>From: owner-openssl-us...@openssl.org On Behalf Of Baker, Darryl
>Sent: Thursday, 06 December, 2012 14:45
>I have a website I am monitoring and the tool uses the CURL library
>which in turn uses the OpenSSL library. While all the browsers I've
>tried accept the certificate OpenSSL does not. The results are below.
<snip>
># openssl version
>OpenSSL 1.0.1 14 Mar 2012
># openssl s_client -connect anthemnhequote.insurix.com:443
>CONNECTED(00000003)
>3077576328:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
>SSL handshake has read 0 bytes and written 226 bytes

The problem is not in accepting the cert, the problem is you received no response (serverhello) at all, much less a cert.

When I try with vanilla 1.0.1c it works, but only TLSv1.0. There have been reports of some server software failing because the clienthello for 1.2 is longer than in earlier versions (this occurs before it has a chance to negotiate the version down). Try specifying -tls1 or at least -no_tls1_2. Maybe try -cipher listspec smaller than the default (one cipher the server likes is enough, I got DES-CBC3-SHA). Although the problem usually reported is at 255/256 bytes and 226 is less.

Your browsers may not be using 1.2 at all, or they may be using it more conservatively than OpenSSL does (by default). If you want to check, get a network trace. I recommend www.wireshark.org on Windows or MacOSX. On Linux you can capture with tcpdump, but I find the display unhelpful and prefer to download to wireshark for display.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
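The size effect the reply describes (a TLS 1.2 ClientHello grows because it carries extra extensions such as signature_algorithms, and trimming the cipher list with -cipher brings the record back under the 255/256-byte band that some server software mishandles) can be measured offline. The script below is an added example, not code from the thread or from OpenSSL: it builds a minimal ClientHello record byte for byte, parses it back, and reports whether the record crosses a size threshold. The 80-entry cipher suite list, the host name "example.test" and the fixed client random are constructed sample values; the SignatureAndHashAlgorithm code points and the 0x000A value for DES-CBC3-SHA are the real RFC 5246 assignments, but the suite list is not OpenSSL's default ordering. Use it to see what a given suite list and extension set costs in bytes before reaching for a packet capture.

```python
import os
import struct

TLS10 = (3, 1)
TLS12 = (3, 3)

# Constructed sample data (not OpenSSL's real default list): 80 cipher suite
# codes, and the 12 TLS 1.2 SignatureAndHashAlgorithm pairs for
# {sha1, sha256, sha384, sha512} x {rsa, dsa, ecdsa} (RFC 5246 code points).
SAMPLE_SUITES = list(range(1, 81))
SAMPLE_SIG_ALGS = [(h, s) for h in (2, 4, 5, 6) for s in (1, 2, 3)]
DES_CBC3_SHA = 0x000A  # TLS_RSA_WITH_3DES_EDE_CBC_SHA, the suite that worked in the thread


def _extension(ext_type, data):
    """Encode one extension: 2-byte type, 2-byte length, data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(version, cipher_suites, sig_algs=None, server_name=None, client_random=None):
    """Return a complete TLS record (5-byte header + handshake) carrying a minimal ClientHello."""
    major, minor = version
    rnd = client_random if client_random is not None else os.urandom(32)
    if len(rnd) != 32:
        raise ValueError("client_random must be 32 bytes")
    body = bytes((major, minor)) + rnd + b"\x00"          # version, random, empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                    # one compression method: null
    exts = b""
    if server_name:
        host = server_name.encode("ascii")
        entry = struct.pack("!BH", 0, len(host)) + host    # name_type host_name(0) + name
        exts += _extension(0x0000, struct.pack("!H", len(entry)) + entry)
    if sig_algs:                                           # only TLS 1.2 clients send this one
        algs = b"".join(bytes(pair) for pair in sig_algs)
        exts += _extension(0x000D, struct.pack("!H", len(algs)) + algs)
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version is fixed at 3.1 here; the offered version is the one inside the hello.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a record built above; returns offered version, suite list and extension types."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != len(record) - 5 or hs_len != rec_len - 4:
        raise ValueError("length fields do not match record size")
    pos = 9
    version = (record[pos], record[pos + 1]); pos += 2
    pos += 32                                              # skip client random
    sid_len = record[pos]; pos += 1 + sid_len
    suites_len = struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = record[pos]; pos += 1 + comp_len
    ext_types = []
    if pos < len(record):                                  # extensions block is optional
        ext_len = struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, data_len = struct.unpack("!HH", record[pos:pos + 4])
            ext_types.append(ext_type)
            pos += 4 + data_len
    return {"version": version, "cipher_suites": suites, "extensions": ext_types}


def exceeds_threshold(record, threshold=256):
    """True when the whole record is at least `threshold` bytes (the band the thread mentions)."""
    return len(record) >= threshold


if __name__ == "__main__":
    fixed = bytes(32)  # deterministic client random so the demo sizes are reproducible
    cases = [
        ("TLS 1.0, 80 suites, no extensions",
         build_client_hello(TLS10, SAMPLE_SUITES, client_random=fixed)),
        ("TLS 1.2, 80 suites, SNI + signature_algorithms",
         build_client_hello(TLS12, SAMPLE_SUITES, SAMPLE_SIG_ALGS, "example.test", fixed)),
        ("TLS 1.2, DES-CBC3-SHA only, same extensions",
         build_client_hello(TLS12, [DES_CBC3_SHA], SAMPLE_SIG_ALGS, "example.test", fixed)),
    ]
    for label, rec in cases:
        print(f"{label}: {len(rec)} bytes, at or over 256: {exceeds_threshold(rec)}")
```

The three cases mirror the reply's advice: the same suite list that stays well under 256 bytes as a TLS 1.0 hello crosses the line once the TLS 1.2 extensions are added, and cutting the list down to the one suite the server accepted removes most of that growth again, which is why -no_tls1_2 or a short -cipher spec can get a ServerHello out of a server that chokes on long hellos.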