Thanks for the response Matt. The SSL 3 switch was one of many that were tried just for the sake of testing. I tried a few other switches, but am getting the same results.
I did a tcpdump of the attempted connection, and you can see that the initial connection is established, but the connection is immediately dropped after that.
We've been trying to determine if this is an openssl issue (misconfiguration, incompatibility, or whatever), a wget issue, or a network issue somewhere along the path between the two servers. My support end had me try the "no-check-certificate" option to remove the certificate on my server from the equation.
It always fails after trying to initialize the SSL handshake:
[root@hostname ~]# wget https://domain.name.com:8443 --debug
DEBUG output created by Wget 1.14 on linux-gnu.
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2017-10-11 08:45:19-- https://domain.name.com:8443/
Resolving domain.name.com (domain.name.com)... <ip.address>
Caching domain.name.com => <ip.address>
Connecting to domain.name.com (domain.name.com)|<ip.address>|:8443... connected.
Created socket 3.
Releasing 0x0000000002744320 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.
wget https://domain.name.com:8443 --no-check-certificate --debug
[root@hostname ~]# wget https://domain.name.com:8443 --no-check-certificate --debug
DEBUG output created by Wget 1.14 on linux-gnu.
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2017-10-11 08:49:26-- https://domain.name.com:8443/
Resolving domain.name.com (domain.name.com)... <ip.address>
Caching domain.name.com => <ip.address>
Connecting to domain.name.com (domain.name.com)|<ip.address>|:8443... connected.
Created socket 3.
Releasing 0x00000000017b0340 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.
On Wed, Oct 11, 2017 at 5:10 AM, Matt Caswell <matt@xxxxxxxxxxx> wrote:
On 11/10/17 03:57, Paul Greene wrote:
> [root@hostname ~]# wget https://domain.name.com:8443
> --secure-protocol=SSLv3 --debug
> DEBUG output created by Wget 1.14 on linux-gnu.
The "--secure-protocol=SSLv3" bit looks suspect. According to the wget
man page this forces only SSLv3 to be negotiated. If the server doesn't
support it (which is common) then you're out of luck. SSLv3 is very old,
insecure and generally should not be used. Setting "--secure-protocol"
to "auto" (the default) would be a better choice.
Matt
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
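
Added example, not part of the original thread and not code from wget or OpenSSL: when a capture shows the TCP connection established and then dropped, the first bytes the server sends after the ClientHello separate a TLS-level refusal (an alert record) from a silent close on the network path or a non-TLS listener. The function name, result labels and sample payloads below are constructed for illustration.

```python
import struct

# Record layout and alert numbers from RFC 5246; SSLv3 uses the same 5-byte header.
ALERT, HANDSHAKE = 21, 22
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERTS = {10: "unexpected_message", 40: "handshake_failure", 47: "illegal_parameter",
          70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
          112: "unrecognized_name"}


def classify_reply(payload: bytes) -> str:
    """Classify the first bytes a server sent back after the ClientHello."""
    if not payload:
        # FIN/RST with no TLS data: the peer or a device on the path dropped us.
        return "closed-without-tls-data"
    if len(payload) < 5:
        return "truncated"
    ctype, major, minor, length = struct.unpack_from("!BBBH", payload, 0)
    if ctype not in (20, 21, 22, 23) or major != 3:
        # For example a plain-HTTP listener answering on the TLS port.
        return "not-tls"
    version = VERSIONS.get((major, minor), f"unknown({major}.{minor})")
    body = payload[5:5 + length]
    if len(body) < length:
        return "truncated"
    if ctype == ALERT and length == 2:
        level = {1: "warning", 2: "fatal"}.get(body[0], "unknown")
        name = ALERTS.get(body[1], f"alert_{body[1]}")
        return f"alert:{level}:{name}:{version}"
    if ctype == HANDSHAKE and body[:1] == b"\x02" and len(body) >= 6:
        # ServerHello: type(1) + length(3) + server_version(2)
        chosen = VERSIONS.get((body[4], body[5]), "unknown")
        return f"server-hello:{chosen}"
    return f"other-record:{ctype}:{version}"


# Constructed payloads (not taken from the capture mentioned in the thread).
SAMPLES = {
    "protocol refused": bytes.fromhex("15030000020246"),
    "no shared parameters": bytes.fromhex("15030300020228"),
    "silent drop": b"",
    "plain HTTP on 8443": b"HTTP/1.1 400 Bad Request\r\n",
    "handshake proceeds": bytes.fromhex("1603030006020000020303"),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:22} -> {classify_reply(data)}")
```

An alert result points at the TLS configuration of one of the endpoints, while `closed-without-tls-data` points at the listener or something on the path between the two hosts.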