Fixing SSL Handshake with PHP5 and Curl
I ran across an interesting issue tonight doing a server upgrade. I built a new cc1.4xlarge instance at Amazon AWS to replace the older instance that powered our webserver roles. The new server ran Ubuntu 12.04, while the old one was on 10.04. After upgrading I noticed a few scripts failing to make an SSL handshake (my script, through curl, connecting to an https endpoint). What was weird was that some SSL endpoints worked fine while others crashed with this error:
error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
I had no idea what to make of it, but some quick Google research brought up a few interesting issues with the new openssl libraries in Ubuntu, and apparently a new cipher byte restriction causing some weird issues. You can read more about the problems others are facing here:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/986147
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/861137
Well, according to the bug reports, which are marked as fixed, our servers should be fine. I checked and we are using the newest openssl package for Ubuntu: 1.0.1-4ubuntu5.3. This was a do-or-die situation. I HAD to figure this out or roll back the new server upgrade to the old OS.
The good news is I fixed it in our PHP scripts and here’s what I did:
curl_setopt($ch, CURLOPT_SSLVERSION, 1); // 1 = CURL_SSLVERSION_TLSv1: send a TLSv1 ClientHello instead of letting libcurl auto-negotiate (SSLv23)
I noticed a few comments saying that if you forced SSL version 1 on the command line everything would work. I took that advice and ported it to the PHP/Curl version, and everything works fine for now. Hopefully the issues get resolved in the future and I can remove the hack.
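An added example (mine, not code from the post) showing the fix in context: a small PHP wrapper that pins the handshake to TLSv1 as above while keeping peer and hostname verification on, and reports the libcurl error so a protocol-version alert is distinguishable from a certificate problem. The endpoint URL is a placeholder.

```php
<?php
// Added example, not the original post's code: fetch an HTTPS endpoint with
// the TLS version pinned to TLSv1 (the post's workaround) while keeping
// certificate and hostname verification enabled. The URL is a placeholder.

function https_get_tlsv1($url, $timeout = 15)
{
    // PHP 5.5+ defines CURL_SSLVERSION_TLSv1; on older PHP (e.g. 5.3 on
    // Ubuntu 12.04) the raw value 1 means the same thing to libcurl.
    $tlsv1 = defined('CURL_SSLVERSION_TLSv1') ? CURL_SSLVERSION_TLSv1 : 1;

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);

    // The workaround from the post: skip SSLv23 auto-negotiation and send a
    // TLSv1 ClientHello, which the affected servers accept.
    curl_setopt($ch, CURLOPT_SSLVERSION, $tlsv1);

    // Pinning the protocol version is not a reason to drop verification: the
    // peer certificate must still chain to a trusted CA and match the host.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    $code  = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    return array(
        'ok'    => ($errno === 0 && $code >= 200 && $code < 300),
        'code'  => $code,
        'errno' => $errno,  // CURLE_SSL_CONNECT_ERROR (35) on handshake failure
        'error' => $error,  // the OpenSSL alert text, e.g. the one quoted above
        'body'  => $body,
    );
}

$result = https_get_tlsv1('https://api.example.com/status'); // placeholder URL
if (!$result['ok']) {
    // Log the libcurl error number and text; surfacing them is what tells you
    // whether the failure is a protocol-version alert or a bad certificate.
    error_log(sprintf('HTTPS request failed (curl %d): %s',
                      $result['errno'], $result['error']));
    exit(1);
}
echo $result['body'];
```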