Request execution error: SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE [v7.25.1+]

[thetreythomas]

Describe the bug When making an API request, I receive the error below:

Error: write EPROTO 2771201016:error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:../../third_party/boringssl/src/ssl/tls_record.cc:587:SSL alert number 40 2771201016:error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO:../../third_party/boringssl/src/ssl/handshake.cc:588:

To Reproduce Steps to reproduce the behavior:

1. Update to 7.26 from 7.25.3
2. Perform an API call

Expected behavior Using build 7.25.3, these API calls that are now failing with 7.26.0 work just fine.

I read through the release notes for 7.26.0, and I didn't really see anything that would create an SSL issue. Were there any build dependencies that got updated from one version to the next?

These API calls are going over HTTPs, but using Basic Auth and no certs. I have the SSL cert verification turned off.

App information (please complete the following information):

• Native App
• Postman Version 7.26.0
• OS: Windows 64bit

[halfluke]

I had :BAD_ALERT:../../third_party/boringssl/src/ssl/tls_record.cc:573 in an assessment when proxying postman through burp, and I solved thanks to an expert colleague, by disabling TLSv1.3 on the burp listener itself

Based on this it seems the issue is with the implementation of TLS 1.3 used by Postman?

In my case, I was talking to an API which required client certs for authentication (which were added to Burp), Burp was carrying out the requests fine but in most (but not all) cases PM wasn't able to parse the response which Burp served. In a lot of cases, if I kept hammering the "Send" button then every so often a request would get through.

Anyway, disabling 1.3 on Burp's listener fixed it for me.

if it was only with Burp I would say that somehow java and tls 1.3 do not get along well so far, but if it's also with Postman without Burp, no idea...

[hanneheingard]

Hello, I am facing the same issue. I simply removed a certificate from the list of certificates in Postman and added it again with the exact same credentials and now I get: Error: write EPROTO 1216298392:error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:../../third_party/boringssl/src/ssl/tls_record.cc:587:SSL alert number 40

Pls fix asap as this is very blocking!

[brandon1024]

I've got a bit more information to add that might help PM developers.

I'm making requests against an OpenADR VTN. The OpenADR spec requires TLS v1.2 with the following cipher suites:

• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, or
• TLS_RSA_WITH_AES_128_CBC_SHA256

To establish a connection with the VTN, the client needs the following certificates and key:

• trusted root CA certificate (OpenADR)
• intermediate CA certificate (VEN)
• client certificate and client private key

I can verify that the connection can be established using s_client:

$ openssl s_client -cert TEST_RSA_VEN_210121191926_cert.pem -key TEST_RSA_VEN_210121191926_privkey.pem -connect localhost:8000
CONNECTED(00000003)
---
Certificate chain
 0 s:C = CA, O = Siemens Canada Limited, OU = TEST OpenADR Alliance RSA VTN Certificate, CN = eip.docker.drms.siemens.ca
   i:C = US, O = OpenADR Alliance, OU = RSA VTN CA0001, CN = TEST OpenADR Alliance RSA VTN CA
 1 s:C = US, O = OpenADR Alliance, OU = RSA VTN CA0001, CN = TEST OpenADR Alliance RSA VTN CA
   i:C = US, O = OpenADR Alliance, OU = RSA Root CA0001, CN = TEST OpenADR Alliance RSA Root CA
 2 s:C = US, O = OpenADR Alliance, OU = RSA Root CA0001, CN = TEST OpenADR Alliance RSA Root CA
   i:C = US, O = OpenADR Alliance, OU = RSA Root CA0001, CN = TEST OpenADR Alliance RSA Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEajCCAtKgAwIBAgIJALx3n9FIUw+kMA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNV
BAYTAlVTMRkwFwYDVQQKExBPcGVuQURSIEFsbGlhbmNlMRcwFQYDVQQLEw5SU0Eg
VlROIENBMDAwMTEpMCcGA1UEAxMgVEVTVCBPcGVuQURSIEFsbGlhbmNlIFJTQSBW
VE4gQ0EwHhcNMjEwMTIxMTkxODM5WhcNMjMwMTIxMTkxODM5WjCBhzELMAkGA1UE
BhMCQ0ExHzAdBgNVBAoMFlNpZW1lbnMgQ2FuYWRhIExpbWl0ZWQxMjAwBgNVBAsM
KVRFU1QgT3BlbkFEUiBBbGxpYW5jZSBSU0EgVlROIENlcnRpZmljYXRlMSMwIQYD
VQQDDBplaXAuZG9ja2VyLmRybXMuc2llbWVucy5jYTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBALzaorYGvxCcf5Oe11yVyOuUl4e+mDNLkMVGIC5ZcmPg
CfO4ymHCQ0Tgtq2FsGjcj8vvDldTfMXgpv+CW4DW9AAY2DGJ6291MYjzCQoY2rYq
9q06zGBKGmTI4eo/jqFrNz4UDr4KUO1ZJgoLiZ4svyZZdPmFCIQT9fzFqglvV3zf
IVC0ztDkMm7J6R+Is5yWAWgV3WL0VPzeXMLNoBAhLiz0WJhA81suqCwXJTTocx+m
ANTicxy9HOcCP5JLU3YhvwS+c0grpwJiVCodgtwgYB/YF21Mm1vvJoRCGGz1zkR6
6+gfQ6Xeiyx/YNEa6nJu77ha5erfFy4ARpJmMh+8g4kCAwEAAaNzMHEwDgYDVR0P
AQH/BAQDAgWgMB8GA1UdIwQYMBaAFLrUIA+Xct+xq1W3/A1PxJwYcS9hMCUGA1Ud
EQQeMByCGmVpcC5kb2NrZXIuZHJtcy5zaWVtZW5zLmNhMBcGA1UdIAQQMA4wDAYK
KwYBBAGCxC8BATANBgkqhkiG9w0BAQsFAAOCAYEASNzCZe0hiPtUwwSh5abHjWVx
tpBhrJJbpf0dIBL3LaLbzmTxfEjG5RqU5zj6SGE4DbI2JhlInFD8jn5ZoFAIOEvT
iO07+/uxX6yBk7KP2iyzqQrfFoRlXbYzY2xl58HNgcRMS1kDAlkKxW7/hb0pNo71
3aIfsGc5MUoBostqTHfpm4Gi6RnW/BkJvawagNqyB/VvYXzcRgckbo1TOb66c1nM
u5X7so81/Iey7ol01wfAy5x8E37sf31m7jybL4P1+WHXjlKFQXITNuv13mA8ToIm
ZmATXGWtZEdoli2eOMoSpEErw/12Vnv0LvU9FkUQn7edRW2sliUwMrjKMRNlUoX5
kwJvHYh/H2QFDuQbGMKqDV3p6wpGSThSokT//qPaFiiSvEIz2bsVg2ARktEm3Uha
RfEUd4cbgE96TI4aT29HdU3tlYgJsmM7lYbkrXZlnydaR36IYl/3hmKQk0eii/h5
IlPuH//hatsx+8D+plD3gcQTsI66uge+ijeM92mr
-----END CERTIFICATE-----
subject=C = CA, O = Siemens Canada Limited, OU = TEST OpenADR Alliance RSA VTN Certificate, CN = eip.docker.drms.siemens.ca

issuer=C = US, O = OpenADR Alliance, OU = RSA VTN CA0001, CN = TEST OpenADR Alliance RSA VTN CA

---
Acceptable client certificate CA names
C = US, O = OpenADR Alliance, OU = RSA Root CA0001, CN = TEST OpenADR Alliance RSA Root CA
CN = ca_docker.drms.siemens.ca, OU = EnergyIP, O = EnergyIP, DC = eMeter, DC = com
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
---
SSL handshake has read 4431 bytes and written 2020 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA256
    Session-ID: 0F4C5ADB5AF0B46F52990F1128FF63F5706DF2887C7675FBB892EAFD0884FF8C
    Session-ID-ctx:
    Master-Key: EAB20E25065CFD1AFBE5A9A8B86E10E4D0B49AE6F1E95E04BEE0478E8954989DD5EDF31DCDF680A0963EC08813E120C0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1611346684
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

I can successfully make requests against the VTN with curl:

$ curl --cacert ${CA_CERT} --cert ${CLIENT_CERT} --key ${CLIENT_KEY} -H "Content-Type: application/xml;charset=UTF-8" -XPOST --data @payload.xml https://eip.docker.drms.siemens.ca:8000/OpenADR2/Simple/2.0b/OadrPoll

After reading @xk0der comment, it's likely that Postman simply doesn't support these cipher suites anymore. If this is the case, we should open a greater discussion about whether this was a regression or an intentional change. I'm not sure if this was intentional or not, but this leaves people like myself out of luck (I can't change the OpenADR spec lol).

I haven't confirmed this for myself yet, perhaps @xk0der could provide instructions on how to list Postman's supported cipher suites? (thanks :smiley:)

[Valentyna]

I just want to add that I'm seeing this issue when making repetitive requests with different cipher suits. Even when repeat request with the same suit - it could work at first, but then started showing the error

[victorbello]

I don't know if this could help anyone at all, but I was battling this issue and came across this thread. After much fighting, I figured out it was my internet provider's advanced security blocking my request (Xfinity). I went into their app and turned it off momentarily to be able to do what I needed to do, it worked like a charm. Hope this helps someone.

[Major-Mike]

For what it is worth, wanted to share I am on 8.0.6 and this is occurring, here is the error:

Error: write EPROTO 2485744664:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242:

I have read all the comments and I can add that it is not an HTTP vs. HTTPS issue and it is not a provider issue, tested on multiple. TIA.

[LukeV111]

This issue can happen if you're using https on a localhost endpoint. Change it to http and you should be fine.

[Ochaun]

Google led me here with a slightly different error Error: 744677592:error:10000066:SSL routines:OPENSSL_internal:BAD_ALERT:../../third_party/boringssl/src/ssl/tls_record.cc:573:

I'm on a windows box with a self-signed cert that is in my Trusted Root Certification Authority store on my local machine. SSL-verification is off. Version 7.36.5

[ramGit22]

I changed https protocol to http while sending request and the problem was solved.

[Hemang-Dwivedi]

Do we have a solution for this? I am running to the same issue: Error: write EPROTO 2801304216:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242: If anyone has any idea why please inform

[thetreythomas]

@Hemang-Dwivedi - With the particular error you are receiving, the majority of the time, the cause is going to be a server side issue.

The API you are trying to access, can it be accessed both via http and https? Does it work with http? You'll see comments above about "just change it to http". That's all well and good, unless you are actually needing it to work over https.

I've personally never run into this error, so I don't know where in the TLS handshake it's failing. If you have openssl installed on your system, try running the below command and see what it says:

openssl s_client -connect <hostname>:<port> -msg

To see a working example, run the command:

openssl s_client -connect postman-echo.com:443 -msg

It's possible this error could also mean that the TLS versions between Postman and your server are not able to negotiate. I do not know much C++, but looking at the Github file for this, it seems like this is what is being checked... https://github.com/google/boringssl/blob/master/ssl/tls_record.cc#L242

Starting back with Postman v7.26, they deprecated TLS 1.0 and 1.1 support. If your server is using an OpenSSL version less than 1.0.1, you will not have TLS 1.2 support, which means Postman will never connect to it over https.

Below is an updated chart with the current cipher suites and TLS versions Postman supports (As of August 2021)

Info on Recommended, Secure, Weak meanings: https://ciphersuite.info/page/faq/

TLS 1.3 Supported Cipher Suites

IANA Name	OpenSSL Name	TLSv Support	Considered Strength	Info Link
TLS_AES_128_GCM_SHA256	Same	1.3	Recommended	https://ciphersuite.info/cs/TLS_AES_128_GCM_SHA256/
TLS_AES_256_GCM_SHA384	Same	1.3	Recommended	https://ciphersuite.info/cs/TLS_AES_256_GCM_SHA384/
TLS_CHACHA20_POLY1305_SHA256	Same	1.3	Recommended	https://ciphersuite.info/cs/TLS_CHACHA20_POLY1305_SHA256/

TLS 1.2 Supported Cipher Suites

IANA Name	OpenSSL Name	TLSv Support	Considered Strength	Info Link
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	ECDHE-ECDSA-AES256-GCM-SHA384	1.2	Recommended	https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384/
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	ECDHE-ECDSA-AES128-GCM-SHA256	1.2	Recommended	https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256/
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	ECDHE-ECDSA-CHACHA20-POLY1305	1.2	Recommended	https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256/
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	ECDHE-RSA-AES256-GCM-SHA384	1.2	Secure	https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384/
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	ECDHE-RSA-AES128-GCM-SHA256	1.2	Secure	https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256/
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	ECDHE-RSA-CHACHA20-POLY1305	1.2	Secure	https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256/
TLS_RSA_WITH_AES_256_GCM_SHA384	AES256-GCM-SHA384	1.2	Weak	https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_GCM_SHA384/
TLS_RSA_WITH_AES_128_GCM_SHA256	AES128-GCM-SHA256	1.2	Weak	https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_GCM_SHA256/
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	ECDHE-RSA-AES256-SHA	1.0, 1.1, 1.2	Weak	https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA/
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	ECDHE-RSA-AES128-SHA	1.0, 1.1, 1.2	Weak	https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA/
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	ECDHE-ECDSA-AES256-SHA	1.0, 1.1, 1.2	Weak	https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA/
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	ECDHE-ECDSA-AES128-SHA	1.0, 1.1, 1.2	Weak	https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA/
TLS_RSA_WITH_AES_256_CBC_SHA	AES256-SHA	1.0, 1.1, 1.2	Weak	https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA/
TLS_RSA_WITH_AES_128_CBC_SHA	AES128-SHA	1.0, 1.1, 1.2	Weak	https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA/
TLS_RSA_WITH_3DES_EDE_CBC_SHA	DES-CBC3-SHA	1.0, 1.1	Weak	https://ciphersuite.info/cs/TLS_RSA_WITH_3DES_EDE_CBC_SHA/

Below is some good reading / resources if you are bored or would like to learn more:

Cypher Suites Demystified

The Illustrated TLS 1.2 Connection

The Illustrated TLS 1.3 Connection

[Hemang-Dwivedi]

I am pretty sure the problem is not with the code as i am able to access it from the browser

On Wed, 1 Sept 2021 at 19:22, Trey @.***> wrote:

@Hemang-Dwivedi https://github.com/Hemang-Dwivedi - With the particular error you are receiving, the majority of the time, the cause is going to be a server side issue.

The API you are trying to access, can it be accessed both via http and https? Does it work with http? You'll see comments above about "just change it to http". That's all well and good, unless you are actually needing it to work over https.

I've personally never run into this error, so I don't know where in the TLS handshake it's failing. If you have openssl installed on your system, try running the below command and see what it says:

openssl s_client -connect : -msg

To see a working example, run the command:

openssl s_client -connect postman-echo.com:443 -msg

It's possible this error could also mean that the TLS versions between Postman and your server are not able to negotiate. I do not know much C++, but looking at the Github file for this, it seems like this is what is being checked... https://github.com/google/boringssl/blob/master/ssl/tls_record.cc#L242

Starting back with Postman v7.26, they deprecated TLS 1.0 and 1.1 support. If your server is using an OpenSSL version less that 1.0.1, you will not have TLS 1.2 support, which means Postman will never connect to it over https.

Below is an updated chart with the current cipher suites and TLS versions Postman supports (As of August 2021)

Info on Recommended, Secure, Weak meanings: https://ciphersuite.info/page/faq/ TLS 1.3 Supported Cipher Suites IANA Name OpenSSL Name TLSv Support Considered Strength Info Link TLS_AES_128_GCM_SHA256 Same 1.3 Recommended https://ciphersuite.info/cs/TLS_AES_128_GCM_SHA256/ TLS_AES_256_GCM_SHA384 Same 1.3 Recommended https://ciphersuite.info/cs/TLS_AES_256_GCM_SHA384/ TLS_CHACHA20_POLY1305_SHA256 Same 1.3 Recommended https://ciphersuite.info/cs/TLS_CHACHA20_POLY1305_SHA256/ TLS 1.2 Supported Cipher Suites IANA Name OpenSSL Name TLSv Support Considered Strength Info Link TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 1.2 Recommended https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384/ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 1.2 Recommended https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256/ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-CHACHA20-POLY1305 1.2 Recommended https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256/ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE-RSA-AES256-GCM-SHA384 1.2 Secure https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384/ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 1.2 Secure https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256/ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE-RSA-CHACHA20-POLY1305 1.2 Secure https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256/ TLS_RSA_WITH_AES_256_GCM_SHA384 AES256-GCM-SHA384 1.2 Weak https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_GCM_SHA384/ TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-GCM-SHA256 1.2 Weak https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_GCM_SHA256/ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE-RSA-AES256-SHA 1.0, 1.1, 1.2 Weak https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA/ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE-RSA-AES128-SHA 1.0, 1.1, 1.2 Weak https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA/ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE-ECDSA-AES256-SHA 1.0, 1.1, 1.2 Weak https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA/ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE-ECDSA-AES128-SHA 1.0, 1.1, 1.2 Weak https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA/ TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA 1.0, 1.1, 1.2 Weak https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA/ TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA 1.0, 1.1, 1.2 Weak https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA/ TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA 1.0, 1.1 Weak https://ciphersuite.info/cs/TLS_RSA_WITH_3DES_EDE_CBC_SHA/

Below is some good reading / resources if you are bored or would like to learn more:

Cypher Suites Demystified https://joehonton.medium.com/cipher-suites-demystified-ada2e97be9c9

The Illustrated TLS 1.2 Connection https://tls.ulfheim.net/

The Illustrated TLS 1.3 Connection https://tls13.ulfheim.net/

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/postmanlabs/postman-app-support/issues/8612#issuecomment-910306308, or unsubscribe https://github.com/notifications/unsubscribe-auth/APFHMIJUOK5BYBEVPRZGINTT7YVYPANCNFSM4NZOFFHA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[Hemang-Dwivedi]

I resolved the issue

On Wed, 1 Sept 2021 at 19:47, Hemang Dwivedi @.***> wrote:

I am pretty sure the problem is not with the code as i am able to access it from the browser

On Wed, 1 Sept 2021 at 19:22, Trey @.***> wrote:

@Hemang-Dwivedi https://github.com/Hemang-Dwivedi - With the particular error you are receiving, the majority of the time, the cause is going to be a server side issue.

The API you are trying to access, can it be accessed both via http and https? Does it work with http? You'll see comments above about "just change it to http". That's all well and good, unless you are actually needing it to work over https.

I've personally never run into this error, so I don't know where in the TLS handshake it's failing. If you have openssl installed on your system, try running the below command and see what it says:

openssl s_client -connect : -msg

To see a working example, run the command:

openssl s_client -connect postman-echo.com:443 -msg

It's possible this error could also mean that the TLS versions between Postman and your server are not able to negotiate. I do not know much C++, but looking at the Github file for this, it seems like this is what is being checked... https://github.com/google/boringssl/blob/master/ssl/tls_record.cc#L242

Starting back with Postman v7.26, they deprecated TLS 1.0 and 1.1 support. If your server is using an OpenSSL version less that 1.0.1, you will not have TLS 1.2 support, which means Postman will never connect to it over https.

Below is an updated chart with the current cipher suites and TLS versions Postman supports (As of August 2021)

Info on Recommended, Secure, Weak meanings: https://ciphersuite.info/page/faq/ TLS 1.3 Supported Cipher Suites IANA Name OpenSSL Name TLSv Support Considered Strength Info Link TLS_AES_128_GCM_SHA256 Same 1.3 Recommended https://ciphersuite.info/cs/TLS_AES_128_GCM_SHA256/ TLS_AES_256_GCM_SHA384 Same 1.3 Recommended https://ciphersuite.info/cs/TLS_AES_256_GCM_SHA384/ TLS_CHACHA20_POLY1305_SHA256 Same 1.3 Recommended https://ciphersuite.info/cs/TLS_CHACHA20_POLY1305_SHA256/ TLS 1.2 Supported Cipher Suites IANA Name OpenSSL Name TLSv Support Considered Strength Info Link TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 1.2 Recommended https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384/ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 1.2 Recommended https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256/ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-CHACHA20-POLY1305 1.2 Recommended https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256/ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE-RSA-AES256-GCM-SHA384 1.2 Secure https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384/ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 1.2 Secure https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256/ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE-RSA-CHACHA20-POLY1305 1.2 Secure https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256/ TLS_RSA_WITH_AES_256_GCM_SHA384 AES256-GCM-SHA384 1.2 Weak https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_GCM_SHA384/ TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-GCM-SHA256 1.2 Weak https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_GCM_SHA256/ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE-RSA-AES256-SHA 1.0, 1.1, 1.2 Weak https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA/ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE-RSA-AES128-SHA 1.0, 1.1, 1.2 Weak https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA/ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE-ECDSA-AES256-SHA 1.0, 1.1, 1.2 Weak https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA/ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE-ECDSA-AES128-SHA 1.0, 1.1, 1.2 Weak https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA/ TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA 1.0, 1.1, 1.2 Weak https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA/ TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA 1.0, 1.1, 1.2 Weak https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA/ TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA 1.0, 1.1 Weak https://ciphersuite.info/cs/TLS_RSA_WITH_3DES_EDE_CBC_SHA/

Below is some good reading / resources if you are bored or would like to learn more:

Cypher Suites Demystified https://joehonton.medium.com/cipher-suites-demystified-ada2e97be9c9

The Illustrated TLS 1.2 Connection https://tls.ulfheim.net/

The Illustrated TLS 1.3 Connection https://tls13.ulfheim.net/

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/postmanlabs/postman-app-support/issues/8612#issuecomment-910306308, or unsubscribe https://github.com/notifications/unsubscribe-auth/APFHMIJUOK5BYBEVPRZGINTT7YVYPANCNFSM4NZOFFHA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[thetreythomas]

@Hemang-Dwivedi - What was your solution?

It might help someone who finds this page.

[Hemang-Dwivedi]

Switching from https to http worked, but it didn't before

On Wed, 1 Sep 2021, 19:54 Trey, @.***> wrote:

@Hemang-Dwivedi https://github.com/Hemang-Dwivedi - What was your solution?

It might help someone who finds this page.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/postmanlabs/postman-app-support/issues/8612#issuecomment-910336865, or unsubscribe https://github.com/notifications/unsubscribe-auth/APFHMIOEMUKV2ATYJWDOBNDT7YZQ7ANCNFSM4NZOFFHA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[jeffRTC]

Hitting same issue. Damn it! Seems happening with new version..

[thetreythomas]

@xk0der Any new details you can provide on what Postman is trying to do for all these issues?

@mccannt - You mentioned way back in Nov 2020

Yes, I believe we have found the source of the issue and are working to resolve it. There are some dependencies around this we need to address to fix the issue. Hang tight.

Any new information or updates on this comment?

@jeffRTC - Which issue are you running into? If you look through this long thread, there are 6 different issues from what I found. And each one is likely to have it's own cause and solution.

OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO:../../third_party/boringssl/src/ssl/handshake.cc:588:

OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242:

OPENSSL_internal:BAD_ALERT:../../third_party/boringssl/src/ssl/tls_record.cc:573:

OPENSSL_internal:SERVER_ECHOED_INVALID_SESSION_ID:../../third_party/boringssl/src/ssl/handshake_client.cc:646

OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE:../../third_party/boringssl/src/ssl/tls_record.cc:587:SSL alert number 42

OPENSSL_internal:UNSUPPORTED_PROTOCOL:../../third_party/boringssl/src/ssl/handshake_client.cc:581:

[5ox]

Postman randomly fails on Amazon's API Gateway when using SSL. This makes using Postman with the Amazon API gateway challenging. (Postman Version 8.11.1 / PostmanRuntime/7.28.4)

Error: write EPROTO 140207169435704:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242

I read every single comment and hope this extra datapoint on a known endpoint may help with this issue. The Amazon API Gateway endpoint supports the SSL. Amazon API Gateway uses TLS 1.2. Using a regional not edge gateway. SSL certificate verification is enabled in Postman.

The API call works fine with SSL (https) calling direct from a Python script and only fails when using Postman.

[bilalelmahdaoui]

I used http instead of https and it worked for me.

[Clopma]

Please people, stop saying that using http instead of https works, of course a SSL-related problem doesn't occur with http.

[pr0vieh]

in our case adding "https://" solved the problem looks like the preceding https:// is ignored in some cases or versions

[gregamb]

in our case adding "https://" solved the problem looks like the preceding https:// is ignored in some cases or versions

That solved it for me as well using v9.14.0. Based on my experience, this regression was introduced after v7.28.0

It does appear the newer versions are not using hardcoded https prefix in the certificate screen

[Mincoslav]

Google led me here even though my error was this: "Error: write EPROTO 51666824:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242:" the solution for me was to remember to add a "/" at the end of my url.

[Muralisumanth]

It worked for me by adding all the below CRT File/ KEY File/ PFX File and corresponding Passphrase. Thanks

[vishnupeas]

I used http instead of https and it worked for me.

idk how but this worked for me

[git-bharani]

I'm running with the same error while GET the API using Postman, but it works well in the browser. It would be great if anyone could help me to solve this.

Note: I have tried HTTP instead of HTTPS but it won't work for me.

Error: write EPROTO 64687752:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../../../src/third_party/boringssl/src/ssl/tls_record.cc:242:

[ebkhalilzadeh]

I'm running with the below error when I GET this URL using the Postman V10.13.4:

Error: write EPROTO 67616904:error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:../../../../src/third_party/boringssl/src/ssl/tls_record.cc:594:SSL alert number 40
67616904:error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO:../../../../src/third_party/boringssl/src/ssl/handshake.cc:644:

[extsalt]

any update on this?

[lvanderbijl-kry]

We've got the exact same issue connecting to a cloud-fronted amazon api gateway endpoint.

Amusingly, it works with the VS Code Postman plugin - but not with the standalone postman application.

Another factor might be that the endpoint is only available behind a vpn

[CollinsLord]

check if you're not using http port for https request e.g(port 1001 for HTTP and port 1002 for HTTPS) you're probably making request with port 1001 with using https

[antony]

Error: write EPROTO 4887629992:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../../../src/third_party/boringssl/src/ssl/tls_record.cc:242:

I get this same error with postman desktop on an Apple Mac M1. The destination server is Vercel and uses SSL and is correctly configured to serve HTTPS.

If I make the request by grabbing the CURL request that Postman gives me, it works without issue. So this is a postman specific issue.

The request in question is a POST request, It doesn't seem to occur on the same server, if I use an endpoint which uses GET instead.

[elliotberry]

Same thing on m1 mac with the McMaster-Carr API (https://www.mcmaster.com/help/api/). Their cert is seemingly legit. Woof.

[CoonHouse]

We've got the exact same issue connecting to a cloud-fronted amazon api gateway endpoint.

Every time I make a CloudFront distribution for my API (API-Gateway), I run in this issue again, remembering me to set the "Alternate Domain Name"

[inodeas]

Lol. Bandwagoning I guess!

Same issue occurring when targeting on Open AI API endpoint : https://api.openai.com/v1/chat/completions

Postman version : 7.37.3

Error message :

Error: write EPROTO 52625416:error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:........\src\third_party\boringssl\src\ssl\tls_record.cc:594:SSL alert number 40

[dev-minjin-chou]

Same issue here, postman version: 11.13.1

Error message:

Error: 47450799456256:error:10000458:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNRECOGNIZED_NAME:../../../../src/third_party/boringssl/src/ssl/tls_record.cc:592:SSL alert number 112

[Kos-M]

Had similar issue , my issue was that in headers of that request had http host but in url had https as expected. when removed Host header all worked.. as expected.

Cheers :sunglasses: