Hello,
> We use curl to retrieve webpages, and recently started receiving an
> intermittent (40-60% of the time) error when retrieving a page from the
> CIA. About two weeks ago, they switched to running https only, with the
> http URLs being forwarded to the https equivalents.
>
> The error we receive is:
>
> $ curl 'https://www.cia.gov/about-cia/faqs/'
> curl: (35) Unknown SSL protocol error in connection to www.cia.gov:443
>
> Using the --trace option, I see this:
>
> == Info: About to connect() to www.cia.gov port 443 (#0)
> == Info: Trying 198.81.129.100... == Info: connected
> == Info: Connected to www.cia.gov (198.81.129.100) port 443 (#0)
> == Info: successfully set certificate verify locations:
> == Info: CAfile: /etc/ssl/certs/ca-certificates.crt
> CApath: none
> == Info: SSLv2, Client hello (1):
> => Send SSL data, 124 bytes (0x7c)
> 0000: 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 ....c......9..8.
> 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..............
> 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .........3..2../
> 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A.......
> 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 ................
> 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@.........
> 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff ................
> 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y........
> == Info: Unknown SSL protocol error in connection to www.cia.gov:443
> == Info: Closing connection #0

I think that this is a CIA webserver problem.
You may test this with:
$ openssl s_client -connect www.cia.gov:443 -state -debug -msg [[-ssl3] [-tls1]]
and, in any combination, after some successful connections you will get failed connections.
For example:
$ openssl s_client -connect www.cia.gov:443 -state -debug -msg
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x9b5bdb0 [0x9b5bdf8] (142 bytes => 142 (0x8E))
0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00 ......c... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00 ..3..2../.....f.
0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00 .............c..
0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40 b..a...........@
0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00 ..e..d..`.......
0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 e1 99 ................
0070 - 17 7c d8 8d 06 53 4e a1-cf 05 40 af 27 57 da e1 .|...SN...@.'W..
0080 - 51 26 ea f1 50 f9 f6 ba-47 7d 70 74 00 35 Q&..P...G}pt.5
>>> SSL 2.0 [length 008c], CLIENT-HELLO

01 03 01 00 63 00 00 00 20 00 00 39 00 00 38 00
00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
33 00 00 32 00 00 2f 03 00 80 00 00 66 00 00 05
00 00 04 01 00 80 08 00 80 00 00 63 00 00 62 00
00 61 00 00 15 00 00 12 00 00 09 06 00 40 00 00
65 00 00 64 00 00 60 00 00 14 00 00 11 00 00 08
00 00 06 04 00 80 00 00 03 02 00 80 e1 99 17 7c
d8 8d 06 53 4e a1 cf 05 40 af 27 57 da e1 51 26
ea f1 50 f9 f6 ba 47 7d 70 74 00 35
SSL_connect:SSLv2/v3 write client hello A
read from 0x9b5bdb0 [0x9b61358] (7 bytes => 0 (0x0))
4176:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

As you see, after sending the client_hello the remote server just quits the connection;
there is no alert information (for example about unsupported ciphers or something),
the connection is simply dropped:
-> read from 0x9b5bdb0 [0x9b61358] (7 bytes => 0 (0x0))

I think that the error is on the remote site.

Best regards,
--
Marek Marcola

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
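The two hex dumps in the thread are the same message in two framings: curl's --trace prints the bare CLIENT-HELLO (it starts at the 0x01 message type), while openssl also prints the 2-byte SSLv2 record header 80 8c in front of it. Both advertise version 03 01 (TLS 1.0) inside an SSLv2-compatible hello, list 33 three-byte cipher specs mixing TLS suites with native SSLv2 ciphers, and are answered by an empty read rather than an alert. The following decoder is an added example, not code from the thread or from OpenSSL or curl; the two hellos are re-typed from the dumps above, the server replies are constructed, and the cipher-name table is a deliberately partial subset (unknown codes are reported by hex).

```python
"""Decode an SSLv2-compatible CLIENT-HELLO and classify the server's reply.

Added example for the openssl-users thread above; not code from the thread,
OpenSSL or curl.  The two hellos are re-typed from the traces in the thread,
the server replies below are constructed, and CIPHER_NAMES is a partial table.
"""

# SSLv2 framing carries 3-byte cipher specs.  A leading 0x00 byte means the
# last two bytes are a TLS/SSLv3 cipher suite id; any other leading byte is a
# native SSLv2 cipher.  Subset only; everything else is reported as "unknown".
CIPHER_NAMES = {
    "000039": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "000038": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "000035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "000016": "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "000013": "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "00000a": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "000033": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "000032": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "00002f": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "000005": "TLS_RSA_WITH_RC4_128_SHA",
    "000004": "TLS_RSA_WITH_RC4_128_MD5",
    "0700c0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
    "030080": "SSL2_RC2_128_CBC_WITH_MD5",
    "010080": "SSL2_RC4_128_WITH_MD5",
    "060040": "SSL2_DES_64_CBC_WITH_MD5",
}

TLS_ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                          40: "handshake_failure", 47: "illegal_parameter",
                          70: "protocol_version"}

# 142 bytes as printed by openssl s_client (with the 80 8c record header).
OPENSSL_HELLO = bytes.fromhex(
    "808c0103010063000000200000390000" "3800003500001600001300000a0700c0"
    "00003300003200002f03008000006600" "00050000040100800800800000630000"
    "62000061000015000012000009060040" "00006500006400006000001400001100"
    "0008000006040080000003020080e199" "177cd88d06534ea1cf0540af2757dae1"
    "5126eaf150f9f6ba477d70740035")

# 124 bytes as printed by curl --trace (bare message, no record header).
CURL_HELLO = bytes.fromhex(
    "01030100630000001000003900003800" "00350000880000870000840000160000"
    "1300000a0700c000003300003200002f" "00004500004400004100000705008003"
    "00800000050000040100800000150000" "12000009060040000014000011000008"
    "000006040080000003020080c9f789ff" "74f19259c8a0f1baabc0dd89")

# Constructed replies: what a server that rejects the hello politely would
# send (TLS 1.0 fatal handshake_failure alert) and an SSLv2 ERROR (NO-CIPHER).
HANDSHAKE_FAILURE_ALERT = bytes.fromhex("15030100020228")
SSLV2_NO_CIPHER_ERROR = bytes.fromhex("8003000001")


def parse_sslv2_client_hello(data: bytes) -> dict:
    """Parse an SSLv2-format CLIENT-HELLO, framed (high bit set in the first
    byte, 2-byte header) or bare (starting at the 0x01 message type)."""
    if data and data[0] & 0x80:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:]
        if len(body) != rec_len:
            raise ValueError(f"record header says {rec_len} bytes, got {len(body)}")
    else:
        body = data
    if len(body) < 9 or body[0] != 0x01:
        raise ValueError("not an SSLv2 CLIENT-HELLO (message type 0x01)")
    version = (body[1], body[2])
    cs_len = int.from_bytes(body[3:5], "big")
    sid_len = int.from_bytes(body[5:7], "big")
    chal_len = int.from_bytes(body[7:9], "big")
    if cs_len % 3 or 9 + cs_len + sid_len + chal_len != len(body):
        raise ValueError("length fields do not add up to the message length")
    specs = body[9:9 + cs_len]
    ciphers = []
    for i in range(0, cs_len, 3):
        code = specs[i:i + 3].hex()
        ciphers.append((code, CIPHER_NAMES.get(code, "unknown"), code.startswith("00")))
    return {"version": version, "ciphers": ciphers,
            "session_id": body[9 + cs_len:9 + cs_len + sid_len],
            "challenge": body[9 + cs_len + sid_len:]}


def classify_server_reply(data: bytes) -> str:
    """Distinguish a silent close (the empty read in both traces) from a TLS
    alert (record type 0x15), a TLS handshake record (0x16) or an SSLv2 ERROR
    message (type 0x00 after the 2-byte record header)."""
    if not data:
        return "connection closed without alert"
    if data[0] == 0x15 and len(data) >= 7:
        level = {1: "warning", 2: "fatal"}.get(data[5], str(data[5]))
        desc = TLS_ALERT_DESCRIPTIONS.get(data[6], f"alert {data[6]}")
        return f"TLS alert ({level}): {desc}"
    if data[0] == 0x16:
        return "TLS handshake record (server accepted the hello)"
    if data[0] & 0x80 and len(data) >= 5 and data[2] == 0x00:
        return f"SSLv2 ERROR, code 0x{int.from_bytes(data[3:5], 'big'):04x}"
    return "unrecognized reply"


if __name__ == "__main__":
    for name, raw in (("openssl", OPENSSL_HELLO), ("curl", CURL_HELLO)):
        h = parse_sslv2_client_hello(raw)
        n_tls = sum(1 for _, _, tls in h["ciphers"] if tls)
        print(f"{name}: version {h['version']}, {len(h['ciphers'])} cipher specs "
              f"({n_tls} TLS, {len(h['ciphers']) - n_tls} SSLv2), "
              f"challenge {len(h['challenge'])} bytes")
        for code, cname, _ in h["ciphers"]:
            print(f"  {code}  {cname}")
    print(classify_server_reply(b""))
    print(classify_server_reply(HANDSHAKE_FAILURE_ALERT))
```

Running it shows what the traces only hint at: both clients send the same kind of hello (SSLv2 record framing, TLS 1.0 version field, seven native SSLv2 ciphers mixed into the list), differing only in their cipher order and 32- versus 16-byte challenge. The `-ssl3` and `-tls1` options mentioned in the reply change exactly this, making s_client send a native SSLv3/TLS ClientHello instead of the compatibility format, which is why they are worth trying against a server that closes the connection on the compatible hello.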