Hello, I was trying to establish a secure connection from an old Linux box to an internal AD server (via LDAPS) but it was failing during the handshake. The AD server accepts SSL2, SSL3 and TLS1. See below the output: $ openssl s_client -connect myserver.rogers.com:636 -CAfile /home/myuser/openssl/certs/myserver_cert.pem CONNECTED(00000003) 182899955200:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 318 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated --- However, if I add any of the following command line options then it works: -ssl2, -ssl3, -tls1, -no_tls1, -no_tls1_1, -no_tls1_2. See below the output: $ openssl s_client -connect myserver.rogers.com:636 -CAfile /home/myuser/openssl/certs/myserver_cert.pem -tls1 CONNECTED(00000003) depth=1 C = CA, O = Rogers Inc., OU = Security, CN = Architecture verify return:1 depth=0 CN = MYSERVER.rogers.com verify return:1 --- Certificate chain 0 s:/CN=MSERVER.rogers.com i:/C=CA/O=Rogers Inc./OU=Security/CN=Architecture --- Server certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- subject=/CN=MYSERVER.rogers.com issuer=/C=CA/O=Rogers Inc./OU=Security/CN=Architecture --- Acceptable client certificate CA names ... Client Certificate Types: RSA sign, DSA sign --- SSL handshake has read 4746 bytes and written 404 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1 Cipher : RC4-MD5 Session-ID: 6D0500005CFB1BC5194D8B3BD939EADFD5AFF2E19D92CA010A54696403E63E99 Session-ID-ctx: Master-Key: 707D5B10E21FF30B29238D6637C19ACC79382208DBE8F72A05C605424B63258B1B1C4A83C67F17B8E0A62EF67B2B6703 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1438364635 Timeout : 7200 (sec) Verify return code: 0 (ok) --- This is the OpenSSL version I'm using: $ openssl version -a OpenSSL 1.0.2d 9 Jul 2015 built on: reproducible build, date unspecified platform: linux-x86_64 options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM OPENSSLDIR: "/home/myuser/openssl" My client box is an old Red Hat Enterprise Linux AS release 4 (Nahant Update 9). Below is a little extra info on it, in case it helps: $ uname -a Linux elxin009 2.6.9-100.ELsmp #1 SMP Tue Feb 1 12:04:42 EST 2011 x86_64 x86_64 x86_64 GNU/Linux $ ldd ~/bin/openssl libssl.so.1.0.0 => /home/myuser/lib/libssl.so.1.0.0 (0x0000002a95558000) libcrypto.so.1.0.0 => /home/myuser/lib/libcrypto.so.1.0.0 (0x0000002a956c9000) libdl.so.2 => /lib64/libdl.so.2 (0x00000035ebe00000) libz.so.1 => /home/myuser/lib/libz.so.1 (0x0000002a959e2000) libc.so.6 => /lib64/tls/libc.so.6 (0x00000035eb900000) /lib64/ld-linux-x86-64.so.2 (0x000000552aaaa000) One final additional information is that I tried to do the exact same thing from a CentOS 6.6 client server and it just worked without any issues using CentOS standard RPMs. However the OpenSSL version there is the following: $ openssl version -a OpenSSL 1.0.1e-fips 11 Feb 2013 built on: Mon Jun 15 18:29:40 UTC 2015 platform: linux-x86_64 options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM OPENSSLDIR: "/etc/pki/tls" engines: dynamic Since my ultimate goal is to connect to the server via LDAPS but apparently OpenLDAP doesn't let me force a particular protocol (TLS1) then I feel I'm stuck. Perhaps I will recompile OpenSSL without TLS to see if it works, but I really don't want to this way. Any ideas how I can make this work? Is this a bug during the handshake phase? Thank you, Felix ________________________________ This communication is confidential. We only send and receive email on the basis of the terms set out at www.rogers.com/web/content/emailnotice<http://www.rogers.com/web/content/emailnotice> Ce message est confidentiel. Notre transmission et r?ception de courriels se fait strictement suivant les modalit?s ?nonc?es dans l?avis publi? ? www.rogers.com/aviscourriel <http://www.rogers.com/aviscourriel> ________________________________