[openssl-users] Why no peer certificate available.

Matt Caswell matt at openssl.org
Tue May 26 08:09:18 UTC 2015



On 26/05/15 04:17, Jerry OELoo wrote:
> Hi.
> I found there is a website which has https support.
> https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
> and browser can show its certificate chain.
> but when I use openssl to connect website, it returns fail.
> 
> openssl s_client -connect www.ib-channel.net:443
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> 
> So what is wrong that openssl can not get website's certificate? Thanks!
> 

This appears to be the server-hang-on-overlong-ClientHello bug. Some
buggy servers cannot cope if the ClientHello is longer than 255 bytes.

I get a hang if I attempt to connect to the above site; however, if I pass
"-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=100" to Configure it all works fine.
It also works fine if I use "-no_tls1_2" with s_client to disable TLS1.2
support, or if I set a custom (reduced length) cipher list.

Matt
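
Added example, not part of the original thread: a Python sketch that parses a ClientHello record and compares its size with the 255-byte figure from the reply, showing how a shorter cipher list shrinks the message. The sample records are constructed (dummy suite and extension values), the larger one sized to the 305 bytes written in the transcript; measuring the handshake message including its 4-byte header is an assumption.

```python
import struct

LIMIT = 255  # size named in the reply above

def build_client_hello(n_suites, ext_payload):
    """Constructed ClientHello record: dummy suites plus one dummy extension."""
    suites = b"".join(struct.pack("!H", 0xC000 + i) for i in range(n_suites))
    ext = struct.pack("!HH", 0x0A0A, ext_payload) + bytes(ext_payload)
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites    # cipher_suites
            + b"\x01\x00"                                # one compression method: null
            + struct.pack("!H", len(ext)) + ext)         # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs  # record type 22 = handshake

def analyse(record):
    """Return size figures for a ClientHello carried in a single TLS record."""
    if len(record) < 9:
        raise ValueError("too short for a record and handshake header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:]
    if ctype != 22 or rec_len != len(hs):
        raise ValueError("not one complete handshake record")
    if hs[0] != 1 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a complete ClientHello")
    try:
        pos = 4 + 2 + 32                   # skip handshake header, version, random
        pos += 1 + hs[pos]                 # session_id
        suites_len = int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2 + suites_len              # cipher_suites
        pos += 1 + hs[pos]                 # compression_methods
    except IndexError:
        raise ValueError("ClientHello fields run past the end of the message")
    return {
        "record_bytes": len(record),
        "handshake_bytes": len(hs),
        "cipher_suites": suites_len // 2,
        "extension_bytes": int.from_bytes(hs[pos:pos + 2], "big"),
        "over_limit": len(hs) > LIMIT,
    }

if __name__ == "__main__":
    # Constructed samples: a long cipher list versus a reduced one.
    for n in (80, 10):
        print(n, "suites ->", analyse(build_client_hello(n, 91)))
```
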

