rabtors

Reputation: 75

Can't connect to host using OpenSSL in C++

When I try to connect to some hosts (not all) through HTTPS using OpenSSL in C++ I get the OpenSSL error error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure. I'm using the TLS_client_method SSL method. But if I use the openssl test executable, it's ok - openssl s_client -connect host:443 -tls1_2. My connect code is here:

const SSL_METHOD* method = TLS_client_method();
inet->ssl_ctx = SSL_CTX_new(method);
inet->ssl = SSL_new(inet->ssl_ctx);
SSL_set_fd(inet->ssl, s);
int err = SSL_connect(inet->ssl);

Why? Maybe I need some .pem/.pm files? I don't know, but I saw it somewhere.

Upvotes: 0

Views: 1672

Answers (1)

Steffen Ullrich

Reputation: 123531

Your code does not use the SNI extension when connecting to the server, i.e. it does not include the hostname of the server in the TLS handshake. Multi-domain sites usually require SNI and might fail or return some unrelated certificate when SNI is not provided. This is also true for CDNs like Cloudflare, where different domains are accessible at the same IP address but should result in different certificates.

... I tried to connect to hostiman.ru

This is for example the case with hostiman.ru. With SNI (as set by newer s_client versions by default):

$ openssl s_client -connect hostiman.ru:443 -tls1_2
CONNECTED(00000005)
...
depth=0 C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
...
   Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305

Without SNI it instead looks like this:

$ openssl s_client -connect hostiman.ru:443 -tls1_2 -noservername
CONNECTED(00000005)
140420123775424:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
...
    Cipher    : 0000

To set up SNI in the client use SSL_set_tlsext_host_name, i.e.

inet->ssl = SSL_new(inet->ssl_ctx);
SSL_set_tlsext_host_name(inet->ssl, servername);

Upvotes: 3
