Crypto negotiation failed #52

Closed
gitressa opened this issue Feb 20, 2019 · 13 comments · Fixed by #84

Comments

@gitressa
Contributor

I am getting a few of these:

Crypto negotiation failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type

It looks related to this issue: https://github.com/amphp/artax/issues/174

@dantleech
Owner

Yeah, you might be able to solve this with the --insecure option, otherwise it sounds like this comment should be investigated (i.e. calling withSecurityContext(1)).

@gitressa
Contributor Author

Thanks for the suggestion. I tried adding the --insecure option, but I am still getting the "exception":"Crypto negotiation failed: message...

@dantleech
Owner

Can you provide the URL(s) that produced this exception?

@gitressa
Contributor Author

Sure, here is a URL and the result: https://www.information.dk/2004/07/generation-punkere-yuppier
{"url":"https:\/\/www.information.dk\/2004\/07\/generation-punkere-yuppier","distance":3,"status":null,"request-time":0,"exception":"Crypto negotiation failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type"}

@gitressa
Contributor Author

I just tried again with --insecure, and it seems to work now, perhaps I wasn't using the correct version while testing? Closing this issue, since Fink works as expected.

@gitressa
Contributor Author

Actually, I am still getting these, even though the --insecure parameter is included. Here are a few URLs with this behaviour:

[
  {
    "exception": "Crypto negotiation failed: Connection reset by peer",
    "status": null,
    "url": "http://www.libertyellisfoundation.org/immigration-museum"
  },
  {
    "exception": "Crypto negotiation failed: Connection reset by peer",
    "status": null,
    "url": "http://www.rspca.org.uk"
  },
  {
    "exception": "Crypto negotiation failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:141A318A:SSL routines:tls_process_ske_dhe:dh key too small",
    "status": null,
    "url": "http://www.echr.coe.int/echr"
  },
  {
    "exception": "Crypto negotiation failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:141A318A:SSL routines:tls_process_ske_dhe:dh key too small",
    "status": null,
    "url": "http://www.portugalvirtual.pt"
  },
  {
    "exception": "Crypto negotiation failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type",
    "status": null,
    "url": "http://www.kristeligt-dagblad.dk/liv-sjael/sociale-medier-goer-sorgen-nemmere"
  }
]

@gitressa gitressa reopened this Mar 30, 2019
@gitressa
Contributor Author

I did some more testing, and including the --insecure parameter does seem to make a difference, but only on the base URL, not remote URLs. With no --insecure parameter, I get this result, since SSL is not set up in my local Lando system:

[
  {
    "distance": 0,
    "exception": "Crypto negotiation failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed",
    "status": null,
    "url": "https://links.lndo.site"
  }
]

Once I include the --insecure parameter, Fink ignores the local SSL issue and continues to check external URLs as well, but then fails on them with Crypto negotiation failed, as seen in my previous post.

@dantleech
Owner

Interesting, will have a look 👍

@gitressa
Contributor Author

Sounds good, let me know if I can help debug. I just tried the links (all of them redirect from HTTP to HTTPS) with HTTPS, but got the same result, so the redirect doesn't seem to be an issue.

@dantleech
Owner

Can reproduce, it is likely related to OpenSSL versions (> 1.1 supports setting security levels, and the client defaults to 2). The PR #84 adds an option to set the security level and defaults to 1 if OpenSSL supports it (and this should mean that the above URLs work again).

Please re-open if this is not the case.

dantleech added a commit that referenced this issue Apr 3, 2019
Support setting the SSL security level
@gitressa
Contributor Author

gitressa commented Apr 4, 2019

Thanks, it works fine. I just tried the latest Master with the PR #84, and I no longer get these:

- Crypto negotiation failed: Connection reset by peer
- Crypto negotiation failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
- Crypto negotiation failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

@gitressa
Contributor Author

gitressa commented Apr 7, 2019

Now also available in the latest 0.8.0 release of Fink.

@gitressa
Contributor Author

gitressa commented Jun 2, 2019

This might have re-emerged ... quite a few of the status: null results are actually 301s:

{"distance":3,"exception":"Crypto negotiation failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed","referrer":"https:\/\/example.org\/page","referrer_title":"Producentforeningens hjemmesiden","referrer_xpath":"\/html\/body\/div\/div\/div\/section\/div[2]\/section[2]\/div\/div\/div\/div[2]\/span[2]\/p[142]\/span\/span\/a[1]","request_time":0,"status":null,"url":"http:\/\/pro-f.dk","timestamp":"2019-06-02T20:29:25+02:00"}

$ curl -I -m 4 http://pro-f.dk
HTTP/1.1 301 Moved Permanently
Date: Sun, 02 Jun 2019 19:00:09 GMT
Server: Apache/2.4.7 (Ubuntu)
Location: https://pro-f.dk/
Content-Type: text/html; charset=iso-8859-1

{"distance":3,"exception":"There were too many redirects","referrer":"https:\/\/example.org\/page","referrer_title":"Rising Scores on Intelligence Tests.","referrer_xpath":"\/html\/body\/div\/div\/div\/section\/div[2]\/section[2]\/div\/div\/div\/div[1]\/span[2]\/div\/p[24]\/a","request_time":0,"status":null,"url":"http:\/\/www.americanscientist.org\/issues\/feature\/rising-scores-on-intelligence-tests\/1","timestamp":"2019-06-02T20:30:09+02:00"}

$ curl -I -m 4 http://www.americanscientist.org/issues/feature/rising-scores-on-intelligence-tests/1
HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.2
Date: Sun, 02 Jun 2019 19:00:08 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://www.americanscientist.org/issues/feature/rising-scores-on-intelligence-tests/1

{"distance":20,"exception":"Crypto negotiation failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed","referrer":"https:\/\/example.org\/pages?page=19","referrer_title":"USNEI - U.S. Network For Education Information -- https:\/\/example.org\/page","referrer_xpath":"\/html\/body\/div\/div\/div\/section\/div[2]\/div\/div\/div\/div[3]\/div[2]\/div\/a[6]","request_time":0,"status":null,"url":"http:\/\/www.ed.gov\/about\/offices\/list\/ous\/international\/usnei\/edlite-index.html","timestamp":"2019-06-02T20:34:41+02:00"}

$ curl -I -m 4 http://www.ed.gov/about/offices/list/ous/international/usnei/edlite-index.html
HTTP/1.1 301 Moved Permanently
Date: Sun, 02 Jun 2019 19:00:08 GMT
Server: Varnish
X-Varnish: 9293798
Location: https://www.ed.gov/about/offices/list/ous/international/usnei/edlite-index.html
Content-Length: 0
Connection: keep-alive

{"distance":3,"exception":"There were too many redirects","referrer":"https:\/\/example.org\/page","referrer_title":"Timeline of Kennedy Tragedies.","referrer_xpath":"\/html\/body\/div\/div\/div\/section\/div[2]\/section[2]\/div\/div\/div\/div[1]\/span[2]\/div\/p[35]\/a","request_time":0,"status":null,"url":"http:\/\/www.infoplease.com\/spot\/kennedytimeline.html","timestamp":"2019-06-02T20:30:30+02:00"}

$ curl -I -m 4 http://www.infoplease.com/spot/kennedytimeline.html
HTTP/1.1 301 Moved Permanently
Age: 625398
Cache-Control: max-age=1209600
Content-Length: 260
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 26 May 2019 13:16:52 GMT
Expires: Sun, 09 Jun 2019 13:16:52 GMT
Location: https://www.infoplease.com/spot/kennedytimeline.html
Server: nginx
Via: varnish
X-Cache: HIT
X-Cache-Hits: 22
X-Content-Type-Options: nosniff
X-Request-ID: v-86eecec0-7fb8-11e9-9ab0-1f29bfabbb72
Connection: keep-alive

{"distance":3,"exception":"Crypto negotiation failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed","referrer":"https:\/\/example.org\/page","referrer_title":"HomeCare Online.","referrer_xpath":"\/html\/body\/div\/div\/div\/section\/div[2]\/section[2]\/div\/div\/div\/div[1]\/span[2]\/div\/p[16]\/a","request_time":0,"status":null,"url":"http:\/\/www.nahc.org","timestamp":"2019-06-02T20:30:03+02:00"}

$ curl -I -m 4 http://www.nahc.org
HTTP/1.1 301 Moved Permanently
Date: Sun, 02 Jun 2019 18:54:55 GMT
Server: Apache
X-Powered-By: PHP/5.6.31
X-Frame-Options: SAMEORIGIN
Location: https://www.nahc.org/
Content-Type: text/html; charset=UTF-8

Perhaps I can bypass it by lowering the required security level?
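
An added example, not part of the thread or of Fink's code: a triage of the crawler's JSON output that separates the two errors the thread reports fixed by the security-level change in PR #84 from certificate verification failures and redirect-limit errors, so each group can be traced to the setting that governs it. It assumes one JSON object per line with `url` and `exception` keys, as in the records quoted above; the host names in the sample are constructed placeholders.

```python
import json
import re
from collections import defaultdict

# Reason strings quoted in this thread, mapped to the client setting that governs them.
REASON_TO_CLASS = {
    # Both were reported gone once the client security level defaulted to 1 (PR #84).
    "dh key too small": "security-level",
    "wrong signature type": "security-level",
    # The thread shows --insecure suppressing this one for the base URL.
    "certificate verify failed": "certificate-verification",
}
# OpenSSL 1.1 error line: error:<hex code>:<library>:<function>:<reason>
OPENSSL_ERROR = re.compile(r"error:[0-9A-Fa-f]{8}:[^:\n]+:[^:\n]+:([^\n]+)$")

def classify(exception):
    """Map one "exception" string to (failure class, OpenSSL reason or None)."""
    if not exception:
        return ("ok", None)
    match = OPENSSL_ERROR.search(exception.strip())
    if match:
        reason = match.group(1).strip()
        return (REASON_TO_CLASS.get(reason, "other-tls"), reason)
    if "connection reset by peer" in exception.lower():
        return ("connection-reset", None)  # no OpenSSL reason to go on
    if "too many redirects" in exception.lower():
        return ("redirect-limit", None)  # not a TLS failure
    return ("other", None)

def triage(json_lines):
    """Group URLs by failure class; input is one JSON object per line."""
    groups = defaultdict(list)
    for line in filter(str.strip, json_lines):
        record = json.loads(line)
        groups[classify(record.get("exception"))[0]].append(record["url"])
    return dict(groups)

# Constructed sample: placeholder hosts, exception strings copied from the thread.
TLS_PREFIX = ("Crypto negotiation failed: stream_socket_enable_crypto(): SSL operation "
              "failed with code 1. OpenSSL Error messages:\nerror:")
SAMPLE = [json.dumps({"url": f"https://{host}.example.invalid/", "exception": exc}) for host, exc in [
    ("dh", TLS_PREFIX + "141A318A:SSL routines:tls_process_ske_dhe:dh key too small"),
    ("sig", TLS_PREFIX + "1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type"),
    ("cert", TLS_PREFIX + "1416F086:SSL routines:tls_process_server_certificate:certificate verify failed"),
    ("loop", "There were too many redirects"),
    ("reset", "Crypto negotiation failed: Connection reset by peer"),
]]
if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Only the hosts in the `security-level` group match the errors this thread reports as resolved by the lower default; a host that appears there is one whose TLS configuration the client accepts only at the reduced level.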
