1 Answer
The error "wrong version number" is a classic indicator that the client (OpenSSL) expected an encrypted TLS response, but the server responded with unencrypted plain text (HTTP).
The technical cause
When you see this with AWS/ACM, it usually isn't a problem with the certificate itself, but a protocol mismatch at the Edge location or Load Balancer:
- HTTP vs HTTPS: The server is likely sending an HTTP error page or a redirect over port 443. OpenSSL sees the "H-T-T-P" characters, doesn't recognize them as a TLS version, and throws this error.
- CloudFront Misconfiguration: Check your Origin Protocol Policy. If CloudFront is trying to connect to your origin via HTTP while expecting HTTPS (or vice versa), the handshake will fail.
- SNI Requirement: Ensure that the client supports SNI and that CloudFront is correctly associated with the ACM certificate for that specific CNAME.
Verification: Run your OpenSSL command again and look at the -debug output. If you see HTTP/1.1 or <html> in the hex dump of the server's response, the server is incorrectly serving plain text on a secure port.
Hope this helps!

If my answer was helpful, I would appreciate it if you could mark it as the accepted answer.
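An added example (not part of the answer above) showing why OpenSSL reports this error: a Python classifier that reads the first bytes a server sends back on port 443 and tells a TLS record header apart from a plaintext HTTP reply. The sample responses are constructed, not captured from any real host.

```python
"""Classify the first bytes a server returns on a TLS port.

OpenSSL's record layer expects byte 0 to be a TLS content type and
bytes 1-2 to be a 3.x protocol version.  When the server answers with
plain HTTP, those bytes are ASCII from "HTTP/1.1" or "<html>", which
is what surfaces as "wrong version number".
"""

TLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}


def classify_response(data: bytes) -> dict:
    """Return what a TLS client would make of the first bytes received."""
    if len(data) < 5:
        return {"kind": "short", "detail": "fewer than 5 bytes (no full record header)"}
    rec_type, major, minor = data[0], data[1], data[2]
    version_ok = major == 0x03 and minor <= 0x04  # SSL 3.0 .. TLS 1.3 legacy
    if rec_type in TLS_RECORD_TYPES and version_ok:
        length = int.from_bytes(data[3:5], "big")
        return {"kind": "tls", "record": TLS_RECORD_TYPES[rec_type],
                "version": f"3.{minor}", "length": length}
    # Not a TLS record: this is the "wrong version number" situation.
    head = data[:64]
    if head.startswith(b"HTTP/") or b"<html" in head.lower():
        hint = "plaintext HTTP on the TLS port (listener or origin protocol mismatch)"
    else:
        hint = "non-TLS bytes on the TLS port"
    return {"kind": "plaintext", "version_field": data[1:3].hex(),
            "preview": data[:16].decode("ascii", "replace"), "detail": hint}


# Constructed samples (hypothetical values, not real captures).
PLAIN_HTTP = b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"
HTML_PAGE = b"<html>\r\n<head><title>301 Moved Permanently</title></head>\r\n"
TLS_SERVER_HELLO = (b"\x16\x03\x03\x00\x2a"          # handshake record, TLS 1.2 framing, 42 bytes
                    + b"\x02\x00\x00\x26\x03\x03"    # ServerHello, length 38, version 3.3
                    + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00")
TLS_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"         # fatal handshake_failure alert

if __name__ == "__main__":
    for name, sample in [("plain http", PLAIN_HTTP), ("html page", HTML_PAGE),
                         ("server hello", TLS_SERVER_HELLO), ("alert", TLS_ALERT)]:
        print(f"{name:12s} -> {classify_response(sample)}")
```

Only the first few bytes matter, so the same check works on the hex dump that `openssl s_client -debug` prints for the server's first record.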