Unable to establish SSL connection upon wget on Ubuntu 14.04 LTS

xanderlopez · Feb 27, 2015 · Viewed 146.3k times

I tried to download an image through wget but I got an error: Unable to establish SSL connection.

wget https://www.website.com/image.jpg
--2015-02-26 01:30:17--  https://www.website.com/image.jpg
Resolving www.website.com (www.website.com)... xx.xxx.xx.xx
Connecting to www.website.com (www.website.com)|xx.xxx.xx.xx|:443... connected.
Unable to establish SSL connection.

My test case:

  1. Using Ubuntu 12.04.4 LTS (GNU/Linux 3.8.0-44-generic x86_64), GNU Wget 1.13.4 built on linux-gnu, I was able to download the image using the code above. No error.
  2. Using Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64), GNU Wget 1.15 built on linux-gnu, I was not able to download the image using the code above.

Another variable is that www.website.com uses TLS 1.0. I have no idea how this affects wget, but if I wget an image from TLS 1.2 websites I don't get any SSL connection errors in either test case.

Is Ubuntu 14.04 or wget 1.15 not compatible with TLS 1.0 websites? Do I need to install/download any library/software to enable this connection?

Answer

Steffen Ullrich · Feb 27, 2015

... right now it happens only to the website I'm testing. I can't post it here because it's confidential.

Then I guess it is one of the sites which is incompatible with TLS1.2. The openssl as used in 12.04 does not use TLS1.2 on the client side, while with 14.04 it uses TLS1.2, which might explain the difference. To work around it, try explicitly using --secure-protocol=TLSv1. If this does not help, check if you can access the site with openssl s_client -connect ... (probably not) and with openssl s_client -tls1 -no_tls1_1 -no_tls1_2 ....

Please note that there might be other causes, but this one is the most probable, and without getting access to the site everything is just speculation anyway.

The assumed problem in detail: Usually clients use the most compatible handshake to access a server. This is the SSLv23 handshake, which is compatible with older SSL versions but announces the best TLS version the client supports, so that the server can pick the best version. In this case wget would announce TLS1.2. But there are some broken servers which never assumed that one day there would be something like TLS1.2 and which refuse the handshake if the client announces support for this hot new version (from 2008!) instead of just responding with the best version the server supports. To access these broken servers the client has to lie and claim that it only supports TLS1.0 as the best version.

Is Ubuntu 14.04 or wget 1.15 not compatible with TLS 1.0 websites? Do I need to install/download any library/software to enable this connection?

The problem is the server, not the client. Most browsers work around these broken servers by retrying with a lower version. Most other applications fail permanently if the first connection attempt fails, i.e. they don't downgrade by themselves, and one has to enforce another version through some application-specific setting.
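The negotiation the answer describes, as an added illustration that is not part of the thread: a minimal ClientHello is built with the client_version field that a setting like --secure-protocol=TLSv1 lowers, and is then fed to two simulated servers, one that negotiates correctly and one that is version-intolerant. Both servers and the version labels are constructed for this example; nothing here touches the network.

```python
import os
import struct

# Labels used only by this example; 0x0303 is what the SSLv23 handshake announces by default.
TLS_VERSIONS = {"TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
CIPHER_RSA_AES128_SHA = b"\x00\x2f"  # TLS_RSA_WITH_AES_128_CBC_SHA

def build_client_hello(announced_version):
    """Return a TLS record carrying a minimal ClientHello that announces `announced_version`."""
    body = struct.pack("!H", announced_version)          # client_version: the field at issue
    body += os.urandom(32)                               # random
    body += b"\x00"                                      # session_id length 0
    body += struct.pack("!H", 2) + CIPHER_RSA_AES128_SHA # cipher_suites (one suite)
    body += b"\x01\x00"                                  # compression_methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    # Record layer: type 22 (handshake); the record version stays 0x0301 for compatibility.
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def announced_version(record):
    """Extract client_version from a ClientHello record built as above."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    return struct.unpack("!H", record[9:11])[0]

def correct_server(record, server_max):
    """Compliant server: picks the highest version both sides support."""
    return min(announced_version(record), server_max)

def intolerant_server(record, server_max):
    """Broken server from the answer: aborts when the client announces a newer version."""
    v = announced_version(record)
    if v > server_max:
        raise ConnectionError("handshake failure: unknown client_version 0x%04x" % v)
    return v

def wget_outcome(secure_protocol, server, server_max=0x0301):
    """Simulate a single connection attempt (no retry) against a TLS 1.0-only server."""
    hello = build_client_hello(TLS_VERSIONS[secure_protocol])
    try:
        return "negotiated 0x%04x" % server(hello, server_max)
    except ConnectionError:
        return "Unable to establish SSL connection."

if __name__ == "__main__":
    for label in ("TLSv1.2", "TLSv1"):
        print(label, "->", wget_outcome(label, intolerant_server))
```

Against the compliant server both announcements end in TLS 1.0; against the intolerant one only the TLSv1 announcement succeeds, which is the behaviour the workaround relies on.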