OpenSSL issues in Debian Wheezy

ssl curl openssl debian-wheezy

I don't know what is exactly going on but I noticed that curl couldn't get secure pages without adding extra switches.

~# curl -v https://api.dreamhost.com
* About to connect() to api.dreamhost.com port 443 (#0)
*   Trying 75.119.208.14...
* connected
* Connected to api.dreamhost.com (75.119.208.14) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
(hangs for a minute)
* Unknown SSL protocol error in connection to api.dreamhost.com:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to api.dreamhost.com:443

Now, when I add -1 (force tlsv1) or -3 (force sslv3) curl works flawlessly. The problem is that other programs seem to have similar issues, like python scripts.

When I try openssl it hangs like curl

openssl s_client  -connect api.dreamhost.com:443
CONNECTED(00000003)
(HANGS)

write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

The same happens if I use -tls1_2, but it works If I use -ssl3 switch

Additional Data:

OpenSSL> version
OpenSSL 1.0.1e 11 Feb 2013

Does anybody know how to fix this and make curl or openssl work with default settings? I have another machine with Debian lenny that can run both commands flawlessly without any switch.

Thanks!

-Rodrigo


If you run this site against SSLLabs test, you'll see it's intolerant to long handshakes, a problem that certainly affects your version of OpenSSL.

Reducing the cipher list size should help, for example:

openssl s_client -cipher RSA -connect api.dreamhost.com:443

(You can use the --ciphers option for curl.)


So I went ahead and filed a ticket with Dreamhost (Based on the analysis of @Bruno above) because I was having the same issue. It took a few weeks but they actually fixed it. Any other company they probably would have just put me in tech support hell.

Related

Exchange server can't receive from AOL; MapiExceptionNamedPropsQuotaExceeded
Sonicwall routing between multiple subnets on multiple interfaces
HP Proliant DL180 G5 server treats 3-TB SATA disks as 750-GB ones
How to upgrade iDRAC firmware and BIOS of Dell PowerEdge R510?
IIS 8.5 - getting error when returning static 404 file
PDU says to ground to rack with "thread making screw".. this is impossible?
Does the additional load on UPS in case of grid failure amount to 100%?
SQL Server 2008 login problem with ASP.NET application: Failed to open the explicitly specified database
Preload Link using Files Directive in .htaccess
Apache Rewrite or Proxy to internal server
Queries passed to SQL Server are getting corrupted
Justifying a memory upgrade