For any SSL connection, you have to make sure that:

1- The CPUs can reach each other (the hostname "test.mydomain.com" must
also be resolved). You may use ping, HTTP or FTP to check it;
2- The certificates or CA chain from each endpoint must be installed on the
opposite side as trusted certs;
3- Both sides must have at least one cipher in common;
4- No NAT or firewall is filtering the messages.

I have never made a connection with the openssl command line, so I can't tell
you how to check it.

I advise you to use a sniffer on at least one side; then you can find the
error, e.g. where the handshake is failing, get the error code, etc. Using
this you might be able to solve your problem.

From what I saw in your logs, perhaps one side doesn't trust the opposite
cert it received. That may happen for many reasons. I've already seen some
cases where the hostname (in your case "test.mydomain.com") must match the
certificate common name (CN).

I hope it helps.
Leonardo


-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On
behalf of Supratik Goswami
Sent: Tuesday, 11 September 2012 10:15
To: openssl-users@openssl.org
Subject: Re: HTTPS connection hangs during SSL handshake

Is there no one in the community who can help me find the cause of
the problem?

On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami
<supratiksek...@gmail.com> wrote:
> I am using OpenSSL version openssl-1.0.0j in our production.
>
> I am facing a strange problem where the SSL connection simply hangs
> during initial handshake when requested from our office IP address.
> When I run the same command from another IP address it works fine.
>
> From office IP (Unsuccessful connection):
>
> [root@gateway ]# openssl s_client -connect test.mydomain.com:443
> CONNECTED(00000003)
>
>
> From a different IP (Successful connection):
>
> ubuntu@ip-10-0-0-10 (Development):~$ openssl s_client -connect
> test.mydomain.com:443
> CONNECTED(00000003)
> depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert
> Class 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
>    i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
>  1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
>    i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2
> Certification Authority
>  2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2
> Certification Authority
>    i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
>  3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
>    i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
>
> REMOVED FOR SECURITY REASON
>
> -----END CERTIFICATE-----
> subject=/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
> issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4827 bytes and written 435 bytes
> ---
> New, TLSv1/SSLv3, Cipher is RC4-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : RC4-SHA
>     Session-ID: 
> 276ADBFB75336E7E870C5E109B4C5F6AFB8328C8775029EF135C5DA6F8608533
>     Session-ID-ctx:
>     Master-Key:
> 22B470A67XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXB50ED6237BE9
>     Key-Arg   : None
>     Start Time: 1346765613
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
>
>
>
> Any ideas ?
>
>
> --
> Warm Regards
>
> Supratik



-- 
Warm Regards

Supratik
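Leonardo's four checks (name resolution, reachability, a common cipher, nothing filtering the path) can be walked mechanically for the exact symptom in this thread: s_client prints CONNECTED and then nothing. The script below is an added example by the editor, not code from the thread or from OpenSSL. It builds a minimal ClientHello carrying SNI, sends it over a plain TCP socket with a timeout, and reports at which stage the exchange died. The host name test.mydomain.com and port 443 are taken from the thread; the cipher-suite numbers are the standard IANA codes (0x0005 is RC4-SHA, the suite the working side negotiated).

```python
"""Stage-by-stage TLS handshake probe.

Added example, not code from the original thread or from OpenSSL.  It
resolves the name, opens the TCP socket, sends a minimal ClientHello with
SNI and classifies whatever comes back within a timeout.  The default host
name and port are assumptions taken from the thread.
"""
import socket
import struct

# Record/handshake versions by (major, minor); TLSv1.0 is what the posted log negotiated.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Alert descriptions a probe is most likely to see (RFC 5246, section 7.2).
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
               70: "protocol_version", 112: "unrecognized_name"}


def build_client_hello(server_name, cipher_suites=(0x0005, 0x002F, 0x0035)):
    """Return one TLS record holding a ClientHello with an SNI extension.

    Default suites: RC4-SHA (0x0005, the one in the posted log), AES128-SHA
    and AES256-SHA.  The record layer says TLSv1.0 and the hello offers up to
    TLSv1.2, which is how clients of that era negotiated.
    """
    random_bytes = b"\x00" * 32          # constructed; a probe needs no entropy
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    name = server_name.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # NameType host_name = 0
    ext_data = struct.pack("!H", len(entry)) + entry        # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data
    body = (b"\x03\x03" + random_bytes + b"\x00"             # client_version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                    # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Describe the first TLS record the server sent back, or the lack of one."""
    if not data:
        return "no reply: TCP connected but nothing answered the ClientHello"
    if len(data) < 5:
        return "short read of %d bytes, not a TLS record" % len(data)
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    version = VERSION_NAMES.get((major, minor), "version %d.%d" % (major, minor))
    if ctype == 0x16 and len(data) > 5 and data[5] == 0x02:   # handshake, server_hello
        return "ServerHello (%s record)" % version
    if ctype == 0x15 and len(data) >= 7:                       # alert: level, description
        level = "fatal" if data[5] == 2 else "warning"
        return "alert %s: %s" % (level, ALERT_NAMES.get(data[6], "code %d" % data[6]))
    return "unexpected record type 0x%02x (%s)" % (ctype, version)


def probe(host, port=443, timeout=5.0):
    """Return (stage, detail); stage is 'dns', 'tcp', 'tls' or 'ok'.

    'tls' with a 'no reply' detail is the thread's symptom: the three-way
    handshake succeeds but the ClientHello is swallowed, which points at a
    filtering device on the path rather than at certificates or ciphers.
    An alert is still a reply, i.e. the path is clean and the problem is negotiation.
    """
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)[0][4]
    except socket.gaierror as exc:
        return "dns", "cannot resolve %s: %s" % (host, exc)
    try:
        sock = socket.create_connection(addr[:2], timeout=timeout)
    except OSError as exc:
        return "tcp", "cannot connect to %s port %d: %s" % (addr[0], port, exc)
    with sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
        except OSError as exc:          # e.g. reset by a middlebox after the hello
            return "tls", "socket error after ClientHello: %s" % exc
    verdict = classify_reply(reply)
    return ("ok" if verdict.startswith("ServerHello") else "tls"), verdict


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "test.mydomain.com"  # assumed, from the thread
    print("%s: %s" % probe(target))
```

Run it from both vantage points in the thread (`python3 probe.py test.mydomain.com`). An `ok` from the development host and a `tls: no reply` from the office gateway means the ClientHello leaves the client but is dropped after the TCP handshake, which is Leonardo's item 4 and not a certificate or cipher problem; a capture on the server side (`tcpdump -i any port 443`) then shows whether the hello ever arrives. The `Verify return code: 19` in the working output is a separate matter: s_client was run without `-CAfile`, so it cannot build a trusted chain, but that does not cause a hang. For item 3, `openssl s_client -connect host:443 -cipher RC4-SHA` with single suites from `openssl ciphers -v` narrows a negotiation failure once the path is known to be clean.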
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
