
Try this..

../openssl s_client -tls1 -connect www.cia.gov:443


On 10/24/07, Lutz Jaenicke wrote:
>
> Isolating the problem is more or less simple:
> openssl s_client -connect www.cia.gov:443
> shows the intermittent failures as well, so we can rule out all
> applications (curl, wget, ...). Has to be some basic thing.
>
> I tend to observe the failure with s_client not on the first attempt but
> on the nth attempt in a row. I would guess(!) that it may be some
> DoS protection measure that prevents too many new connections
> (from the same site).
> Firefox (and other browsers) would use session caching so that the
> server could see that it is actually the same client coming in again.
> This of course could only be seen after the client hello with a
> proposed session to be reused comes in and could not be done at
> the firewall level.
> Again: this is just a GUESS!
>
> Best regards,
> Lutz
>
> Alex Lam wrote:
> > That's TLSv1, not SSLv2.
> >
> > 0000: 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 ....c......9..8.
> > 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..............
> > 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .........3..2../
> > 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A.......
> > 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 ................
> > 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@.........
> > 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff ................
> > 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y........
> >
> > On 10/23/07, *Jake Goulding* <goulding@vivisimo.com> wrote:
> >
> > Hey all:
> >
> > We use curl to retrieve webpages, and recently started receiving an
> > intermittent (40-60% of the time) error when retrieving a page from the
> > CIA. About two weeks ago, they switched to running https only, with the
> > http URLs being forwarded to the https equivalents.
> >
> > The error we receive is:
> >
> > $ curl 'https://www.cia.gov/about-cia/faqs/'
> > curl: (35) Unknown SSL protocol error in connection to www.cia.gov:443
> >
> > Using the --trace option, I see this:
> >
> > == Info: About to connect() to www.cia.gov port 443 (#0)
> > == Info:   Trying 198.81.129.100... connected
> > == Info: Connected to www.cia.gov (198.81.129.100) port 443 (#0)
> > == Info: successfully set certificate verify locations:
> > == Info:   CAfile: /etc/ssl/certs/ca-certificates.crt
> >   CApath: none
> > == Info: SSLv2, Client hello (1):
> > => Send SSL data, 124 bytes (0x7c)
> > 0000: 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 ....c......9..8.
> > 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..............
> > 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .........3..2../
> > 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A.......
> > 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 ................
> > 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@.........
> > 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff ................
> > 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89             t..Y........
> > == Info: Unknown SSL protocol error in connection to www.cia.gov:443
> > == Info: Closing connection #0
> >
> > Unfortunately, I don't grok SSL hex :-) .
> >
> > I have tried this and received the same error with the following
> > versions:
> > curl-7.12.1-8.rhel4 / openssl-0.9.7a-43.14
> > curl-7.12.1-11.el4 / openssl-0.9.7a-43.16
> > curl-7.16.1 / openssl-0.9.8e
> > curl-7.17.0 / openssl-0.9.8f
> >
> > Firefox does not seem to have any issues with this page.
> >
> > I asked the curl mailing list about this error, and got the following
> > response:
> >
> > > This apparently has nothing to do with curl. I got the same
> > > intermittent errors with lynx, w3m, wget, you name it. I am using
> > > OpenSSL 0.9.8g 19 Oct 2007.
> >
> > Any help would be greatly appreciated. Please let me know if I can
> > provide more information.
> >
> > Thanks!
> >
> > __________________________________________________ ____________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           majordomo@openssl.org
> >



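As an added example (not from the thread), this Python script decodes the 124-byte dump quoted above, the one curl labels "SSLv2, Client hello": it parses the SSLv2-format hello header and shows what Alex Lam points out, that the framing is SSLv2 but the offered protocol version is 3.1 (TLSv1), and also that the hello carries an empty session id, which is the resumption point Lutz raises. The version and suite-name tables are assumptions taken from the RFC registries, not from the page; only the hex bytes come from the quoted trace.

```python
import struct

# Constructed input: the 124 bytes of the quoted curl "Send SSL data" dump,
# transcribed as-is (the 2-byte SSLv2 record header is not part of the dump).
CLIENT_HELLO = bytes.fromhex(
    "01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 "
    "00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 "
    "13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f "
    "00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 "
    "00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 "
    "12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 "
    "00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff "
    "74 f1 92 59 c8 a0 f1 ba ab c0 dd 89"
)
VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1"}
# A few TLS suite ids (RFC 2246/3268 values, assumed here) so the list is readable.
SUITE_NAMES = {"0039": "DHE-RSA-AES256-SHA", "0038": "DHE-DSS-AES256-SHA",
               "0035": "AES256-SHA", "002f": "AES128-SHA", "000a": "DES-CBC3-SHA",
               "0005": "RC4-SHA", "0004": "RC4-MD5"}


def parse_sslv2_client_hello(data: bytes) -> dict:
    """Decode an SSLv2-format CLIENT-HELLO (msg type 1), checking its length fields."""
    if len(data) < 9 or data[0] != 0x01:
        raise ValueError("not an SSLv2-format CLIENT-HELLO")
    major, minor, spec_len, sid_len, chal_len = struct.unpack(">BBHHH", data[1:9])
    end = 9 + spec_len + sid_len + chal_len
    if spec_len % 3 or end != len(data):
        raise ValueError(f"length fields imply {end} bytes, dump has {len(data)}")
    # Each cipher spec is 3 bytes in SSLv2 framing; a leading 00 marks an SSLv3/TLS suite.
    specs = [data[i:i + 3] for i in range(9, 9 + spec_len, 3)]
    return {
        "version": (major, minor),
        "version_name": VERSION_NAMES.get((major, minor), "unknown"),
        "tls_suites": [s[1:].hex() for s in specs if s[0] == 0x00],
        "sslv2_only_specs": [s.hex() for s in specs if s[0] != 0x00],
        "session_id": data[9 + spec_len:9 + spec_len + sid_len],
        "challenge": data[9 + spec_len + sid_len:end],
    }


def summarize(data: bytes) -> str:
    """Verdict for the thread: SSLv2 framing versus the protocol version actually offered."""
    h = parse_sslv2_client_hello(data)
    names = ", ".join(SUITE_NAMES.get(s, s) for s in h["tls_suites"][:4])
    sid = h["session_id"].hex() or "empty, so no session resumption is offered"
    return (f"SSLv2-framed hello offering {h['version_name']}: {len(h['tls_suites'])} TLS "
            f"suites ({names}, ...), {len(h['sslv2_only_specs'])} SSLv2-only specs, "
            f"session id {sid}")
```

Running `summarize(CLIENT_HELLO)` reports the hello as TLSv1.0 inside SSLv2 framing with no session id; `openssl s_client -tls1` (the command suggested at the top of this message) sends a plain TLS-framed hello instead, which is why it is a useful differential test.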