /usr/local/lsws/conf/example.crt​

or do not set ssl in Vhost.

So do you install from source code or from the package?

Mi openlitespeed is compiled, and yes if you see my config files, I had the same config as you. I have three servers working now with openlitespeed 1.4.34 version and they are working perfect. For example if working with SSL perfect with 1.4.34. If I upgrade to 1.4.35 or 1.4.36 it stop working without touch config.
Dear David I attached a simple config in previous post if you want to check it. And no, I don't have any ciphers defined. This morning I did a clean installation to test if some config were wrong. And with the default config it fails with the same result. In the last two versions 1.4.35 and 1.4.36 a lot of changes in SSL where introduced. may be there is a bug (I reported another bugs in the past, that really were bugs).


Active Member
BTW, if you want to do the re-installation with ols1clk, please rename your previous installation directory.
Such as
./>mv /use/local/lsws /use/local/lsws_bak
Because ols1clk will always install to this directory.
Dear david I tested the ols1clk and it works FINE, but if you compiled it it doesn't. So I think the bug is when you compile it. Perhaps when you compile it from source and openlitespeed download openssl 1.1.1 beta library the problem it's there. I don't know what version of openssl library is compiled in debian packages but the error is there. Another people have the same problem you can check it:

(this is exactly my error)


Active Member
The source code compiling and the RPM actually are the same. They both are using openssl-1.1.1.
Actually I always use openssl 1.1.1 for testing on different platforms and never saw such issue.
I will keep checking if can find something wrong.
Please try to use RPM package or try to build boringSSL if you can, then you can use boringSSL while doing the configure.
Btw, branch v1_5 code is a little bit out of date. I will release a new V1.5.0RC later to sync all of the v1_4 changes.
Well I compiled 1.4.36 with Boring SSL and now it works fine, without touching anything.

./configure --with-bssl=../boringssl --with-group=nogroup
make install

If I compile with:

./configure --with-group=nogroup
make install

The compilation scripts download openssl (1.1.1-pre8)

"Will build latest stable openssl libraries for you, this may take several minutes .."

And restart server it gives an "SSL_ERROR_NO_CYPHER_OVERLAP"

So the problem is with openssl. So the but exists, if you want try to compile in a clean system. If you want I can give you access to my test debian 9 machine, to test the error.


Active Member
Thank you for your feedback.
I have a Debian 9 platform to test and did some test, I will re-test on it to verify there is a bug or not.
And I am glad that you can build BoringSSL and use it in openlitespeed, this way is good.
I thought I'd piggyback off this thread since I'm having the same issue.

I've noticed in 1.4.35 and 1.4.36 I get the same error as OP, certainly in Chrome and in Firefox I get the error "SSL_ERROR_INTERNAL_ERROR_ALERT". OpenSSL version in 1.4.34 and below uses 1.0.2 but 1.4.35> is using 1.1.1 pre8. For now, I am using older ciphers to allow some browsers to connect.

I'm currently on OpenLitespeed 1.4.36 with OpenSSL 1.1.1 pre8 on Amazon Linux 2018.03. My standard OpenSSL version currently installed is 1.0.2k. I am using OpenLitespeed from the CentOS 6 based repo. The way I see it, I need to compile a new version of OpenSSL and replace it with the OpenSSL 1.1.1 pre8 version that OpenLitespeed uses but I am not sure how OLS is plugged into OpenSSL.

The only thing to note about the config. No config changed from version to version except I had to rebuild the config from scratch. Any guidance is appreciated.


Active Member
You can download the latest code and exact to new DIR to build, just like,
./configure .......; make

Then you can stop your server and copy the output file "src/openlitespeed" to "/usr/local/lsws/bin/", you may want to make a backup before you overwrite the binary.
And now you can start the service.
The point is more of the fact that there is a repo to use and I should be able to use that without any difficulties. I do understand that I'm using Amazon Linux with a CentOS repo but Amazon Linux is based on CentOS anyway. I like using repos as I don't have to do much other than configuring the application itself once it's installed. And if Litespeed Tech is offering this to me, I'm certainly going to take it.

Just to confirm, TLS1.2 and above does not exist in 1.4.36 at least, but I would assume since 1.4.35 as it is using the same OpenSSL version.
And finally 1.4.39 solved all, works fine again:

V1.4.39 (Stable)

Server Core
  • [Update] Reverted default OpenSSL v1.1.1 back to the more stable v1.1.0i.