Hi, I was kind of curious about 'why?' would openssl s_client be trying to do the reverse DNS lookup?
In other words, when you do an:

openssl s_client -connect xx.xx.xx.xx:443...

why does openssl try to do a reverse DNS lookup on the xx.xx.xx.xx IP address, and why does it do that BEFORE (apparently) sending the client HELLO to the host?

Thanks,
Jim

---- oh...@cox.net wrote:
> Hi,
>
> We think that we found the problem.
>
> The server end had a timeout, and apparently, openssl tries to do a reverse
> DNS lookup after establishing the connection to the server, but before
> sending the client HELLO. That reverse DNS lookup was failing, but taking
> a while to fail, so the server was sending the "unknown protocol" error,
> because it was timing out.
>
> Jim
>
> ---- oh...@cox.net wrote:
> > Hi,
> >
> > I wanted to mention one other piece of information. Apparently, the server
> > certificate in this case has the IP address of the server, rather than a
> > hostname/FQDN, in the subject (i.e., CN=xx.xx.xx.xx,...). The server end
> > is not under our control, so we can't change that.
> >
> > Jim
> >
> > ---- oh...@cox.net wrote:
> > > Hi,
> > >
> > > We are trying to use "openssl s_client" to test a server-authenticated
> > > (1-way SSL) connection.
> > >
> > > The openssl s_client command is being run (on a Redhat machine) using the
> > > IP address of the SSL-enabled server, i.e., something like:
> > >
> > > openssl s_client -connect xx.xx.xx.xx:443 ....
> > >
> > > The problem we're having is that the connection is failing about 80% of
> > > the time. When it fails, we see the client Hello being sent, but then no
> > > server Hello and an "unknown protocol".
> > >
> > > Now, here's the strange thing... If we add an entry in the /etc/hosts
> > > with the IP address of the SSL server, and with ANY hostname (doesn't
> > > matter what it is), then the connection succeeds all the time.
> > >
> > > I was wondering if anyone would be able to explain why the connection would not
> > > succeed SOME of the times if there isn't an entry in the client-side
> > > /etc/hosts file, but then would work all the time if there's an entry in
> > > /etc/hosts with the IP address of the SSL-enabled server (with ANY
> > > hostname in the /etc/hosts entry)?
> > >
> > > Thanks,
> > > Jim
> > > ______________________________________________________________________
> > > OpenSSL Project http://www.openssl.org
> > > User Support Mailing List openssl-users@openssl.org
> > > Automated List Manager majord...@openssl.org
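
The timing problem described in this thread, reproduced on loopback as an added example that is not part of the original messages and is not OpenSSL code: a listener gives up if no first bytes arrive within its timeout, while the client performs a lookup between connecting and sending. The function names, the loopback listener, the timeouts and the stand-in lookup are all assumptions made for the demonstration.

```python
import socket
import threading
import time


def slow_failing_lookup(delay):
    """Constructed stand-in for a reverse DNS query that fails after `delay` s."""
    def lookup(ip):
        time.sleep(delay)
        raise socket.herror(1, "Unknown host")
    return lookup


def run_trial(lookup, server_timeout):
    """Connect, do the reverse lookup, then send the first handshake bytes.

    Returns (what the server side saw, seconds spent in the lookup)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = []

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(server_timeout)      # server's wait for the first bytes
        try:
            seen.append("hello" if conn.recv(16) else "closed")
        except socket.timeout:
            seen.append("timeout")           # gave up before the client spoke
        finally:
            conn.close()

    worker = threading.Thread(target=serve)
    worker.start()
    client = socket.create_connection(listener.getsockname())
    start = time.monotonic()
    try:
        lookup(client.getpeername()[0])      # lookup runs after connect
    except (socket.herror, socket.gaierror):
        pass                                 # a failed lookup is not fatal
    spent = time.monotonic() - start
    try:
        client.sendall(b"\x16\x03\x01")      # constructed start of a TLS record
    except OSError:
        pass                                 # server already closed the socket
    worker.join()
    client.close()
    listener.close()
    return seen[0], spent


if __name__ == "__main__":
    print(run_trial(slow_failing_lookup(0.6), 0.2))
```

Passing a lookup that returns immediately, which is what an /etc/hosts entry achieves, lets the first bytes arrive inside the server's timeout.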