On Tue, May 26, 2015 at 4:09 AM, Matt Caswell <matt at openssl.org> wrote:
>
> On 26/05/15 04:17, Jerry OELoo wrote:
>> Hi.
>> I found a website which has https support:
>> https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
>> and the browser can show its certificate chain,
>> but when I use openssl to connect to the website, it fails.
>>
>> openssl s_client -connect www.ib-channel.net:443
>> CONNECTED(00000003)
>> write:errno=104
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 0 bytes and written 305 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> ---
>>
>> So what is wrong that openssl cannot get the website's certificate? Thanks!
>>
>
> This appears to be the "server hangs on over-long ClientHello" bug. Some
> buggy servers cannot cope if the ClientHello is longer than 255 bytes.
>
> I get a hang if I attempt to connect to the above site; however, if I pass
> "-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=100" to Configure it all works fine.
> It also works fine if I use "-no_tls1_2" with s_client to disable TLS1.2
> support, or if I set a custom (reduced length) cipher list.
>

Good find. It sounds like an F5 or IronPort appliance. Do we know what the appliance is?
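To make the size effect Matt describes concrete, here is an added example (not code from the thread or from OpenSSL) that serialises a minimal TLS 1.2 ClientHello record with a given cipher-suite list and a server_name extension, and reports whether the record exceeds the 255-byte limit the buggy servers choke on. The wide suite list is constructed filler; `cap_cipher_bytes` mimics what a reduced cipher list or the `OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=100` build option achieves (at most 100 bytes of suite IDs, i.e. 50 suites). Which exact length the appliances measure is an assumption; the full record on the wire is used here.

```python
import struct

# Real IANA suite IDs for a short list (ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384,
# AES128-GCM-SHA256, AES128-SHA, AES256-SHA).
REDUCED_SUITES = [0xC02F, 0xC030, 0x009C, 0x002F, 0x0035]
# Constructed filler standing in for a long default cipher list (100 suites = 200 bytes of IDs).
WIDE_SUITES = [0xC000 + i for i in range(100)]
MAX_SAFE_RECORD_LEN = 255   # threshold quoted in the thread (assumed to apply to the whole record)


def build_client_hello(cipher_suites, server_name):
    """Serialise a TLS 1.2 ClientHello (RFC 5246 7.4.1.2) inside a TLS record."""
    body = b"\x03\x03"                  # client_version: TLS 1.2
    body += b"\x00" * 32                # random (constructed: zeroed for determinism)
    body += b"\x00"                     # session_id length 0
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                 # compression_methods: null only
    host = server_name.encode("ascii")  # server_name extension (RFC 6066), type 0x0000
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    # Handshake header: type client_hello(1) + uint24 length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: handshake(22), version 3.1, uint16 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def cap_cipher_bytes(cipher_suites, max_bytes):
    """Keep only as many suites as fit in max_bytes of suite IDs (2 bytes each)."""
    return cipher_suites[: max_bytes // 2]


def client_hello_too_long(cipher_suites, server_name):
    """True when the resulting record is longer than the 255-byte limit from the thread."""
    return len(build_client_hello(cipher_suites, server_name)) > MAX_SAFE_RECORD_LEN


if __name__ == "__main__":
    for label, suites in [("wide", WIDE_SUITES), ("capped to 100 bytes", cap_cipher_bytes(WIDE_SUITES, 100)),
                          ("reduced", REDUCED_SUITES)]:
        rec = build_client_hello(suites, "www.ib-channel.net")
        print(f"{label}: {len(suites)} suites, record {len(rec)} bytes, "
              f"too long: {client_hello_too_long(suites, 'www.ib-channel.net')}")
```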