rusacarr has asked for the wisdom of the Perl Monks concerning the following question:

Hello all, I'm asking for advice from the SSL/OpenSSL guru's here.

I've been writing several scripts to use OpenSSL/LWP/Crypt_SSLeay to POST requests to remote websites to upload and download files. All has been going well until my latest script to a new server. I have been having problems downloading files from this server where the SSL request does not receive a response for 10 minutes, then errors out with this:
Error while sending the Request to https://<i>hostname</i> -- 500 read failed: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

I have Googled a few forums and discovered that some believe this is due to a handshakeing issue in SSL and can be resolved under OpenSSL via a SSL_OP_TLS_ROLLBACK_BUG option flag.

My question is, "Can anybody help me understand what the real problem is, and how I can set an OpenSSL flag when I'm using an LWP->UserAgent/HTTP->Request setup to handle the transfers?"

I've read that this appears to be an issue where the server and client first agree on a higher SSL version number, then the client sends a latter request to the server with a lower version number, due to a bad response from the server. Under strict SSL validation, this is not allowed. Yet I've seen no mention of this topic on PerlMonks, so I wonder if I'm doing something wrong. I can post the code, but snippits would be better since it's fairly big. (automating EDI file transfers)

I'm running Win2k
ActivePerl v.5.8.0 for MSWin32-x86-multi-thread.
OpenSSL v.0.9.7b
Crypt-SSLeay v.0.51
LWP 5.68

Server response header says the server is: 

Server: Microsoft-IIS/5.0
Server: WebSphere Application Server/5.0

[download]

Thanks.

Here's snippets of the simplified code:

use strict;    # of course.
use warnings;
use Carp;
use LWP::UserAgent;
use LWP::Debug qw(+);
use HTTP::Request;
....
$ua = LWP::UserAgent->new(timeout => 90);
$ua->agent("ediscript/0.5 ");
#   Establish a memory resident, temporary cookie jar (database) to ho
+ld any used cookies.
$ua->cookie_jar({});
....
###  Code to construct XML content string
my $res = sendRequest($dnldContent, $dnldURL)

print $res;
....

sub sendRequest {
    my $reqXML = shift || return undef;
    my $reqURL = shift || return undef;

    my $req = HTTP::Request->new(POST => $reqURL);
    $req->content_type('text/xml');

    $req->content($reqXML);

    my $res = $ua->request($req);

    croak "Error while sending the Request to ", $res->request->uri, "
+ -- ", $res->status_line, "\n"
        unless $res->is_success;

    return $res->content;
}

[download]

Replies are listed 'Best First'.
Re: SSL Transfer error 'wrong version number'
by idsfa (Vicar) on Oct 10, 2003 at 04:04 UTC

    Well, this man page suggests that this occurs, as you say, when the client changes its SSL protocol values in a effort to be "helpful". Digging through Net::SSL suggests that this in fact is done by Crypt:SSLeay: 

    $args{SSL_Version} = 3;
# the new connect might itself be overridden with a REAL SSL
my $new_ssl = Net::SSL->new(%args);
$REAL{$self} = $REAL{$new_ssl} || $new_ssl;

    [download]

    But I'm still investigating. What are the allowed values for SSL on your IIS server? Also, do they match the values for your WebSphere?

    Remember, when you stare long into the abyss, you could have been home eating ice cream.
[reply]
[d/l]
      Unfortunately, the IIS and Websphere servers are not mine. They belong to a remote client I'm attempting to connect to, and download datafiles from. I'm writing the client.

      I have not been able to find a way using LWP to pass a low level call (for SSL_CTX_Set_Options()) down to Crypt, so thinking about just hacking the module itself to include it. As to what SSL values are allowed by the servers, I don't know since the client won't return my calls.

      I have added code to my script $ENV{HTTPS_VERSION} = 3; to attempt to force HTTPS into version 3 (I've also tried version 2), but it has no affect. I've also began setting an allowed protocol list for the UA object, $ua->protocols_allowed( ['https'] ); just to be safe.

      Thanks for the help, please let me know if/when you find anything. I'll update this node when I find anything.

      P.S. - Currently, there are 17 files available for me to download from the remote server, I can download 15 files perfectly, but there are 2 files (always the same) that lock up like this. Also, I discovered yesterday that since I'm doing this on a Windows platform that is sans alarm(), then my timeout logic will never work! Nice! Trying to convince my boss to go to Linux.

[reply]
[d/l]
[select]

        You may find stunnel a useful tool for diagnosing the issue. Net::APP even provides an example of using this inside of perl code. Not an ideal solution, but the diagnostics are better and might show you where the problem is.

        Remember, when you stare long into the abyss, you could have been home eating ice cream.
[reply]

Back to Seekers of Perl Wisdom