OpenSSL: wrong version number
Diagnose and fix 'wrong version number' SSL error when OpenSSL connects to a non-TLS port or through a misconfigured proxy.
OpenSSL produces "wrong version number" when it receives non-TLS data at the start of a connection — typically because it connected to a plain HTTP port or a proxy is interfering with the TLS handshake.
When OpenSSL Produces This Error
OpenSSL displays "wrong version number" during
openssl s_client -connect when the first bytes received do not match any TLS record format. The error message reads:
SSL routines:ssl3_get_record:wrong version number.
What Causes "wrong version number" in OpenSSL
OpenSSL expects a TLS ServerHello as the first response from the server. The "wrong version number" error occurs when OpenSSL receives HTTP plaintext, an SMTP greeting, or other non-TLS data instead.
Connecting to a non-TLS port is the most common cause. Running
openssl s_client -connect example.com:80 connects to the HTTP port, which responds with plaintext — not TLS. The correct HTTPS port is 443.
A corporate HTTP proxy performing content inspection can strip TLS and return an HTTP redirect or error page before the TLS handshake completes, triggering the "wrong version number" error.
How to Fix "wrong version number" in OpenSSL
- Verify the target port supports TLS. Use port 443 for HTTPS:
openssl s_client -connect example.com:443 -servername example.com- For SMTP with STARTTLS, use the
-starttlsflag:
openssl s_client -connect mail.example.com:587 -starttls smtp- Check for proxy interference by connecting directly (bypass proxy if possible) and comparing results.
How to Verify the Fix
OpenSSL completes the TLS handshake and displays the server certificate instead of the error.
Related OpenSSL Errors
OpenSSL: unable to get local issuer certificate— the TLS handshake completes but certificate verification fails.