Some time ago I came across this web-site with HTTPS connection
problems:

  $ wget -S https://www.ihi.dk/
  --23:34:50--  https://www.ihi.dk/
             => `index.html'
  Connecting to www.ihi.dk:443... connected!

  Unable to establish SSL connection.

  Unable to establish SSL connection.
  $

But it works in my browser. So I try with the openssl client:

  $ openssl s_client -connect www.ihi.dk:443
  CONNECTED(00000003)
  592:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:216:
  $

Same problem 8-(
Now it's time to force the SSL protocols manually:

  $ openssl s_client -ssl3 -connect www.ihi.dk:443
  CONNECTED(00000003)
  depth=0 /C=DK/ST=Copenhagen/L=Copenhagen/O=International Health Insurance/CN=www.ihi.dk
  verify error:num=20:unable to get local issuer certificate
  verify return:1
  depth=0 /C=DK/ST=Copenhagen/L=Copenhagen/O=International Health Insurance/CN=www.ihi.dk
  verify error:num=27:certificate not trusted
  verify return:1
  depth=0 /C=DK/ST=Copenhagen/L=Copenhagen/O=International Health Insurance/CN=www.ihi.dk
  verify error:num=21:unable to verify the first certificate
  verify return:1
  ---
  Certificate chain
   0 s:/C=DK/ST=Copenhagen/L=Copenhagen/O=International Health Insurance/CN=www.ihi.dk
     i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
  ---
  Server certificate
  -----BEGIN CERTIFICATE-----
  MIICCjCCAXcCEAUS4W9dOIDJk7K/MmOykJUwDQYJKoZIhvcNAQEEBQAwXzELMAkG
  A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
  VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAw
  MDYxMzAwMDAwMFoXDTAxMDYyNjIzNTk1OVowdTELMAkGA1UEBhMCREsxEzARBgNV
  BAgTCkNvcGVuaGFnZW4xEzARBgNVBAcUCkNvcGVuaGFnZW4xJzAlBgNVBAoUHklu
  dGVybmF0aW9uYWwgSGVhbHRoIEluc3VyYW5jZTETMBEGA1UEAxQKd3d3LmloaS5k
  azBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC8OGOR/9UZ6EFk8oGLVB5C3VbXG5T4
  V5zZJyPRFh7KTBtSnWQvGSxMBwES/n8kIowsX1cRZw2ot1aaU3X8k3KvAgMBAAEw
  DQYJKoZIhvcNAQEEBQADfgAM3sAMXClUWsrMM7Ztx/+HuqEi5rHs4MouKPmj93e0
  U8eV2QqsuwDKIkUxqyLFdiWKCmGbMasAOAOyS1wL7CIu2QCsNFINNBQX4LD19WYg
  +Vh3QHGB4EewkidIZ0Q9AD+DKMqAC45cB6JmbJ512gA3u9z1vpmiL8ZimmXPAg==
  -----END CERTIFICATE-----
  subject=/C=DK/ST=Copenhagen/L=Copenhagen/O=International Health Insurance/CN=www.ihi.dk
  issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 694 bytes and written 238 bytes
  ---
  New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
  Server public key is 512 bit
  SSL-Session:
      Protocol  : SSLv3
      Cipher    : DES-CBC3-SHA
      Session-ID: 114EFD511DE3F7FBDE1A8C917F7E4DC9CA7F66BA5D478FC82778ED923CBE43CA
      Session-ID-ctx: 
      Master-Key: 509D485AC95363FA0F8C2786DFE1E90D78564CAF45F78082EFF81A8FED0E87C1D46B29824AE396EB953907BA0D07EB73
      Key-Arg   : None
      Start Time: 991604431
      Timeout   : 7200 (sec)
      Verify return code: 0 (ok)
  ---
  HEAD / HTTP/1.0

  HTTP/1.1 302 Found
  Server: Lotus-Domino/5.0.6
  Date: Sun, 03 Jun 2001 22:30:51 GMT
  Location: ihihome.nsf/all/e_main
  Connection: close
  Content-Type: text/html
  Content-Length: 310

  read:errno=0
  $ 

BINGO !
Now I change line 54 in src/gen_sslfunc.c:
  /* meth = SSLv23_client_method (); */
  meth = SSLv3_client_method ();


  $ wget -S https://www.ihi.dk/
  --23:35:36--  https://www.ihi.dk/
             => `index.html'
  Connecting to www.ihi.dk:443... connected!
  HTTP request sent, awaiting response... 302 Found
  2 Server: Lotus-Domino/5.0.6
  3 Date: Sun, 03 Jun 2001 22:31:12 GMT
  4 Location: ihihome.nsf/all/e_main
  5 Connection: close
  6 Content-Type: text/html
  7 Content-Length: 310
  8 
  Location: ihihome.nsf/all/e_main [following]
  --23:35:37--  https://www.ihi.dk/ihihome.nsf/all/e_main
             => `e_main'
  Connecting to www.ihi.dk:443... connected!
  HTTP request sent, awaiting response... 200 OK
  2 Server: Lotus-Domino/5.0.6
  3 Date: Sun, 03 Jun 2001 22:36:54 GMT
  4 Connection: close
  5 Content-Type: text/html; charset=US-ASCII
  6 Content-Length: 1404
  7 Last-Modified: Wed, 23 May 2001 14:23:36 GMT
  8 

      0K .                                                     100% @  1.34 MB/s

  23:35:37 (1.34 MB/s) - `e_main' saved [1404/1404]

  $ wget -S https://www.ihi.dk/

Now that was a really crude "solution". I'm not so familiar with openssl,
but isn't it supposed to just use the right SSL protocol? If this is the
expected behavior and not a bug in openssl, then we should allow the user
to override the SSL protocol used (maybe a --ssl-version=ssl3 or
something). Or even better, circle through them all till it "clicks" (if
that's possible).

  $ openssl version
  OpenSSL 0.9.6 24 Sep 2000

-- 
Med venlig hilsen / Kind regards

Hack Kampbjørn               [EMAIL PROTECTED]
HackLine                     +45 2031 7799
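
The two ideas that close the message (a user-selectable protocol version, or trying versions until one connects), sketched with Python's ssl module as an added example; it is not wget's code and not part of the original post. The names `negotiate`, `tls_handshake`, `pinned_context` and the `floor` parameter are assumptions of this sketch; the floor is there because unbounded fallback lets anyone who can break the stronger handshakes on the wire push the client down to the weakest version.

```python
import socket
import ssl

# Newest first. SSLv3, the version pinned in the post, is disabled by default
# in current OpenSSL builds, so this list (an assumption of the example)
# stops at TLS 1.0.
VERSIONS = [ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_2,
            ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1]


def pinned_context(version):
    """Verifying client context that offers exactly one protocol version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def tls_handshake(host, port, version, timeout=5.0):
    """Handshake at one pinned version; returns the negotiated version name."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def negotiate(host, port=443, pin=None, floor=ssl.TLSVersion.TLSv1_2,
              handshake=tls_handshake):
    """Return (version, result, failures) for the first version that connects.

    pin   -- explicit operator override, like the proposed --ssl-version
    floor -- automatic fallback never goes below this version
    """
    candidates = [pin] if pin is not None else [v for v in VERSIONS if v >= floor]
    failures = []
    for version in candidates:
        try:
            return version, handshake(host, port, version), failures
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            failures.append((version, str(exc)))
    tried = [v.name for v in candidates]
    raise ConnectionError(f"handshake failed for {tried}: {failures}")
```

The returned `failures` list records every version that was refused before the one that worked, which is what a log line should carry so a silent drop to an older protocol is visible afterwards.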
