[openssl-users] Why no peer certificate available.
Jeffrey Walton
noloader at gmail.com
Tue May 26 08:22:36 UTC 2015
On Tue, May 26, 2015 at 4:09 AM, Matt Caswell <matt at openssl.org> wrote:
>
>
> On 26/05/15 04:17, Jerry OELoo wrote:
>> Hi.
>> I found there is a website which has https support.
>> https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
>> and browser can show its certificate chain.
>> but when I use openssl to connect website, it returns fail.
>>
>> openssl s_client -connect www.ib-channel.net:443
>> CONNECTED(00000003)
>> write:errno=104
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 0 bytes and written 305 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> ---
>>
>> So what is wrong that openssl can not get website's certificate? Thanks!
>>
>
> This appears to be the server hang on over long ClientHello bug. Some
> buggy servers cannot cope if the ClientHello is longer than 255 bytes.
>
> I get a hang if I attempt to connect to the above site however if I pass
> "-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=100" to Configure it all works fine.
> It also works fine if I use "-no_tls1_2" with s_client to disable TLS1.2
> support, or if I set a custom (reduced length) cipher list.
>
Good find. It sounds like an F5 or IronPort appliance.
Do we know what the appliance is?
More information about the openssl-users
mailing list