SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Hello everyone, I just completed installing Cardano components. When I go to the next step and try to download the configuration files, I get this error:

[ec2-user@ip-172-31-26-45 ~]$ curl -O -J https://hydra.iohk.io/build/7370192/download/1/mainnet-config.json
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

How can I fix this?

If you want to download the file, try wget if curl doesn’t work:

wget https://hydra.iohk.io/build/7370192/download/1/mainnet-config.json

Just tried it. Here is my new error:

OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.

It’s something related to SSL (port 443).

Then you can create the file manually:

Run nano mainnet-config.json and paste in all the text copied from the URL.

Save the file.

Ok thanks for the help. Let me see what I can do.

This works on my desktop without problem.

For this little text file, @Alexd1985’s solution – just create it by hand – is probably enough, but it might well be that the machine later needs to be able to do SSL connections using SSLv3 to machines with Let’s Encrypt certificates, which is what hydra.iohk.io is using. (I don’t know enough about Cardano’s internals to know if it is strictly necessary in daily operation.)

It looks like one or several of openssl, wget, curl or ca-certificates are too old on this system. Is it fully updated (sudo yum update)?


SSL V3 is pretty old stuff - and really insecure. I suggest checking your openssl version and/or configuration. You should at least have openssl version 1.1.1; if your openssl version is ok, then check the configuration in /etc. You’ll run into problems with your current configuration and there’s a good chance that you’ll get hacked if you don’t fix it.


Indeed, it’s old, but it was not the server config, but just a client connection.

Interesting that wget/curl/openssl even still try sslv3. Perhaps as a last resort? And we only get the error message of this last resort and not from the tries of the more modern protocols done before?

Thanks, I’m trying to set this up on a Mac using AWS Linux 2 AMI. I’m currently in iTerm connected to my AWS.

Checking, my SSL version is only 1.0.2k-fips. How do I update to a newer version of openssl?

As far as I can see, Amazon Linux uses yum as package manager.
So, it would be sudo yum update openssl.
But if OpenSSL is already so old, it might be the same for the other packages.
Maybe you would want to update everything: sudo yum update

Thanks. I did both sudo yum update openssl & sudo yum update. iTerm returns “No packages marked for update”.

According to the AWS Forums, the reason may be that /etc/yum.conf contains releasever=<some very old version>, where it should contain releasever=latest. Change it with some editor, for example sudo nano /etc/yum.conf.
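
An added triage script (not part of any post in this thread) for the checks suggested above: whether the local OpenSSL is at least 1.1.1, what releasever a yum.conf pins, and which TLS versions the host accepts. The function names and the TLS_TRIAGE_HOST variable are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: triage helpers for the "sslv3 alert handshake failure"
# that curl and wget report in this thread. Not code from the thread.

# Succeeds if an `openssl version` line reports OpenSSL >= 1.1.1,
# the minimum one reply recommends. Returns 2 for non-OpenSSL input.
openssl_at_least_111() {
    local ver lowest
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" {print $2}')
    [ -n "$ver" ] || return 2
    ver=${ver%%-*}        # "1.0.2k-fips" -> "1.0.2k"
    ver=${ver%%[a-z]*}    # "1.0.2k"      -> "1.0.2"
    lowest=$(printf '%s\n1.1.1\n' "$ver" | sort -V | head -n 1)
    [ "$lowest" = "1.1.1" ]
}

# Prints the releasever set in a yum.conf-style file ("unset" if absent);
# succeeds only if it is "latest", the value the thread says it should be.
yum_releasever_is_latest() {
    local val
    val=$(sed -n 's/^[[:space:]]*releasever[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${val:-unset}"
    [ "$val" = "latest" ]
}

# Tries one handshake per protocol flag, with SNI set. Needs network access.
# A non-zero exit (including a flag this openssl lacks) counts as failed.
probe_tls_versions() {
    local host=$1 flag
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if openssl s_client -connect "$host:443" -servername "$host" "$flag" \
               </dev/null >/dev/null 2>&1; then
            echo "$flag: handshake ok"
        else
            echo "$flag: failed or not supported by the local openssl"
        fi
    done
}

# Live checks run only when a host is supplied, for example:
#   TLS_TRIAGE_HOST=hydra.iohk.io bash tls-triage.sh
if [ -n "${TLS_TRIAGE_HOST:-}" ]; then
    openssl version
    openssl_at_least_111 "$(openssl version)" || echo "OpenSSL is older than 1.1.1"
    if [ -r /etc/yum.conf ]; then
        yum_releasever_is_latest /etc/yum.conf || echo "releasever is not 'latest'"
    fi
    probe_tls_versions "$TLS_TRIAGE_HOST"
fi
```

If the TLS 1.2 probe fails on the affected machine but succeeds on the desktop where the download works, the problem is the client's TLS stack rather than the server.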

Don’t use any specific Amazon-optimized OS… try to install a fresh Ubuntu Linux version.


Yep, that’s a much better idea. 👍


Yes, you will probably get much more support when using a Debian-based distro.

Ok, I am going to start fresh tomorrow. Thank you.

Thanks guys, I got it to work with Red Hat Enterprise Linux 8. Next, running the node.