OpenSSL connection timeout

Ryo ONODERA

Jul 28, 2011, 11:51:01 AM

Hi,

Using NetBSD/i386 5.99.55, I cannot connect to the following servers
with OpenSSL 1.0.1-stable 05 Jun 2011.

Servers: (port: 443)
www.netbk.co.jp
pc.sbisonpo.co.jp
secure.nicovideo.jp


For example,

% openssl version
WARNING: can't open config file: /etc/openssl/openssl.cnf
OpenSSL 1.0.1-stable 05 Jun 2011

% uname -a
NetBSD hydrogen.elements.tetera.org 5.99.55 NetBSD 5.99.55 (LEAFGIRL4) #11: Wed Jul 20 01:20:26 JST 2011 ro...@hydrogen.elements.tetera.org:/usr/obj/sys/arch/i386/compile/LEAFGIRL4 i386

% openssl s_client -connect www.netbk.co.jp:443
WARNING: can't open config file: /etc/openssl/openssl.cnf
CONNECTED(00000006)

(timeout...)


But,

% openssl s_client -connect www.netbk.co.jp:443 -ssl3

works well.


Is this a bug of NetBSD-current?

Thank you.


P.S.
I do not know about OpenSSL 1.0.1-stable 05 Jun 2011 on non-NetBSD.

--
Ryo ONODERA // ryo...@yk.rim.or.jp
PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB FD1B F404 27FA C7D1 15F3


Matthias Drochner

Jul 29, 2011, 1:47:33 PM

ryo...@yk.rim.or.jp said:
> Using NetBSD/i386 5.99.55, I cannot connect to following servers with
> OpenSSL 1.0.1-stable 05 Jun 2011.

I'm not a big expert in SSL/TLS things, but since no one else
has answered so far:
current OpenSSL seems to try TLS1.2 initially. It seems that
there are servers which just hang after such a connection
attempt instead of engaging in negotiation.

> % openssl s_client -connect www.netbk.co.jp:443 -ssl3
> works well.

tls1 too. tls1_1 fails immediately. tls1_2 hangs.

So either our openssl is too new for this world, or these
servers are too old/buggy...

best regards
Matthias


Matthias Scheler

Jul 30, 2011, 4:02:02 AM

On Fri, Jul 29, 2011 at 07:47:33PM +0200, Matthias Drochner wrote:
> current OpenSSL seems to try TLS1.2 initially. It seems that
> there are servers which just hang after such a connection
> attempt instead of engaging in negotiation.

Is it possible that the OpenSSL TLS 1.2 handshake is broken?

Kind regards

--
Matthias Scheler http://zhadum.org.uk/
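
The per-version results reported in this thread (tls1 works, tls1_1 fails immediately, tls1_2 hangs) can be reproduced with a probe that offers one protocol version at a time and separates a stalled handshake from an immediate failure. This is an added example, not code from the thread; `probe` and `scan` are names chosen here, and certificate verification is switched off because only protocol negotiation is being tested.

```python
import socket
import ssl

# Versions offered one at a time. SSLv3 is left out because current OpenSSL
# builds normally ship without it.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]

def probe(host, port, version, timeout=5.0):
    """Offer exactly one protocol version and classify what the server does.

    "ok"          handshake completed
    "hang"        TCP connected, but no handshake reply before the timeout
    "fail"        handshake rejected or connection dropped right away
    "unsupported" the local OpenSSL build cannot offer this version
    "unreachable" TCP connect itself failed
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Diagnostic only: protocol negotiation is under test, not server identity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return "unsupported"
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
        except socket.timeout:
            return "hang"
        except (ssl.SSLError, OSError):
            # Also reached when local policy forbids the version (e.g. TLS 1.0).
            return "fail"

def scan(host, port, timeout=5.0):
    """Probe each version separately; 'ok' for old versions next to 'hang'
    for newer ones is the version-intolerance pattern from the thread."""
    return {v.name: probe(host, port, v, timeout) for v in VERSIONS}

if __name__ == "__main__":
    # Constructed stand-in for a stalled server: a listener that never answers.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    print(scan("127.0.0.1", srv.getsockname()[1], timeout=1.0))
```

A "hang" only for the newest versions points at the server or a middlebox stalling on the ClientHello, while "fail" on every version points at the client side or at local policy.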
