Can't wget from github, sslv3 handshake error

We have a script that downloads mod security from github that has recently started failing. The servers run CentOS 6 but RHEL 6 probably has the same issue. The output is:

# wget https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_2.7.1.tar.gz
--2014-07-22 18:49:46--  https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_2.7.1.tar.gz
Resolving github.com... 192.30.252.129
Connecting to github.com|192.30.252.129|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://cloud.github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_2.7.1.tar.gz [following]
--2014-07-22 18:49:47--  https://cloud.github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_2.7.1.tar.gz
Resolving cloud.github.com... 54.230.99.219, 205.251.219.190, 54.230.97.212, ...
Connecting to cloud.github.com|54.230.99.219|:443... connected.
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.

Any ideas on how to fix or work around this?

Asked By: Kristofer


If I’m not mistaken, you mean this repo. Try to get the URL from Releases.

This case works for me:

$ wget https://github.com/SpiderLabs/ModSecurity/archive/v2.8.0.tar.gz

P.S. I also have the same error message when I try to run your case:

$ wget https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_2.7.1.tar.gz
Answered By: Anton Dozortsev

You can use the curl command to download it:

curl -LO https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_2.7.1.tar.gz
Answered By: rajesh gupta

You should check your wget version.

I had the same problem with older versions of wget (< 1.15).

Answered By: Dan

The server side has disabled the SSLv3 encryption handshake because of SSLv3's severe security issues.
Moreover, your wget client is an outdated version and still uses this SSLv3 encryption by default. You have 2 options:

  • use the --secure-protocol=TLSv1 flag in front of wget.
    wget --secure-protocol=TLSv1
  • install an updated version of wget that uses the TLSv1 protocol by default
Answered By: Vassilis Blazos

As a workaround, if you trust the host, try specifying --no-check-certificate or add:

check_certificate = off

into your ~/.wgetrc (not recommended).

In some rare cases, it’s caused by your system time, which could be out of sync, therefore invalidating certificates which were working before.

Answered By: kenorb
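
An added example (not from any of the answers above): a shell helper that reads wget's error text and retries with --secure-protocol=TLSv1 only for the handshake failure shown in the question, leaving certificate verification on. The function names, class labels and the certificate-error sample are assumptions; the matched certificate messages are wget's English wording when built with OpenSSL.

```shell
#!/bin/sh
# Added example: decide from wget's error text whether a retry with a pinned
# protocol is appropriate. Certificate verification is never switched off.

# Error text from the question on this page.
SAMPLE_HANDSHAKE='OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.'

# Constructed sample (not from the page): certificate rejected, clock behind.
SAMPLE_CLOCK="ERROR: cannot verify example.test's certificate, issued by 'CN=Example CA':
  Issued certificate not yet valid."

# Read wget error output on stdin and print one class label.
classify_wget_tls_error() {
    log=$(cat)
    case "$log" in
        *"alert handshake failure"*)
            echo protocol_mismatch ;;   # server refused the offered protocol
        *"certificate not yet valid"*|*"certificate has expired"*)
            echo cert_validity ;;       # check the system clock before anything else
        *"cannot verify"*)
            echo cert_untrusted ;;      # CA bundle problem or interception
        *"Unable to establish SSL connection"*)
            echo tls_other ;;
        *)
            echo not_tls ;;
    esac
}

# Hypothetical wrapper: download URL, retrying once with TLSv1 pinned, and
# only when the first attempt failed with a handshake alert.
fetch_pinned() {
    url=$1
    err=$(LC_ALL=C wget "$url" 2>&1) && return 0
    class=$(printf '%s\n' "$err" | classify_wget_tls_error)
    if [ "$class" = protocol_mismatch ]; then
        wget --secure-protocol=TLSv1 "$url"
        return $?
    fi
    printf 'not retrying (%s)\n%s\n' "$class" "$err" >&2
    return 1
}

# Demo on the two samples above; no network access is needed.
printf '%s\n' "$SAMPLE_HANDSHAKE" | classify_wget_tls_error
printf '%s\n' "$SAMPLE_CLOCK" | classify_wget_tls_error
```

A cert_validity or cert_untrusted result is a reason to check the clock and the CA bundle, not to reach for --no-check-certificate.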

Try this:

update-crypto-policies --set LEGACY