[openssl-users] troubleshooting ssl errors

Paul Greene paul.greene.va at gmail.com
Wed Oct 11 13:27:33 UTC 2017


Thanks for the response Matt. The SSL 3 switch was one of many that were
tried just for the sake of testing. I tried a few other switches, but am
getting the same results.

I did a tcpdump of the attempted connection, and you can see that the
initial connection is established, but the connection is immediately
dropped after that.

We've been trying to determine if this is an openssl issue (misconfiguration,
incompatibility, or whatever), a wget issue, or a network issue somewhere
along the path between the two servers. My support end had me try the
"no-check-certificate" option to remove the certificate on my server from
the equation.

It always fails after trying to initialize the SSL handshake.


[root at hostname ~]# wget https://domain.name.com:8443 --debug
DEBUG output created by Wget 1.14 on linux-gnu.

URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2017-10-11 08:45:19--  https://domain.name.com:8443/
Resolving domain.name.com (domain.name.com)... <ip.address>
Caching domain.name.com => <ip.address>
Connecting to domain.name.com (domain.name.com)|<ip.address>|:8443...
connected.
Created socket 3.
Releasing 0x0000000002744320 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.


wget https://domain.name.com:8443 --no-check-certificate --debug

[root at hostname ~]# wget https://domain.name.com:8443 --no-check-certificate --debug
DEBUG output created by Wget 1.14 on linux-gnu.

URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2017-10-11 08:49:26--  https://domain.name.com:8443/
Resolving domain.name.com (domain.name.com)... <ip.address>
Caching domain.name.com => <ip.address>
Connecting to domain.name.com (domain.name.com)|<ip.address>|:8443...
connected.
Created socket 3.
Releasing 0x00000000017b0340 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.

On Wed, Oct 11, 2017 at 5:10 AM, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 11/10/17 03:57, Paul Greene wrote:
> > [root at hostname ~]# wget https://domain.name.com:8443
> > --secure-protocol=SSLv3 --debug
> > DEBUG output created by Wget 1.14 on linux-gnu.
>
> The "--secure-protocol=SSLv3" bit looks suspect. According to the wget
> man page this forces only SSLv3 to be negotiated. If the server doesn't
> support it (which is common) then you're out of luck. SSLv3 is very old,
> insecure and generally should not be used. Setting "--secure-protocol"
> to "auto" (the default) would be a better choice.
>
> Matt
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>