url_response v4.52 - failed to connect - SSL connect error 35 / wrong signature type

Article ID: 271632

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)

  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)

  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

Since upgrading the url_response probe to v4.52 we have been unable to connect to some HTTPS profiles.  We are seeing "SSL connect error 35" reported.

The full log looks like:

Aug  4 11:36:33:464 [5112] url_response: [PROFILENAME] attempt 1 of 3
Aug  4 11:36:33:464 [5112] url_response: [PROFILENAME] DBG: WARNING: failed to open cookie file "PROFILENAME_cookie"
Aug  4 11:36:33:464 [5112] url_response: [PROFILENAME] DBG:   Trying x.xx.x.xx:443...
Aug  4 11:36:33:479 [5112] url_response: [PROFILENAME] DBG: Connected to (hostname).com (x.xx.x.xx) port 443 (#0)
Aug  4 11:36:33:479 [5112] url_response: [PROFILENAME] DBG: ALPN: offers http/1.1
Aug  4 11:36:33:479 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, CERT verify (15):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, illegal parameter (559):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: OpenSSL/1.1.1t: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: Closing connection 0
Aug  4 11:36:33:526 [5112] url_response: [https://(hostname/url)]: curl_easy_perform - SSL connect error (35)

Environment

  • Release: 20.4

Cause

The older version of url_response relies on an older version of curl and OpenSSL, which is why the older probe still works. The new version uses updated libraries, and with them the TLS negotiation fails. This is most likely due to the server using older or unsupported methods that the newest curl/OpenSSL reject (which usually means the server end is running an older version of OpenSSL).
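To check whether a failing profile matches this cause, the following added example (not part of the original article or of the url_response probe) parses probe debug lines like those in the log above and reports where the handshake stopped, which side sent the alert, and the OpenSSL reason. The function name `triage` and the returned field names are assumptions made for this illustration.

```python
import re

# Sample input: lines copied from the log excerpt in this article.
SAMPLE_LOG = """\
Aug  4 11:36:33:479 [5112] url_response: [PROFILENAME] DBG: Connected to (hostname).com (x.xx.x.xx) port 443 (#0)
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, CERT verify (15):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, illegal parameter (559):
Aug  4 11:36:33:526 [5112] url_response: [PROFILENAME] DBG: OpenSSL/1.1.1t: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
Aug  4 11:36:33:526 [5112] url_response: [https://(hostname/url)]: curl_easy_perform - SSL connect error (35)
"""

# Patterns for the probe prefix, curl's TLS trace lines, the OpenSSL error and the curl result.
LINE = re.compile(r"url_response: \[(?P<tag>[^\]]+)\]:? (?P<msg>.*)$")
TLS = re.compile(r"(?P<ver>TLSv[\d.]+) \((?P<dir>IN|OUT)\), TLS (?P<kind>handshake|alert), (?P<name>.+?) \(\d+\):")
OSSL = re.compile(r"OpenSSL/(?P<lib>\S+): error:(?P<code>[0-9A-F]+):[^:]*:(?P<func>[^:]+):(?P<reason>.+)$")
CURL = re.compile(r"curl_easy_perform - (?P<text>.+) \((?P<rc>\d+)\)")

def triage(log_text):
    """Return one dict per failed connection attempt found in the log."""
    findings, cur = [], {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        msg = m["msg"]
        if (t := TLS.search(msg)):
            if t["kind"] == "handshake" and t["dir"] == "IN":
                cur["last_server_msg"] = t["name"]    # last message received from the server
            elif t["kind"] == "alert":
                cur["alert"] = (t["dir"], t["name"])  # OUT = alert sent by the client
            cur["tls"] = t["ver"]
        elif (o := OSSL.search(msg)):
            cur.update(openssl=o["lib"], code=o["code"], func=o["func"], reason=o["reason"])
        elif (c := CURL.search(msg)):
            cur.update(curl_rc=int(c["rc"]), target=m["tag"])
            # True when the probe's own OpenSSL refused the server's signature algorithm.
            cur["client_rejected_sigalg"] = (
                cur.get("func") == "tls12_check_peer_sigalg"
                and cur.get("alert", ("", ""))[0] == "OUT")
            findings.append(cur)
            cur = {}
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with `client_rejected_sigalg` set to true and `last_server_msg` equal to `CERT verify` is the pattern in this article: the handshake was aborted by the probe's updated libraries, not by the server.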

This same error can be reproduced outside the context of the UIM url_response probe by downloading the latest version of "curl" and testing the same URL as seen in the following screenshot:

Resolution

  • Ultimately this is related to a problem on the server side - most likely an older version of OpenSSL but it could be for other reasons.

  • We recommend upgrading OpenSSL to the latest version available.

  • Additionally, it may help to enable "secure renegotiation" on the server, as this error has been observed on servers where it is disabled.


Additional Information