Try this..
./openssl s_client -tls1 -connect www.cia.gov:443

On 10/24/07, Lutz Jaenicke <[EMAIL PROTECTED]> wrote:
>
> Isolating the problem is more or less simple:
> openssl s_client -connect www.cia.gov:443
> shows the intermittent failures as well, so we can rule out all
> applications (curl, wget, ...). Has to be some basic thing.
>
> I tend to observe the failure with s_client not on the first attempt but
> on the nth attempt in a row. I would guess(!) that it may be some
> DoS protection measure that prevents too many new connections
> (from the same site).
> Firefox (and other browsers) would use session caching so that the
> server could see that it is actually the same client coming in again.
> This of course could only be seen after the client hello with a
> proposed session to be reused comes in and could not be done at
> the firewall level.
> Again: this is just a GUESS!
>
> Best regards,
> Lutz
>
> Alex Lam wrote:
> > That's TLSv1, not SSLv2.
> >
> > 0000: 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 ....c......9..8.
> > 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..............
> > 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .........3..2../
> > 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A.......
> > 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 ................
> > 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@.........
> > 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff ................
> > 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89             t..Y........
> >
> > On 10/23/07, Jake Goulding <[EMAIL PROTECTED]> wrote:
> >
> > Hey all:
> >
> > We use curl to retrieve webpages, and recently started receiving an
> > intermittent (40-60% of the time) error when retrieving a page from the
> > CIA. About two weeks ago, they switched to running https only, with the
> > http URLs being forwarded to the https equivalents.
> >
> > The error we receive is:
> >
> > $ curl 'https://www.cia.gov/about-cia/faqs/'
> > curl: (35) Unknown SSL protocol error in connection to www.cia.gov:443
> >
> > Using the --trace option, I see this:
> >
> > == Info: About to connect() to www.cia.gov port 443 (#0)
> > == Info: Trying 198.81.129.100... == Info: connected
> > == Info: Connected to www.cia.gov (198.81.129.100) port 443 (#0)
> > == Info: successfully set certificate verify locations:
> > == Info: CAfile: /etc/ssl/certs/ca-certificates.crt
> > CApath: none
> > == Info: SSLv2, Client hello (1):
> > => Send SSL data, 124 bytes (0x7c)
> > 0000: 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 ....c......9..8.
> > 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..............
> > 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .........3..2../
> > 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A.......
> > 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 ................
> > 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@.........
> > 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff ................
> > 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89             t..Y........
> > == Info: Unknown SSL protocol error in connection to www.cia.gov:443
> > == Info: Closing connection #0
> >
> > Unfortunately, I don't grok SSL hex :-) .
> >
> > I have tried this and received the same error with the following
> > versions:
> > curl-7.12.1-8.rhel4 / openssl-0.9.7a-43.14
> > curl-7.12.1-11.el4 / openssl-0.9.7a-43.16
> > curl-7.16.1 / openssl-0.9.8e
> > curl-7.17.0 / openssl-0.9.8f
> >
> > Firefox does not seem to have any issues with this page.
> >
> > I asked the curl mailing list about this error, and got the following
> > response:
> >
> > > This apparently has nothing to do with curl. I got the same
> > > intermittent errors with lynx, w3m, wget, you name it. I am using
> > > OpenSSL 0.9.8g 19 Oct 2007.
> >
> > Any help would be greatly appreciated. Please let me know if I can
> > provide more information.
> >
> > Thanks!
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           [EMAIL PROTECTED]
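
Added example (not part of the thread, and not code from curl or OpenSSL): a short Python decoder for the 124-byte Client hello in the quoted curl trace, showing why curl labels it "SSLv2" while the version field inside it says TLS 1.0. It assumes the trace shows an SSLv2-format CLIENT-HELLO body with the 2-byte record header already stripped; the function and key names are illustrative.

```python
# Hex dump copied from the curl --trace output quoted above (ASCII column dropped).
TRACE = """
0000: 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00
0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00
0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f
0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03
0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08
0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff
0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89
"""

VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0"}


def dump_to_bytes(dump):
    """Turn 'offset: xx xx ...' lines into raw bytes, ignoring the offsets."""
    return b"".join(bytes.fromhex(line.partition(":")[2]) for line in dump.strip().splitlines())


def parse_v2_client_hello(msg):
    """Parse an SSLv2-format CLIENT-HELLO body: message type, offered version,
    three 2-byte lengths, then cipher specs, session id and challenge."""
    if len(msg) < 9 or msg[0] != 0x01:
        raise ValueError("not an SSLv2-format CLIENT-HELLO")
    version = int.from_bytes(msg[1:3], "big")
    spec_len, sid_len, chal_len = (int.from_bytes(msg[i:i + 2], "big") for i in (3, 5, 7))
    if spec_len % 3 or 9 + spec_len + sid_len + chal_len != len(msg):
        raise ValueError("length fields do not match message size")
    specs = [msg[9 + i:12 + i] for i in range(0, spec_len, 3)]
    return {
        "offered_version": VERSIONS.get(version, hex(version)),
        # A leading 0x00 marks an SSLv3/TLS suite; anything else is an SSLv2 cipher kind.
        "tls_suites": [s[1:].hex() for s in specs if s[0] == 0],
        "sslv2_kinds": [s.hex() for s in specs if s[0] != 0],
        "session_id_len": sid_len,
        "challenge": msg[9 + spec_len + sid_len:].hex(),
    }


HELLO = parse_v2_client_hello(dump_to_bytes(TRACE))

if __name__ == "__main__":
    for key, value in HELLO.items():
        print(f"{key}: {value}")
```

The length fields account for all 124 bytes, the session id is empty (no session reuse is proposed), and the hello offers both SSLv2 cipher kinds and SSLv3/TLS suites under a TLS 1.0 version number.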