Ssl3_Get_Record wrong version number
Since I work in MegaCorp I found a new level of security policy; for me this is a low point: not only can't I ssh home; since I changed my DynDNS provider from dym.com to afraid.org, I can't even access my webserver, because the proxy denies me access citing: «Your request was denied because of its content categorization: "Dynamic DNS Host;Suspicious"». So I can access lots of questionable content using Google cache but not my own photos, fine.
At the beginning, the classical trick of making the ssh server listen on port 443 worked fine, but at some point Network Operations managed to close that hole. This change was not communicated, so it's not clear that it was completely on purpose. I once asked for the Network Usage Policy, if it exists, but the unofficial answer was along the lines of «I'm not sure you really want to ask».
So I managed to pierce the firewall again with a further trick: wrapping ssh traffic in an SSL connection. This makes the traffic look like regular https traffic (remember, the s stands for SSL/TLS), but it encrypts the traffic twice.
Everything was smooth again, until the server crashed due to a lack of power. After I powered it on again, I found that I couldn't connect anymore. This morning I decided to take a couple of minutes to figure out why. The ssh client tells me this:
    $ ssh -v -o 'ProxyCommand openssl s_client -connect %h:%p -quiet 2>/dev/null' -p 443 foo.afraid.org
    OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
    debug1: Reading configuration data /home/user/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Executing proxy command: exec openssl s_client -connect foo.afraid.org:443 -quiet 2>/dev/null
    debug1: permanently_drop_suid: 1004
    debug1: identity file /home/user/.ssh/identity type -1
    debug1: identity file /home/user/.ssh/id_rsa type 1
    debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
    debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
    debug1: identity file /home/user/.ssh/id_dsa type -1
    ssh_exchange_identification: Connection closed by remote host
Not much info, really. From the server side I have this:
    SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
    Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
Nice, a cryptic error message, at least for me. Strangely enough, openssl by itself manages to connect alright:
    $ openssl s_client -connect foo.afraid.org:443 -ssl3
    CONNECTED(00000003)
    [...]
    SSH-2.0-OpenSSH_6.2p2 Debian-6
That's the ssh server saying hi. After some DDG'ing¹ I find this post in serverfault. The first answer itself is not very helpful, but the second one is actually the OP saying how he solved it. It's telling stunnel to accept any version of SSL client while telling SSL to ignore SSLv2. I don't understand how it fixes it, but it works, yay!
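The fix described in that serverfault answer maps onto two stunnel settings, sslVersion and options. As an added example (not code from this post or from the serverfault thread; the certificate path, the service name and the backend port are assumptions), here is the relevant part of a server-side stunnel.conf with the failing choice commented out next to the working one. The mechanism: an OpenSSL 0.9.8 s_client run without -ssl3 or -tls1 opens with an SSLv2-compatible ClientHello, which a server bound to a single SSLv3 or TLSv1 method cannot parse as an SSLv3/TLS record, hence SSL3_GET_RECORD: wrong version number; sslVersion = all selects the version-flexible (SSLv23) method that understands that hello, and options = NO_SSLv2 then refuses to actually negotiate SSLv2. That is also why the manual test with -ssl3, which sends a plain SSLv3 hello, succeeded while the ProxyCommand did not.

```ini
; /etc/stunnel/stunnel.conf on the server (path is an assumption).
; Global options must precede the service sections.

; Server certificate and key; the path is an assumption.
cert = /etc/stunnel/stunnel.pem

; Failing: a single-version method rejects the SSLv2-compatible
; ClientHello that openssl 0.9.8 s_client sends by default.
;sslVersion = TLSv1

; Working: negotiate with the version-flexible (SSLv23) method,
; then forbid SSLv2 itself from being chosen.
sslVersion = all
options = NO_SSLv2

; Today you would disable SSLv3 as well. The openssl -ssl3 check above
; would then stop working, but the ssh ProxyCommand still connects,
; because the SSLv2-compatible hello also offers TLSv1.
;options = NO_SSLv3

; Service name, listening port and backend are assumptions:
; TLS on 443, forwarded to the local sshd on 22.
[ssh]
accept = 443
connect = 127.0.0.1:22
```

After editing the file, restart stunnel and repeat the ssh -v command from the post; the server-side log should no longer show the SSL3_GET_RECORD error, and the ssh client should receive the SSH-2.0 banner through the tunnel.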
¹ DuckDuckGo is getting better by the day.