Hello,

> We use curl to retrieve webpages, and recently started receiving an
> intermittent (40-60% of the time) error when retrieving a page from the
> CIA. About two weeks ago, they switched to running https only, with the
> http URLs being forwarded to the https equivalents.
>
> The error we receive is:
>
> $ curl 'https://www.cia.gov/about-cia/faqs/'
> curl: (35) Unknown SSL protocol error in connection to www.cia.gov:443
>
> Using the --trace option, I see this:
>
> == Info: About to connect() to www.cia.gov port 443 (#0)
> == Info: Trying 198.81.129.100... == Info: connected
> == Info: Connected to www.cia.gov (198.81.129.100) port 443 (#0)
> == Info: successfully set certificate verify locations:
> == Info: CAfile: /etc/ssl/certs/ca-certificates.crt
> CApath: none
> == Info: SSLv2, Client hello (1):
> => Send SSL data, 124 bytes (0x7c)
> 0000: 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 ....c......9..8.
> 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..............
> 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .........3..2../
> 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A.......
> 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 ................
> 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@.........
> 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff ................
> 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y........
> == Info: Unknown SSL protocol error in connection to www.cia.gov:443
> == Info: Closing connection #0

I think that this is a CIA webserver problem.
You may test this with:

$ openssl s_client -connect www.cia.gov:443 -state -debug -msg [[-ssl3] [-tls1]]

and in any combination, after some successful connections, you will get
failed connections.
For example:

$ openssl s_client -connect www.cia.gov:443 -state -debug -msg
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x9b5bdb0 [0x9b5bdf8] (142 bytes => 142 (0x8E))
0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00   ......c... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00   ..3..2../.....f.
0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00   .............c..
0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40   b..a...........@
0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00   ..e..d..`.......
0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 e1 99   ................
0070 - 17 7c d8 8d 06 53 4e a1-cf 05 40 af 27 57 da e1   .|...SN...@.'W..
0080 - 51 26 ea f1 50 f9 f6 ba-47 7d 70 74 00 35         Q&..P...G}pt.5
>>> SSL 2.0 [length 008c], CLIENT-HELLO
    01 03 01 00 63 00 00 00 20 00 00 39 00 00 38 00
    00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
    33 00 00 32 00 00 2f 03 00 80 00 00 66 00 00 05
    00 00 04 01 00 80 08 00 80 00 00 63 00 00 62 00
    00 61 00 00 15 00 00 12 00 00 09 06 00 40 00 00
    65 00 00 64 00 00 60 00 00 14 00 00 11 00 00 08
    00 00 06 04 00 80 00 00 03 02 00 80 e1 99 17 7c
    d8 8d 06 53 4e a1 cf 05 40 af 27 57 da e1 51 26
    ea f1 50 f9 f6 ba 47 7d 70 74 00 35
SSL_connect:SSLv2/v3 write client hello A
read from 0x9b5bdb0 [0x9b61358] (7 bytes => 0 (0x0))
4176:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

As you see, after sending the client_hello the remote server just quits the
connection; there is no alert information (for example about unsupported
ciphers or something), the connection is simply dropped:

-> read from 0x9b5bdb0 [0x9b61358] (7 bytes => 0 (0x0))

I think that the error is in the remote site.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
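
Added example (not part of the original message and not OpenSSL or curl code): a Python decoder for the SSLv2-format CLIENT-HELLO that both traces above show being sent, using the field layout given in RFC 5246, Appendix E.2. The names parse_v2_client_hello and CURL_HELLO are made up for this example; the bytes are copied from the curl trace quoted above.

```python
import struct

# Bytes copied from the curl --trace dump quoted in the message above.
CURL_HELLO = bytes.fromhex("".join("""
01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00
00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00
13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f
00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03
00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08
00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff
74 f1 92 59 c8 a0 f1 ba ab c0 dd 89
""".split()))


def parse_v2_client_hello(data: bytes) -> dict:
    """Decode an SSLv2-format CLIENT-HELLO (layout: RFC 5246, Appendix E.2)."""
    # openssl -debug shows the 2-byte record header (high bit set); curl does not.
    if len(data) >= 2 and data[0] & 0x80:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        data = data[2:]
        if rec_len != len(data):
            raise ValueError("record length does not match payload")
    if len(data) < 9:
        raise ValueError("truncated CLIENT-HELLO header")
    msg_type, major, minor, spec_len, sid_len, chal_len = struct.unpack(
        ">BBBHHH", data[:9])
    if msg_type != 1:
        raise ValueError("not a CLIENT-HELLO")
    if spec_len % 3 or len(data) != 9 + spec_len + sid_len + chal_len:
        raise ValueError("length fields are inconsistent with the message")
    specs = [data[i:i + 3] for i in range(9, 9 + spec_len, 3)]
    return {
        "version": (major, minor),                  # (3, 1) is TLS 1.0
        # A non-zero first byte marks a native SSLv2 cipher kind; a zero
        # first byte prefixes a 2-byte SSLv3/TLS cipher suite number.
        "ssl2_kinds": [s.hex() for s in specs if s[0]],
        "tls_suites": [int.from_bytes(s[1:], "big") for s in specs if not s[0]],
        "session_id_len": sid_len,
        "challenge": data[9 + spec_len + sid_len:],
    }


if __name__ == "__main__":
    h = parse_v2_client_hello(CURL_HELLO)
    print("offered version:", h["version"])
    print("SSLv2 cipher kinds:", h["ssl2_kinds"])
    print("SSLv3/TLS suites:", [f"0x{s:04x}" for s in h["tls_suites"]])
    print("challenge bytes:", len(h["challenge"]))
```

Run on the curl trace, it reports an offered version of (3, 1) with 7 SSLv2 cipher kinds and 26 SSLv3/TLS suites, which is the hello after which the server closed the connection.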