If you get an error like this in one of your tools:
OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
it means you are using a tool that does not yet properly support TLS 1.2 or higher.
Or in other words: update your tool set.
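The hexadecimal number in that message can be decoded, which helps when triaging logs to find hosts whose tools still need updating. The following is an added example, not code from the original post: it assumes the packed error layout of OpenSSL 1.0.x/1.1.x (8-bit library, 12-bit function, 12-bit reason), and the host names and the log lines other than the first are constructed.

```python
import re

# Packed error layout of OpenSSL 1.0.x/1.1.x (assumption: this is the layout
# behind the error above). OpenSSL 3.x packs codes differently; not handled here.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this are alerts sent by the peer

# TLS alert descriptions (RFC 5246; 86 is from RFC 7507) tied to version/cipher mismatches.
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          71: "insufficient_security", 86: "inappropriate_fallback"}

ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode(line):
    """Return a dict describing the first OpenSSL error code in line, or None."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert,
            "alert_name": ALERTS.get(alert)}

def needs_tls_upgrade(line):
    """True when the peer refused the handshake with a protocol_version alert."""
    info = decode(line)
    return bool(info) and info["alert"] == 70

# Constructed sample log: the first error is the one from this post, hosts are made up.
SAMPLE_LOG = """\
backup01 wget: OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
build02 curl: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
build03 curl: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
web04 nginx: upstream timed out
"""

def outdated_clients(log):
    """Hosts (first field) whose tool was refused for offering too old a TLS version."""
    return [l.split()[0] for l in log.splitlines() if needs_tls_upgrade(l)]

if __name__ == "__main__":
    for l in SAMPLE_LOG.splitlines():
        print(decode(l), "<-", l)
    print("update the TLS stack on:", outdated_clients(SAMPLE_LOG))
```

Reason 1070 is the alert offset 1000 plus TLS alert 70 (protocol_version): the server sent the refusal, so the fix is on the client side.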
The reason is that – after turning off TLS 1.0 a while ago – more and more sites do the same for TLS 1.1.
A prime example of a site that warned about this clearly and very early on is GitHub:
- 2017-02-27: [WayBack] Discontinue support for weak cryptographic standards | GitHub Engineering
- 2018-02-01: [WayBack] Weak cryptographic standards removal notice | GitHub Engineering (including a list of incompatible clients)
- 2018-02-02: [WayBack] Weak cryptographic standards removal notice | The GitHub Blog
- 2018-02-23: [WayBack] Weak cryptographic standards removed | The GitHub Blog
Others have done this too, for instance:
- [WayBack] Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS
- [WayBack] Deprecating TLS 1.0 and 1.1 – Enhancing Security for Everyone
TLS 1.0 is vulnerable to many attacks, as are certain configurations of TLS 1.1 (see for instance [WayBack] What are the main vulnerabilities of TLS v1.1? – Information Security Stack Exchange), which means that properly configuring TLS 1.1 in a non-vulnerable way gets more and more complex over time. That is an important reason to say goodbye to TLS 1.1 as well, since TLS 1.2 (from 2008) has been readily available for a long time. The much more recent TLS 1.3 (from 2018) will take a while to proliferate.
I ran into the above error because on one of my systems, an old version of wget was lurking around, so I dug up the easiest place to download recent Windows binaries for both win32 (x86) and win64 (x86_64):
[WayBack] eternallybored.org: GNU Wget for Windows, which has a table indicating the OpenSSL version for each wget build.
–jeroen
Reference: Transport Layer Security – Wikipedia: History and development