>From: owner-openssl-us...@openssl.org On Behalf Of Ben Schmidt
>Sent: Thursday, 11 July, 2013 05:21

>I got a problem that I don't understand. When I try to check
>the Cert of a website from a single specific host I get:
>###########
>$ openssl s_client -connect www.example.com:443
>CONNECTED(00000003)
>--- wait
>^C
>###########

(To be clear, you actually get a hang and have to do ^C aka control-C, right? It doesn't actually output "--- wait".)

>from every other host it works just fine, routing and DNS
>doesn't seem to be the Issue. When I "wget -S --spider
>https://www.example.com" from the host that gives me trouble
>it works just fine, I see headers and redirects so the basic
>HTTP/SSL Session works.

>The OS being used is debian 7.1 amd64, openssl Version 1.0.1e,
<snip rest>
>Could someone please point in a direction on where to look at?
>I am basically running out of Ideas to check.

Are the successful client openssl's 1.0.1*, or lower? Is wget on the trouble client using openssl or gnutls?

If both answers are the second, and the problem occurs only with 1.0.1* openssl client, this could be a case of the commonly reported problem that 1.0.1* supports TLSv1.1 and v1.2 and s_client sends v1.2 hello by default, and that is sufficiently longer than earlier versions (due to more ciphers and more extensions) that some servers mishandle it, sometimes by hanging.

In that case, or any case, first try adding -state to your s_client command. If that shows "write client hello" but not "read server hello" try -no_tls1_2, or more rigidly -tls1_1 or -tls1 or even -ssl3 depending on what the server is capable of (look at what the successful s_client's got). Any of these should produce a shorter hello.

Alternatively try specifying a single cipher that the server supports (again look at a successful s_client) or a small list including such; that makes the hello quite a bit shorter.
You can add -msg to display the message sent; if messages longer than about 100 hex hang while shorter ones work okay, you have probably confirmed the server problem (and may need to work around it, depending on who runs the server).
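
The check described in the reply above, as an added example that is not part of the original message: a small shell function that reads captured `openssl s_client -state -msg` output and reports whether the handshake stopped after the client hello and how long that hello was. The function names (`diagnose_hello`, `sample_hang`, `sample_ok`) are hypothetical, the two captures are constructed, and the line formats are assumed to match what OpenSSL 1.0.1 s_client prints.

```sh
#!/bin/sh
# Added example: classify a captured `openssl s_client -state -msg` run.

# diagnose_hello: reads the capture on stdin, prints one verdict line.
diagnose_hello() {
    result=$(awk '
        /write client hello/ { wrote = 1 }
        # Do not count "error in ... read server hello" as a server hello.
        /read server hello/ && !/error in/ { got = 1 }
        # -msg prints the handshake message length as hex digits.
        /^>>> .*\[length [0-9a-fA-F]+\], ClientHello/ && len == "" {
            len = $0
            sub(/.*\[length /, "", len)
            sub(/\].*/, "", len)
        }
        END {
            state = (wrote ? (got ? "ok" : "stalled") : "no-client-hello")
            print state, (len == "" ? "0" : len)
        }')
    state=${result% *}
    bytes=$((0x${result#* }))
    # Rule of thumb from the reply: hellos longer than about 0x100 hang.
    if [ "$bytes" -gt 256 ]; then long=yes; else long=no; fi
    echo "$state hello_bytes=$bytes over_0x100=$long"
}

# Constructed sample captures (hex dump lines omitted).
sample_hang() {
cat <<'EOF'
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.2 Handshake [length 0138], ClientHello
SSL_connect:SSLv2/v3 write client hello A
EOF
}

sample_ok() {
cat <<'EOF'
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.0 Handshake [length 0055], ClientHello
SSL_connect:SSLv3 write client hello A
<<< TLS 1.0 Handshake [length 0051], ServerHello
SSL_connect:SSLv3 read server hello A
EOF
}

sample_hang | diagnose_hello
sample_ok | diagnose_hello
```

A "stalled" verdict with `over_0x100=yes` on the default run, next to "ok" with a shorter hello from -no_tls1_2 or a single cipher, is the pattern the reply describes as probably confirming the server problem.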