[csw-maintainers] OpenSSL connection issue

Dagobert Michelsen dam at opencsw.org
Fri Apr 19 16:04:52 CEST 2013


Hi Yann,

I just got a bug report for wget not being able to download the patchdiag.xref via https:
  https://www.opencsw.org/mantis/view.php?id=5068

I can reproduce the problem with openssl:

> root at login :/root > openssl s_client -connect getupdates.oracle.com:443
> CONNECTED(00000006)
> write:errno=131
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 321 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> zsh: 13656 exit 1     openssl s_client -connect getupdates.oracle.com:443
> root at login :/root > 


It should look like this:

> root at login :/root > openssl s_client -connect www.google.com:443
> CONNECTED(00000006)
> depth=1 C = US, O = Google Inc, CN = Google Internet Authority
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> write:errno=0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>    i:/C=US/O=Google Inc/CN=Google Internet Authority
>  1 s:/C=US/O=Google Inc/CN=Google Internet Authority
>    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---
> Server certificate
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
> issuer=/C=US/O=Google Inc/CN=Google Internet Authority
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1900 bytes and written 81 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-RC4-SHA
>     Session-ID: 
>     Session-ID-ctx: 
>     Master-Key: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1366380057
>     Timeout   : 300 (sec)
>     Verify return code: 20 (unable to get local issuer certificate)
> ---
> zsh: 13518 exit 1     openssl s_client -connect www.google.com:443

Other https-sites of course work also, just not Oracle :-(

Any idea how to investigate this?


Best regards

  -- Dago
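
The two transcripts in the message above differ in a few summary lines: bytes read, negotiated cipher, and verify return code. As an added example that is not part of the original message, this shell function reads a saved `openssl s_client` transcript and reports which stage the handshake reached; `classify_s_client`, `sample_failed` and `sample_ok` are hypothetical names, and the samples are abridged from the output quoted above.

```shell
#!/bin/sh
# Added example: triage a saved `openssl s_client` transcript.
# classify_s_client is a hypothetical helper; it reads a transcript on stdin
# (mail-quoted "> " prefixes are tolerated) and prints one verdict line.
classify_s_client() {
    sed 's/^> \{0,1\}//' | awk '
        BEGIN { werr = "n/a" }
        /^SSL handshake has read/ { read_bytes = $5; seen = 1 }
        /^write:errno=/           { split($0, a, "="); werr = a[2] }
        /Cipher is/               { cipher = $NF }
        /Verify return code:/     { vrc = $4 }
        END {
            if (!seen) { print "incomplete: no handshake summary in transcript"; exit }
            if (read_bytes == 0) {
                # Nothing came back after our ClientHello: no certificate, no alert.
                print "aborted: peer sent no handshake bytes (write errno " werr ")"; exit
            }
            if (cipher == "(NONE)") { print "failed: peer replied but no cipher was negotiated"; exit }
            if (vrc != "" && vrc != 0) {
                print "negotiated " cipher ", chain not verified (code " vrc ")"; exit
            }
            print "negotiated " cipher ", chain verified"
        }'
}

# Sample input, abridged from the two transcripts in the message above.
sample_failed() { cat <<'EOF'
> CONNECTED(00000006)
> write:errno=131
> ---
> no peer certificate available
> ---
> SSL handshake has read 0 bytes and written 321 bytes
> ---
> New, (NONE), Cipher is (NONE)
EOF
}
sample_ok() { cat <<'EOF'
> write:errno=0
> SSL handshake has read 1900 bytes and written 81 bytes
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
>     Verify return code: 20 (unable to get local issuer certificate)
EOF
}

sample_failed | classify_s_client
sample_ok | classify_s_client
```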


