[openssl-users] Why no peer certificate available.

Matt Caswell matt at openssl.org
Tue May 26 08:09:18 UTC 2015

On 26/05/15 04:17, Jerry OELoo wrote:
> Hi.
> I found there is a website which has https support.
> https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
> and browser can show its certificate chain.
> but when I use openssl to connect website, it returns fail.
> openssl s_client -connect www.ib-channel.net:443
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> So what is wrong that openssl can not get website's certificate? Thanks!

This appears to be the server hang on over long ClientHello bug. Some
buggy servers cannot cope if the ClientHello is longer than 255 bytes.

I get a hang if I attempt to connect to the above site however if I pass
"-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=100" to Configure it all works fine.
It also works fine if I use "-no_tls1_2" with s_client to disable TLS1.2
support, or if I set a custom (reduced length) cipher list.


More information about the openssl-users mailing list