
"openssl s_client": "SSL handshake has read 0 bytes and written" and "no peer certificate available"


Jochen Hayek

Sep 19, 2012, 4:32:23 AM
Hi, there!


<lengthy_introduction_that_you_may_skip_without_loss>

My problem started recently with a migration from openSUSE-12.1 to openSUSE-12.2.
openSUSE-12.2 comes with curl-7.25.0 (libcurl/7.25.0),
and they in turn use OpenSSL/1.0.1c.

Until "recently" this worked for me
(and it still does on a different platform with *older* versions of "everything"),
but now it breaks:

$ curl --verbose --insecure 'https://banking.postbank.de/rai/login'
* About to connect() to banking.postbank.de port 443 (#0)
* Trying 62.153.105.15...
* connected
* Connected to banking.postbank.de (62.153.105.15) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to banking.postbank.de:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to banking.postbank.de:443

</lengthy_introduction_that_you_may_skip_without_loss>

A web page on curl.haxx.se (http://curl.haxx.se/docs/sslcerts.html) teaches me
that I should try this in order to find out whether the problem is with openssl:

$ openssl s_client -connect banking.postbank.de:443

Alright, I did a binary search on the "recent" releases of openssl:

0.9.8x, 1.0.0, 1.0.0j, 1.0.1, 1.0.1c

The last one that did not break my request is 1.0.0j;
the first one that breaks my request is 1.0.1.
(I skipped the betas.)

And the problem report looks like this
("SSL handshake has read 0 bytes and written ..."):

$ /usr/local/src/openssl-1.0.1/apps/openssl s_client -connect banking.postbank.de:443
$ openssl s_client -connect banking.postbank.de:443
WARNING: can't open config file: /usr/local/openssl-1.0.1/openssl.cnf
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 321 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Here are the last few lines of "make test" for 1.0.0j and 1.0.1,
just in case you want to see them:

openssl-1.0.0j

ALL TESTS SUCCESSFUL.
make[1]: Leaving directory `/usr/local/src/openssl-1.0.0j/test'
OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
OpenSSL 1.0.0j 10 May 2012
built on: Tue Sep 18 14:21:04 CEST 2012
platform: linux-elf
options: bn(64,32) rc4(4x,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: "/usr/local/openssl-1.0.0j"

openssl-1.0.1

ALL TESTS SUCCESSFUL.
make[1]: Leaving directory `/usr/local/src/openssl-1.0.1/test'
OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Tue Sep 18 14:29:57 CEST 2012
platform: linux-elf
options: bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/openssl-1.0.1"

Anybody any idea?

Any specific details I can provide you with?

Is it a bug or a feature?

A little lost ...
Jochen


P.S.

I posted this already yesterday through Google Groups as

https://groups.google.com/forum/?fromgroups=&hl=en#!topic/mailing.openssl.users/1bw48CGd5xQ ,

but it looks as if this doesn't reach the mailing list,
so I post it here again.
I apologise for the redundancy.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dr. Stephen Henson

Sep 19, 2012, 6:39:33 AM
On Wed, Sep 19, 2012, Jochen Hayek wrote:

>
> Until "recently" this worked for me
> (and it still does on a different platform with *older* versions of "everything"),
> but now it breaks:
>
> $ curl --verbose --insecure 'https://banking.postbank.de/rai/login'
> * About to connect() to banking.postbank.de port 443 (#0)
> * Trying 62.153.105.15...
> * connected
> * Connected to banking.postbank.de (62.153.105.15) port 443 (#0)
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs/
> * SSLv3, TLS handshake, Client hello (1):
> * Unknown SSL protocol error in connection to banking.postbank.de:443
> * Closing connection #0
> curl: (35) Unknown SSL protocol error in connection to banking.postbank.de:443
>

This is a problem with the server. OpenSSL 1.0.1 is the first release to
support TLS version 1.2 and some servers "hang" when connecting. The option
-no_tls1_2 or -tls1 should allow you to connect again.

This is discussed in PR#2771:

http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
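A small diagnostic for the symptom in this thread, added here as an example and not part of the original posts or of OpenSSL itself: it classifies `openssl s_client` output (the "read 0 bytes" summary with no peer certificate) and probes a server with each protocol cap in turn, which is what `-no_tls1_2` / `-tls1` do by hand. The sample transcript inside is constructed from the one above; `probe_versions` needs network access and assumes an s_client that accepts `-tls1_1` (OpenSSL 1.0.1 or later).

```shell
#!/bin/sh
# Constructed sample, modelled on the transcript in the thread: the
# ClientHello went out (321 bytes written), nothing came back, no certificate.
SAMPLE_NO_RESPONSE='CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 321 bytes
---
New, (NONE), Cipher is (NONE)'

# classify_handshake: reads s_client output on stdin and prints one word.
#   no-response : ClientHello sent, 0 bytes read back (the symptom in the thread,
#                 typical of a server that chokes on a TLS 1.2 ClientHello)
#   failed      : the server answered but no cipher was negotiated (e.g. an alert)
#   ok          : a cipher was negotiated
#   unknown     : no "SSL handshake has read ..." summary line found
classify_handshake() {
    out=$(cat)
    summary=$(printf '%s\n' "$out" |
        sed -n 's/^SSL handshake has read \([0-9]*\) bytes and written \([0-9]*\) bytes.*/\1 \2/p')
    [ -n "$summary" ] || { echo unknown; return 0; }
    read_bytes=${summary%% *}
    written_bytes=${summary##* }
    if [ "$read_bytes" -eq 0 ] && [ "$written_bytes" -gt 0 ]; then
        echo no-response
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo failed
    else
        echo ok
    fi
}

# probe_versions HOST:PORT  (needs network, so it is not run here).
# Caps the handshake at each protocol version in turn, highest first, the way
# -no_tls1_2 / -tls1 do. A server that fails only on the -tls1_2 attempt is
# version-intolerant rather than down; -tls1_1 needs OpenSSL 1.0.1 or later.
probe_versions() {
    for opt in -tls1_2 -tls1_1 -tls1; do
        result=$(openssl s_client "$opt" -connect "$1" </dev/null 2>/dev/null |
            classify_handshake)
        printf '%-8s %s\n' "$opt" "$result"
    done
}
```

Run `probe_versions banking.postbank.de:443` (or any host) and read the three result lines together: "no-response" for -tls1_2 followed by "ok" for the lower caps is the pattern Steve describes.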

Jochen Hayek

Sep 19, 2012, 7:49:27 AM
>>>>> On Wed, 19 Sep 2012 12:39:33 +0200, "Dr. Stephen Henson" <...> said:

> This is a problem with the server. OpenSSL 1.0.1 is the first release to
> support TLS version 1.2 and some servers "hang" when connecting. The option
> -no_tls1_2 or -tls1 should allow you to connect again.

> This is discussed in PR#2771:

> http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest

> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.

Your valuable advice solved my problem.
***Thanks*** a lot!

I would love to be able to sponsor you and the OpenSSL project, but right now I am not.
If things work out well, I will come back to this idea.

Kind regards,
Jochen