OpenSSL Issues – Troubleshooting in Debian Wheezy


I don't know exactly what is going on, but I noticed that curl couldn't get secure pages without adding extra switches.

~# curl -v
* About to connect() to port 443 (#0)
*   Trying
* connected
* Connected to ( port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
(hangs for a minute)
* Unknown SSL protocol error in connection to
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to

Now, when I add -1 (force tlsv1) or -3 (force sslv3), curl works flawlessly. The problem is that other programs seem to have similar issues, like Python scripts.

When I try openssl, it hangs like curl:

openssl s_client  -connect

no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 320 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

The same happens if I use -tls1_2, but it works if I use the -ssl3 switch.

Additional Data:

OpenSSL> version
OpenSSL 1.0.1e 11 Feb 2013

Does anybody know how to fix this and make curl or openssl work with default settings? I have another machine with Debian Lenny that can run both commands flawlessly without any switch.



Best Answer

If you run this site against the SSL Labs test, you'll see it's intolerant to long handshakes, a problem that certainly affects your version of OpenSSL.

Reducing the cipher list size should help, for example:

openssl s_client -cipher RSA -connect

(You can use the --ciphers option for curl.)
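
To see how much a shorter cipher list shrinks the handshake, the following added example (not part of the original answer) builds a ClientHello in memory with Python's ssl module and reports its size and the number of cipher suites offered. It assumes a Python build linked against a current OpenSSL, caps the client at TLS 1.2 to mirror the version in the question, and uses the placeholder name server.example; nothing is sent over the network.

```python
import ssl

def client_hello(ciphers=None):
    """Return the raw first record a client would send, without touching the network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Assumption: cap at TLS 1.2, the newest version OpenSSL 1.0.1e offers.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if ciphers is not None:
        ctx.set_ciphers(ciphers)  # same syntax as `openssl s_client -cipher`
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "server.example" is a placeholder name; nothing is resolved or connected.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="server.example")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued and no reply will ever arrive
    return outgoing.read()

def describe(record):
    """Parse just enough of a ClientHello record to count the offered cipher suites."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32      # record header, handshake header, version, random
    pos += 1 + record[pos]    # session_id length byte plus the session_id itself
    suites_len = int.from_bytes(record[pos:pos + 2], "big")
    return {"bytes": len(record), "cipher_suites": suites_len // 2}

if __name__ == "__main__":
    # Compare the library default with the reduced list suggested in the answer.
    for label, ciphers in (("default", None), ("RSA", "RSA")):
        print(label, describe(client_hello(ciphers)))
```

The "bytes" figure corresponds to the "written N bytes" line printed by openssl s_client; absolute sizes on a current OpenSSL will differ from those of 1.0.1e, but the reduction from a shorter cipher list is the same effect.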