Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unexpected version number: 250 #473

Closed
ip6li opened this issue Mar 3, 2017 · 17 comments

Comments

@ip6li
Copy link

commented Mar 3, 2017

I got on dev.ssllabs.com and www.ssllabs.com following error: "Unexpected version number: 250"

Test object is test.felsing.net, which is implemented with Nginx (git/master) and OpenSSL (git/master) and offers TLSv1.3. Firefox, Chrome/Chromium are able to negotiate TLSv1.3, Internet Explorer negotiates to TLSv1.2.

@stefanb

This comment has been minimized.

Copy link

commented Mar 6, 2017

I am having the same problem on one of my sites:

Assessment failed: Unexpected version number: 250

Both nginx and openssl built from master branches:
nginx revision:

nginx $ hg parent
changeset: 6922:a72886067bbb
tag: tip
user: Eran Kornblau erankor@gmail.com
date: Thu Mar 02 08:46:00 2017 -0500
summary: Added missing static specifiers.

OpenSSL revision:

openssl $ git describe
OpenSSL_1_1_0-pre6-1809-gd080866

@bhushan5640 bhushan5640 self-assigned this Mar 6, 2017

@stefanb

This comment has been minimized.

Copy link

commented Mar 6, 2017

Thank you @bhushan5640 for looking into it.

These sites with same problem can be observed on the "Recently Seen" list:

...
Those might help you verify your fix.

I can confirm that the issue is still present on the freshly rebuilt nginx:

nginx $ hg parent
changeset: 6923:fbdaad9b0e7b
tag: tip
user: Ruslan Ermilov ru@nginx.com
date: Mon Mar 06 11:09:47 2017 +0300
summary: Added missing "static" specifiers found by gcc -Wtraditional.

using latest OpenSSL revision:

openssl $ git describe
OpenSSL_1_1_0-pre6-1818-ge498d95

@hotaru2k3

This comment has been minimized.

Copy link

commented Mar 11, 2017

the same thing happens with Apache 2.4 and OpenSSL git/master with TLS 1.3 enabled.

tls13.cloudflare.com uses TLS 1.3 with chrome but doesn't have this issue, so not all TLS 1.3 sites are affected:
https://dev.ssllabs.com/ssltest/analyze.html?d=tls13.cloudflare.com

@Night1

This comment has been minimized.

Copy link

commented Mar 15, 2017

I see the same issue, Modding ciphers list to only serv TLSv1.2 has no effect.

built nginx and openssl from source with tls v1,3 enabled,

openssl: OpenSSL_1_1_0-pre6-1871-g2256f45 and same after update to OpenSSL_1_1_0-pre6-1891-ga5bb1aa

I've included build instructions;

nginx version: nginx/1.11.10 built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) built with OpenSSL 1.1.1-dev xx XXX xxxx TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-pcre=../pcre-8. 40 --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-openssl=../openssl --with-openssl-opt=enable-tls1_3 --with-http_gzip_static_m odule --with-http_addition_module --with-http_geoip_module --with-http_dav_module --with-http_stub_status_module --with-http_sub_module --with-http_ssl_module --wi th-stream --with-stream_ssl_module --with-mail=dynamic --with-http_v2_module --add-dynamic-module=/opt/nginx-ct --with-mail=dynamic

@bhushan5640

This comment has been minimized.

Copy link
Collaborator

commented Mar 17, 2017

We will deploy fix asap. Test used to fail while testing SSL v2.

Updated openssl responds unexpectedly while testing SSL v2 where we observe unexpected version number.

@Night1

This comment has been minimized.

Copy link

commented Mar 17, 2017

Thank you @bhushan5640,

Any idea why it triggers for some while not others?

@bhushan5640

This comment has been minimized.

Copy link
Collaborator

commented Mar 17, 2017

I see this issue Openssl specific. All other TLS 1.3 implementations seems to be working with SSL Labs.
https://github.com/tlswg/tls13-spec/wiki/Implementations

@Night1

This comment has been minimized.

Copy link

commented Mar 17, 2017

TLSv1.3 is still in draft, so odd behavior is expected.

I have an old build with openssl draft18, that works. so looks like when upgraded from draft18 to 19 fault came.

@Henrocker

This comment has been minimized.

Copy link

commented Mar 18, 2017

@Night1 Upgrading to draft-19 triggers the error, as well as the current draft-18 branch of openssl... My Website here also says Incorrect Version number 250 although I use openssl's branch: tls1.3-draft-18.

@bhushan5640 bhushan5640 added the bug label Mar 24, 2017

@bhushan5640

This comment has been minimized.

Copy link
Collaborator

commented Mar 24, 2017

Deployed fix on dev.ssllabs.com. Please verify.
Note: SSL Labs will not give results for hosts that support TLS 1.3 only for now.

@Henrocker

This comment has been minimized.

Copy link

commented Mar 24, 2017

Works, www.henrock.net is testable. Thank you!

@stefanb

This comment has been minimized.

Copy link

commented Mar 24, 2017

Works for me too! Thanks!

@Night1

This comment has been minimized.

Copy link

commented Mar 25, 2017

@bhushan5640
Thank you works fine :)

Is there an eta on TLSv1.3 support?

@bhushan5640

This comment has been minimized.

Copy link
Collaborator

commented Mar 27, 2017

@Night1 expect it soon :)

@Henrocker

This comment has been minimized.

Copy link

commented Jun 9, 2017

Thank you, that TLS1.3 gets tested as well now.

@Night1

This comment has been minimized.

Copy link

commented Jun 10, 2017

@bhushan5640 Great work on TLS1.3, any word on when/if draft 20 will be supported`?

@bhushan5640

This comment has been minimized.

Copy link
Collaborator

commented Jun 10, 2017

we will upgrade to draft 20 as soon as browsers start rolling out draft 20

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
6 participants
You can’t perform that action at this time.