An error occurs when openssl is used in C :SSL connection failed:sslv3 alert handshake failure

doubleniu (Registered member)
2023-02-28 10:15

This error usually indicates that the SSL connection failed, possibly because of a protocol or cipher suite mismatch between the client and server. The SSL/TLS protocol version and cipher suite must be agreed between the client and server, otherwise the connection will fail.

In this code, SSLv23_client_method() means that the highest protocol version available among SSLv2, SSLv3, TLSv1 and so on is used for encryption, which can cause the connection to fail. Because SSLv3 and TLSv1 are widely recognised as insecure protocols, many servers have disabled them. A more secure protocol such as TLSv1.2 or TLSv1.3 is recommended.

You can try using TLSv1.2_client_method() or TLSv1.3_client_method() instead of SSLv23_client_method() to see whether that resolves the problem. If you still have problems, check that the SSL/TLS version and cipher suite configuration are consistent between the client and server, or turn on debug logging for more information.
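What the error string actually names, as an added illustration that is not part of any answer in this thread: OpenSSL reports a handshake_failure alert (alert number 40) received from the peer as "sslv3 alert handshake failure" because that alert was defined in SSLv3; alerts that TLS 1.0 added, such as protocol_version (70), are reported as "tlsv1 alert ...". The prefix therefore says nothing about the version the client offered. The decoder below parses a raw TLS alert record, as you would see it in a packet capture, and prints the name OpenSSL's ERR_reason_error_string() would give it. The sample records are constructed for the example, not captured from a real server; the table covers only the alert codes whose OpenSSL reason strings are listed in it.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define TLS_CT_ALERT 0x15   /* record-layer content type for alerts */

struct alert_info {
    int code;
    const char *name;    /* RFC 5246 / RFC 8446 name */
    const char *prefix;  /* how OpenSSL's reason string labels it */
};

/* Alerts defined in SSLv3 carry the "sslv3" label in OpenSSL, those added by
 * TLS 1.0 carry "tlsv1", whatever protocol version is in use. */
static const struct alert_info ALERTS[] = {
    { 10, "unexpected_message",    "sslv3" },
    { 20, "bad_record_mac",        "sslv3" },
    { 40, "handshake_failure",     "sslv3" },
    { 42, "bad_certificate",       "sslv3" },
    { 45, "certificate_expired",   "sslv3" },
    { 46, "certificate_unknown",   "sslv3" },
    { 47, "illegal_parameter",     "sslv3" },
    { 48, "unknown_ca",            "tlsv1" },
    { 50, "decode_error",          "tlsv1" },
    { 51, "decrypt_error",         "tlsv1" },
    { 70, "protocol_version",      "tlsv1" },
    { 71, "insufficient_security", "tlsv1" },
    { 80, "internal_error",        "tlsv1" },
};

/* Parse one TLS record. Returns 1 and sets *level (1 warning, 2 fatal) and
 * *desc if it is a well-formed alert record, 0 for anything else. */
int tls_parse_alert(const unsigned char *rec, size_t len, int *level, int *desc)
{
    size_t body;
    if (len < 5 || rec[0] != TLS_CT_ALERT)
        return 0;
    /* rec[1..2] is the record-layer version, not the negotiated version */
    body = ((size_t)rec[3] << 8) | rec[4];
    if (body != 2 || len < 5 + body)
        return 0;
    *level = rec[5];
    *desc = rec[6];
    return 1;
}

/* Alert description number of a record, or -1 if it is not an alert. */
int tls_alert_code(const unsigned char *rec, size_t len)
{
    int level, desc;
    return tls_parse_alert(rec, len, &level, &desc) ? desc : -1;
}

/* Write the OpenSSL reason string for alert `desc` into out and return it,
 * e.g. 40 -> "sslv3 alert handshake failure". Unknown codes are named as such. */
const char *tls_alert_reason(int desc, char *out, size_t outlen)
{
    size_t i;
    char *p;
    for (i = 0; i < sizeof ALERTS / sizeof ALERTS[0]; i++) {
        if (ALERTS[i].code == desc) {
            snprintf(out, outlen, "%s alert %s", ALERTS[i].prefix, ALERTS[i].name);
            for (p = out; *p; p++)      /* OpenSSL spells the name with spaces */
                if (*p == '_')
                    *p = ' ';
            return out;
        }
    }
    snprintf(out, outlen, "unknown alert %d", desc);
    return out;
}

int main(void)
{
    /* Constructed sample records (not captured from a real server):
     * a fatal handshake_failure, a fatal protocol_version, and the start of a
     * ClientHello handshake record that is not an alert at all. */
    const unsigned char hs_failure[] = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28 };
    const unsigned char proto_ver[]  = { 0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46 };
    const unsigned char hello_head[] = { 0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00 };
    const unsigned char *samples[] = { hs_failure, proto_ver, hello_head };
    size_t i;

    for (i = 0; i < 3; i++) {
        int level, desc;
        char reason[64];
        if (!tls_parse_alert(samples[i], 7, &level, &desc)) {
            printf("record %zu: not an alert (content type 0x%02x)\n", i, samples[i][0]);
            continue;
        }
        printf("record %zu: %s alert %d -> \"%s\"\n", i,
               level == 2 ? "fatal" : "warning", desc,
               tls_alert_reason(desc, reason, sizeof reason));
    }
    return 0;
}
```

For a client, a fatal handshake_failure means the server rejected the ClientHello as a whole (no acceptable version, cipher suite or curve, a missing SNI name, or a required client certificate); a protocol_version alert narrows it to the version list alone. Either way the next step is to compare what the client offers with what the server accepts, for example with openssl s_client, rather than to switch the client to an older protocol.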

xiaoye380553332 (Registered member)
2023-02-28 10:15

Using GPT and my own thinking: this error usually means that the SSL/TLS handshake has failed. The SSLv3 handshake failure may be due to security issues with the SSLv3 version, so SSLv3 is generally not recommended. In this case, it is recommended that you try a more secure TLS protocol version such as TLSv1.0, TLSv1.1 or TLSv1.2.

Here are the suggested solutions:

1. Try using the TLSv1.0, TLSv1.1 or TLSv1.2 protocol versions, which are more secure than SSLv3. You can specify the supported TLS versions using the SSL_CTX_set_options function.

2. Ensure that the target server supports the SSL/TLS protocol version you are using. You can run the openssl s_client command to test which protocol versions the target server supports. For example, to test TLSv1.2 support, use the following command:

    openssl s_client -connect servername:port -tls1_2

3. If the target server supports only SSLv3, you may need to contact the server administrator to upgrade its SSL/TLS support.

4. Check whether the certificate is correct. If the certificate is invalid or does not match the server, the SSL handshake may fail.

If you want to try a more secure version of the TLS protocol, such as TLSv1.0, TLSv1.1 or TLSv1.2, you can use the following code:

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

int init_SSL(int tcp_fd, SSL **ssl, SSL_CTX **ctx)
{
    int ret;
    /* Initialise the SSL/TLS library used for HTTPS */
    // Load the human-readable error strings
    // (this and SSL_library_init() are no-ops since OpenSSL 1.1.0, which initialises itself)
    SSL_load_error_strings();
    // Initialise the SSL library
    SSL_library_init();
    // Create a new SSL context
    // TLSv1_2_client_method() pins the connection to TLSv1.2; it is deprecated since
    // OpenSSL 1.1.0 in favour of TLS_client_method() plus SSL_CTX_set_min_proto_version()
    *ctx = SSL_CTX_new(TLSv1_2_client_method()); // use the TLSv1.2 protocol
    if (*ctx == NULL)
    {
        fprintf(stderr, "init SSL CTX failed:%s\n",
                ERR_reason_error_string(ERR_get_error()));
        return -1;
    }

    // Create an SSL object from the context
    *ssl = SSL_new(*ctx);
    if (*ssl == NULL)
    {
        fprintf(stderr, "new SSL with created CTX failed:%s\n",
                ERR_reason_error_string(ERR_get_error()));
        SSL_CTX_free(*ctx);
        *ctx = NULL;
        return -1;
    }

    // Bind the file descriptor; tcp_fd is the socket already connected to the server
    ret = SSL_set_fd(*ssl, tcp_fd);
    if (ret == 0)
    {
        fprintf(stderr, "add SSL to tcp socket failed:%s\n",
                ERR_reason_error_string(ERR_get_error()));
        SSL_free(*ssl);
        SSL_CTX_free(*ctx);
        *ssl = NULL;
        *ctx = NULL;
        return -1;
    }

    /* Perform the TLS handshake with the server over the encrypted connection */
    ret = SSL_connect(*ssl);
    if (ret != 1)
    {
        fprintf(stderr, "SSL connection failed:%s\n",
                ERR_reason_error_string(ERR_get_error()));
        SSL_free(*ssl);
        SSL_CTX_free(*ctx);
        *ssl = NULL;
        *ctx = NULL;
        return -1;
    }

    return 0;
}

After this modification, the program establishes an SSL connection to the server using the TLSv1.2 protocol version. Note that you can specify the supported TLS versions using the SSL_CTX_set_options function. For example, to support TLSv1.0, TLSv1.1 and TLSv1.2, use the following code:

SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);

If this helps you, please accept the answer, thank you.

ddl301 (Registered member)
2023-02-28 10:15

This answer quotes ChatGPT

The error message "SSL connection failed:sslv3 alert handshake failure" you encountered indicates that the SSL handshake failed, which may be caused by incompatible SSL/TLS versions or certificate issues. To solve this problem, you can try the following steps:

1. Check SSL/TLS version
According to the error message, you are trying to use SSLv3 for handshaking, but SSLv3 is deprecated and no longer supported by modern browsers and servers. You should try to use a more modern and secure protocol, such as TLSv1.2 or TLSv1.3. You can select the SSL/TLS version by using a method in SSL_CTX_new(), such as SSL_CTX_new(TLS_client_method()).

2. Check the certificate
An SSL handshake requires a server certificate to authenticate the server, and a client certificate to authenticate the client (if required by the server). If the certificates are invalid or do not match, the handshake fails. Make sure that your server certificate is valid and that your client code is configured correctly to use it. You can use the openssl s_client command to test the server certificate and the SSL/TLS connection to verify that they are correct.

3. Check Other configurations
There are other configuration issues that can cause SSL handshakes to fail, such as having certain options in the SSL protocol enabled or disabled. You can try adjusting the SSL/TLS configuration options to your needs to see if you can resolve the problem.

diamondth_king (Registered member)
2023-02-28 10:15

This error indicates that the SSL connection failed because the negotiation between the client and server failed: the SSL certificate on the server is not trusted, or the SSL certificate on the server has expired.

To solve this problem, try the following:

1. Ensure that the version of TLS used by the client and server is the same.

2. Check whether the SSL certificate on the server is valid and has not expired.

3. Try using a different SSL protocol, such as TLS 1.1 or 1.2.

4. If all else fails, try reinstalling the SSL certificate on the server.

chengcyx (Registered member)
2023-02-28 10:15

According to the error message "SSL connection failed:sslv3 alert handshake failure", this error is usually caused by an SSL handshake failure and may be due to the following reasons:
1. The server does not support the SSLv3 or TLSv1 protocols, or they have been disabled, so the client cannot complete the handshake. You can try another protocol version, such as TLSv1.1 or TLSv1.2, or contact your server administrator for more information.
2. The certificate verification fails. You can try to load the certificate chain using the SSL_CTX_load_verify_locations function before SSL_connect, and set the authentication method using the SSL_CTX_set_verify function.
3. The protocol versions of the client and server do not match. You can use the SSL_set_options function to enable adaptive protocol versions(such as SSL_OP_NO_SSLv2) so that the client can select the most suitable protocol version
4. The client time is inconsistent with the server time. During the SSL handshake, the client and server need to compare timestamps to check the validity of the certificate. Ensure that the time on the client is the same as that on the server.
In your code, you have used SSLv23_client_method() to create an SSL session, which means it will support protocol versions SSLv2, SSLv3, TLSv1, etc. You can try using another protocol version, such as TLSv1.2, to see if you can fix the problem. For example, using the TLSv1.2 client method:

*ctx = SSL_CTX_new(TLSv1_2_client_method());

Alternatively, you can try to enable the adaptive protocol version by adding the following code before SSL_connect:

SSL_set_options(*ssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

Finally, you should check that the certificate validation is correct. The certificate chain specified in the SSL_CTX_load_verify_locations function should contain the root certificate of the server certificate, or you can set the authentication using the SSL_CTX_set_verify function. For example, to disable certificate validation:

SSL_CTX_set_verify(*ctx, SSL_VERIFY_NONE, NULL); /* no verification: the client accepts any certificate the server presents */