On 26/05/15 04:17, Jerry OELoo wrote:
> Hi.
> I found there is a website which has https support.
> https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
> and browser can show its certificate chain.
> but when I use openssl to connect website, it returns fail.
>
> openssl s_client -connect www.ib-channel.net:443
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> So what is wrong that openssl can not get website's certificate? Thanks!
>

This appears to be the server hang on over long ClientHello bug. Some
buggy servers cannot cope if the ClientHello is longer than 255 bytes.

I get a hang if I attempt to connect to the above site however if I pass
"-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=100" to Configure it all works fine.
It also works fine if I use "-no_tls1_2" with s_client to disable TLS1.2
support, or if I set a custom (reduced length) cipher list.

Matt
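
An added example, not part of the original message or of OpenSSL: a small Python check that parses a captured ClientHello record and reports whether it is over the 255-byte size mentioned in the reply, and how a shorter cipher list brings it back under. Assumptions: the length compared is the handshake message size (the message does not say which length field the buggy servers trip on), and the sample ClientHello is constructed with placeholder cipher-suite values and no extensions.

```python
import struct

LIMIT = 255  # ClientHello size named in the reply above

def build_client_hello(n_suites):
    """Constructed sample: minimal TLS 1.2 ClientHello record, no extensions."""
    # Placeholder suite IDs; only their count matters for the length.
    suites = b"".join(struct.pack("!H", 0xC000 + i) for i in range(n_suites))
    body = (b"\x03\x03"                      # client_version: TLS 1.2
            + bytes(32)                      # random (zeros, sample data)
            + b"\x00"                        # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (handshake_message_len, cipher_suite_count) for one record."""
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body_len = int.from_bytes(record[6:9], "big")
    if rec_len != len(record) - 5 or body_len != rec_len - 4:
        raise ValueError("truncated or fragmented ClientHello")
    pos = 9 + 2 + 32                         # skip version and random
    pos += 1 + record[pos]                   # skip session_id
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher_suites")
    suites_len = struct.unpack("!H", record[pos:pos + 2])[0]
    return body_len + 4, suites_len // 2     # include 4-byte handshake header

def exceeds_limit(record):
    """True if the ClientHello handshake message is longer than LIMIT bytes."""
    return parse_client_hello(record)[0] > LIMIT

def max_suites_within_limit():
    """Largest suite count for which the constructed hello stays within LIMIT."""
    n = 0
    while not exceeds_limit(build_client_hello(n + 1)):
        n += 1
    return n

if __name__ == "__main__":
    for n in (130, 40):
        size, count = parse_client_hello(build_client_hello(n))
        print(f"{count} suites -> {size} bytes, over limit: {size > LIMIT}")
    print("max suites within limit:", max_suites_within_limit())
```
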