Isolating the problem is more or less simple:
openssl s_client -connect www.cia.gov:443
shows the intermittent failures as well, so we can rule out all
applications (curl, wget, ...). Has to be some basic thing.

I tend to observe the failure with s_client not on the first attempt but
on the nth attempt in a row. I would guess(!) that it may be some
DoS protection measure that prevents too many new connections
(from the same site).
Firefox (and other browsers) would use session caching so that the
server could see that it is actually the same client coming in again.
This of course could only be seen after the client hello with a
proposed session to be reused comes in and could not be done at
the firewall level.
Again: this is just a GUESS!

Best regards,
Lutz

Alex Lam wrote:
> That's TLSv1, not SSLv2.
>
> 0000: 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 ....c......9..8.
> 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..............
> 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .........3..2../
> 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A.......
> 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 ................
> 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@.........
> 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff ................
> 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y........
>
> On 10/23/07, *Jake Goulding* > > wrote:
>
> Hey all:
>
> We use curl to retrieve webpages, and recently started receiving an
> intermittent (40-60% of the time) error when retrieving a page
> from the
> CIA. About two weeks ago, they switched to running https only,
> with the
> http URLs being forwarded to the https equivalents.
>
> The error we receive is:
>
> $ curl 'https://www.cia.gov/about-cia/faqs/'
> curl: (35) Unknown SSL protocol error in connection to
> www.cia.gov:443
>
> Using the --trace option, I see this:
>
> == Info: About to connect() to www.cia.gov
> port 443 (#0)
> == Info: Trying 198.81.129.100.. . == Info: connected
> == Info: Connected to www.cia.gov
> (198.81.129.100 ) port 443 (#0)
> == Info: successfully set certificate verify locations:
> == Info: CAfile: /etc/ssl/certs/ca- certificates.crt
> CApath: none
> == Info: SSLv2, Client hello (1):
> => Send SSL data, 124 bytes (0x7c)
> 0000: 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 ....c......9..8.
> 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00
> .5..............
> 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .........3..2../
> 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A.......
> 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
> ................
> 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@.........
> 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff ................
> 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y........
> == Info: Unknown SSL protocol error in connection to
> www.cia.gov:443
> == Info: Closing connection #0
>
> Unfortunately, I don't grok SSL hex :-) .
>
> I have tried this and received the same error with the following
> versions:
> curl-7.12.1-8.rhel4 / openssl-0.9.7a-43.14
> curl-7.12.1-11.el4 / openssl-0.9.7a-43.16
> curl-7.16.1 / openssl-0.9.8e
> curl-7.17.0 / openssl-0.9.8f
>
> Firefox does not seem to have any issues with this page.
>
> I asked the curl mailing list about this error, and got the following
> response:
>
> > This is apparently has nothing to do with curl. I got the same
> > intermittent errors with lynx, w3m, wget, you name it. I am using
> > OpenSSL 0.9.8g 19 Oct 2007.

>
> Any help would be greatly appreciated. Please let me know if I can
> provide more information.
>
> Thanks!
> __________________________________________________ ____________________
>
> OpenSSL Project http://www.openssl.org
> User Support Mailing
> List openssl-users@openssl.org
> penssl-users@openssl.org>
> Automated List Manager
> majordomo@openssl.org
>
>


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org