url_response v4.52 - failed to connect - SSL connect error 35 / wrong signature type


Article ID: 271632


Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

Since upgrading the url_response probe to v4.52, we have been unable to connect to some HTTPS profiles. We are seeing "SSL connect error 35" reported.

 

The full log looks like:

Aug  4 11:36:33:464 [5112] url_response: [PROFILENAME] attempt 1 of 3
Aug  4 11:36:33:464 [5112] url_response: [PROFILENAME] DBG: WARNING: failed to open cookie file "PROFILENAME_cookie"
Aug  4 11:36:33:464 [5112] url_response: [PROFILENAME] DBG:   Trying x.xx.x.xx:443...
Aug  4 11:36:33:479 [5112] url_response: [PROFILENAME] DBG: Connected to (hostname).com (x.xx.x.xx) port 443 (#0)
Aug  4 11:36:33:479 [5112] url_response: [PROFILENAME] DBG: ALPN: offers http/1.1
Aug  4 11:36:33:479 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, CERT verify (15):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, illegal parameter (559):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: OpenSSL/1.1.1t: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: Closing connection 0
Aug  4 11:36:33:526 [5112] url_response: [https://(hostname/url)]: curl_easy_perform - SSL connect error (35)

Environment

Release : 20.4

Cause

The older version of url_response relies on an older version of curl and OpenSSL, which is why the older url_response probe works. The new version uses updated libraries, and the result is a negotiation failure, most likely because the server is using older/unsupported methods that the newest curl/OpenSSL do not accept (which usually means the server end is running an older version of OpenSSL).

 

This same error can be reproduced outside the context of url_response by downloading the latest version of "curl" and testing the same URL as seen in the following screenshot:

Resolution

Ultimately, this is related to a problem on the server side, most likely an older version of OpenSSL, but it could be for other reasons. We recommend upgrading OpenSSL to the latest version available.

Additionally, it may help to enable "secure renegotiation" on the server, as this error has been observed on servers where secure renegotiation is disabled.
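To find which profiles are hitting this specific failure rather than some other curl error, the following added example (not part of the original article or of the probe) parses url_response debug logs and ties each attempt's TLS messages to its final curl result. It assumes the bracketed number after the timestamp identifies the worker, so lines of one attempt can be correlated; the sample lines are constructed from the log shown above.

```python
import re
# Constructed sample modelled on this article's debug log; the [6220] lines are invented.
_line = "Aug  4 11:36:33:526 [{}] url_response: {}".format
SAMPLE_LOG = "\n".join([
    _line(5112, "[PROFILENAME] attempt 1 of 3"),
    _line(6220, "[OTHER] attempt 1 of 3"),
    _line(5112, "[PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, CERT verify (15):"),
    _line(5112, "[PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, illegal parameter (559):"),
    _line(5112, "[PROFILENAME] DBG: OpenSSL/1.1.1t: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type"),
    _line(6220, "[https://(other/url)]: curl_easy_perform - Timeout was reached (28)"),
    _line(5112, "[https://(hostname/url)]: curl_easy_perform - SSL connect error (35)"),
])

LINE = re.compile(r"^\w+\s+\d+ [\d:]+ \[(\d+)\] url_response: \[(.*?)\]:? (.*)$")
ATTEMPT = re.compile(r"attempt (\d+) of \d+")
TLS_MSG = re.compile(r"(TLSv[\d.]+) \((IN|OUT)\), TLS (handshake|alert), (.+?) \(\d+\):")
OSSL_ERR = re.compile(r"OpenSSL/(\S+): error:([0-9A-Fa-f]+):[^:]*:([^:]*):(.*)")
CURL_ERR = re.compile(r"curl_easy_perform - (.+?) \((\d+)\)")

def failed_attempts(log_text):
    """Return one record per attempt that ended in a curl_easy_perform error."""
    open_attempts, failures = {}, []  # keyed by the bracketed id (assumed: worker)
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        tid, tag, rest = m.groups()
        if (a := ATTEMPT.match(rest)):
            open_attempts[tid] = {"profile": tag, "attempt": int(a.group(1))}
            continue
        rec = open_attempts.get(tid)
        if rec is None:
            continue
        if (t := TLS_MSG.search(rest)):
            rec["tls"], direction, kind, name = t.groups()
            if kind == "alert":
                rec["alert"] = f"{direction} {name}"
            elif direction == "IN":
                rec["last_server_msg"] = name  # last handshake message received
        elif (o := OSSL_ERR.search(rest)):
            rec["openssl"], rec["code"], rec["func"], rec["reason"] = o.groups()
        elif (c := CURL_ERR.search(rest)):
            rec.update(curl=int(c.group(2)), target=tag)  # final line carries the URL
            failures.append(open_attempts.pop(tid))
    return failures

def is_sigalg_rejection(rec):
    """True when curl error 35 came from OpenSSL's 'wrong signature type'."""
    return rec.get("curl") == 35 and rec.get("reason") == "wrong signature type"

for r in failed_attempts(SAMPLE_LOG):
    print(r["profile"], r["curl"], r.get("reason"), is_sigalg_rejection(r))
```

Profiles flagged by `is_sigalg_rejection` are the ones whose servers need the review described above; other curl codes point to unrelated causes.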

 

 

Additional Information

https://updown.uservoice.com/knowledgebase/articles/1989757-what-does-the-wrong-signature-type-ssl-error-mea