testlog attached, repro shown below. problem does not manifest when s_client is used without specifying a protocol or when ./config;make is run without options. gnutls does this:
$ gnutls-cli --port 443 my.usda.gov
Resolving 'my.usda.gov'...
Connecting to '199.134.226.12:443'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.
$

so it seems like there is a server-side problem. unclear why it ever works, though.

/bb

openssl_testlog
$ /usr/local/ssl/bin/openssl s_client -host my.usda.gov -port 443 -tls1
CONNECTED(00000003)
2383:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

$ /usr/local/ssl/bin/openssl s_client -host my.usda.gov -port 443 -ssl3
CONNECTED(00000003)
2384:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

$ /usr/local/ssl/bin/openssl s_client -host my.usda.gov -port 443 -ssl2
CONNECTED(00000003)
depth=0 /C=US/ST=Missouri/L=Kansas City/O=U.S. Dept. of Agriculture/ OU=Terms of use at www.verisign.com/rpa (c)00/CN=my.usda.gov
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Missouri/L=Kansas City/O=U.S. Dept. of Agriculture/ OU=Terms of use at www.verisign.com/rpa (c)00/CN=my.usda.gov
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Missouri/L=Kansas City/O=U.S. Dept. of Agriculture/ OU=Terms of use at www.verisign.com/rpa (c)00/CN=my.usda.gov
verify error:num=21:unable to verify the first certificate
verify return:1
---
Server certificate
subject=/C=US/ST=Missouri/L=Kansas City/O=U.S. Dept. of Agriculture/ OU=Terms of use at www.verisign.com/rpa (c)00/CN=my.usda.gov
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
DES-CBC3-MD5
---
SSL handshake has read 1243 bytes and written 239 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: EC0600003D2068CEEF112F48AB3F0000
    Session-ID-ctx:
    Master-Key: 4AAD5841ABA17FF6EC5E09616486065F0472921777F392D2
    Key-Arg   : 0825807C36EEB573
    Start Time: 1211044334
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

$ /usr/local/ssl/bin/openssl s_client -host my.usda.gov -port 443
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Missouri/L=Kansas City/O=U.S. Dept. of Agriculture/ OU=NITC/OU=Terms of use at www.verisign.com/rpa (c)00/CN=my.usda.gov
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=Missouri/L=Kansas City/O=U.S. Dept. of Agriculture/ OU=NITC/OU=Terms of use at www.verisign.com/rpa (c)00/CN=my.usda.gov
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
No client certificate CA names sent
---
SSL handshake has read 2765 bytes and written 337 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: E40F0000F0088EBB58585858585858585858585858585858F9112F4879400000
    Session-ID-ctx:
    Master-Key: BEAE98C6F6C1E820EF6EA8A776D3D28ADA50B444D6B846BB2D230B0E699B0D5DB29F36A04313EC012B20999B78A52811
    Key-Arg   : None
    Start Time: 1211044343
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
$