
[openssl-users] Why no peer certificate available.


Jerry OELoo

May 25, 2015, 11:28:00 PM
Hi.
I found there is a website which has https support.
https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
and browser can show its certificate chain.
but when I use openssl to connect website, it returns fail.

openssl s_client -connect www.ib-channel.net:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

So what is wrong that openssl can not get website's certificate? Thanks!

--
Rejoice, I Desire!
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Patrick Proniewski

May 26, 2015, 12:56:58 AM
On 26 mai 2015, at 05:17, Jerry OELoo wrote:

> Hi.
> I found there is a website which has https support.
> https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
> and browser can show its certificate chain.
> but when I use openssl to connect website, it returns fail.


Openssl works great here:

$ openssl s_client -connect www.ib-channel.net:443
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=JP/businessCategory=Private Organization/serialNumber=0104-01-022916/C=JP/postalCode=108-8001/ST=Tokyo/L=Minato-ku/street=7-1, Shiba 5-chome/O=NEC Corporation/OU=NEC WOSC-IB005/CN=www.ib-channel.net
...
...

but it's kinda old:

$ openssl version
OpenSSL 0.9.8y 5 Feb 2013

A more current release shows the same error you posted:

$ apps/openssl version
OpenSSL 1.0.2a 19 Mar 2015

$ apps/openssl s_client -connect www.ib-channel.net:443
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
...
...

Jeffrey Walton

May 26, 2015, 1:33:51 AM
On Mon, May 25, 2015 at 11:17 PM, Jerry OELoo <oylj...@gmail.com> wrote:
> Hi.
> I found there is a website which has https support.
> https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
> and browser can show its certificate chain.
> but when I use openssl to connect website, it returns fail.
>
> openssl s_client -connect www.ib-channel.net:443
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> So what is wrong that openssl can not get website's certificate? Thanks!
>

I'm timing out from US/New York using Apple's downlevel version of
OpenSSL (0.9.8). But I'm succeeding with the latest version of OpenSSL
(1.0.2a). (It seems to be opposite of what Patrick is experiencing).

Also, you usually want to specify TLS and the server name. SSLv3 is
pretty much dead now. SNI also ensures the server selects the right
certificate during channel setup.

openssl s_client -connect www.ib-channel.net:443 \
-tls1 -servername www.ib-channel.net

Jerry OELoo

May 26, 2015, 3:51:11 AM
After I set -tls1 -servername, I can get the certificate chain information.
But in my code, I have used SSL_set_tlsext_host_name() to set the host
name, but it cannot get the certificate chain.
--
Rejoice, I Desire!

Matt Caswell

May 26, 2015, 4:10:47 AM

On 26/05/15 04:17, Jerry OELoo wrote:
> Hi.
> I found there is a website which has https support.
> https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
> and browser can show its certificate chain.
> but when I use openssl to connect website, it returns fail.
>
> openssl s_client -connect www.ib-channel.net:443
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> So what is wrong that openssl can not get website's certificate? Thanks!
>

This appears to be the server hang on over-long ClientHello bug. Some
buggy servers cannot cope if the ClientHello is longer than 255 bytes.

I get a hang if I attempt to connect to the above site; however, if I pass
"-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=100" to Configure it all works fine.
It also works fine if I use "-no_tls1_2" with s_client to disable TLS1.2
support, or if I set a custom (reduced length) cipher list.

Matt
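A way to see the size problem Matt describes, as an added example that is not from this thread or from OpenSSL: a Python script that assembles a minimal TLS ClientHello (SNI plus, for TLS 1.2, a signature_algorithms extension; real OpenSSL hellos carry further extensions, so actual sizes are larger) and measures it against the 255-byte figure, showing why a shorter cipher list or dropping TLS 1.2 brings it under. The suite lists are constructed stand-ins, not OpenSSL's real default list.

```python
import struct

HOST = "www.ib-channel.net"
HANG_THRESHOLD = 255          # ClientHello size cited in the thread
SNI_EXT, SIGALGS_EXT = 0x0000, 0x000D

# Constructed inputs: a long list of suite codes standing in for a full default
# cipher list, and a short list such as one would set with s_client -cipher.
LONG_LIST = list(range(0xC001, 0xC001 + 90))
SHORT_LIST = [0xC02F, 0xC030, 0xC02B, 0xC02C, 0x009C, 0x009D, 0x003C, 0x003D]

def sni_extension(host: str) -> bytes:
    """server_name extension: one host_name entry (name_type 0)."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name
    data = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXT, len(data)) + data

def sigalgs_extension(pairs) -> bytes:
    """signature_algorithms extension (TLS 1.2 only): (hash, signature) pairs."""
    data = b"".join(struct.pack("!BB", h, s) for h, s in pairs)
    data = struct.pack("!H", len(data)) + data
    return struct.pack("!HH", SIGALGS_EXT, len(data)) + data

def build_client_hello(suites, host, tls12=True, client_random=b"\x00" * 32) -> bytes:
    """Return the ClientHello Handshake message (1-byte type, 3-byte length, body)."""
    body = (b"\x03\x03" if tls12 else b"\x03\x01") + client_random + b"\x00"  # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                    # compression: null only
    exts = sni_extension(host)
    if tls12:  # TLS 1.2 adds signature_algorithms, one reason -no_tls1_2 shrinks the hello
        exts += sigalgs_extension([(4, 1), (4, 3), (5, 1), (5, 3), (2, 1), (2, 3)])
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body

def hello_size(suites, host, tls12=True) -> int:
    return len(build_client_hello(suites, host, tls12))

def risks_server_hang(suites, host, tls12=True) -> bool:
    """True when the hello exceeds the size some buggy servers cannot cope with."""
    return hello_size(suites, host, tls12) > HANG_THRESHOLD

if __name__ == "__main__":
    for label, suites, tls12 in [("full list, TLS 1.2", LONG_LIST, True),
                                 ("full list, -no_tls1_2", LONG_LIST, False),
                                 ("reduced -cipher list", SHORT_LIST, True)]:
        print(f"{label}: {hello_size(suites, HOST, tls12)} bytes, "
              f"hang risk={risks_server_hang(suites, HOST, tls12)}")
```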

Jeffrey Walton

May 26, 2015, 4:24:18 AM
Good find. It sounds like an F5 or IronPort appliance.

Do we know what the appliance is?