
My Ubuntu 16.04 system has the following problem:

  • wget and curl hang indefinitely when connecting to a server with HTTPS
  • Both programs work fine with HTTP

Example for curl:

curl -vv https://google.com
* Rebuilt URL to: https://google.com/
*   Trying 172.217.0.174...
* Connected to google.com (172.217.0.174) port 443 (#0)
* found 127 certificates in /etc/ssl/certs/ca-certificates.crt
* found 513 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
# … timeout after some time

Things I have tried:

  • update curl and libssl with apt

How can I diagnose this problem? The system is a "server" so I have no GUI available to check if e.g. a browser works with TLS.

The computer is an Intel NUC 6i7kyk. I've seen this problem on two different computers of this make, but never on any other system.

oarfish
  • Did you try some other website than Google's? – Michael Hampton Jul 08 '20 at 18:32
  • You should try to capture traffic with `tcpdump -w somefile.pcap tcp port 443`. Run this command in one terminal and try to `curl` in a second one. Then grab the file somefile.pcap that it will create and open it with Wireshark on your desktop machine. This may help you to diagnose the problem. (And of course, you checked that this is not just a firewall issue?) – Emmanuel BERNAT Jul 08 '20 at 21:55
  • Is your server time correct? – Timothy Frew Jul 08 '20 at 23:32
  • Interestingly, the problem disappeared after resetting and reconfiguring the router which the host connects to. So unfortunately, I cannot reproduce the problem now. – oarfish Jul 09 '20 at 06:22
  • What changes did you make to the router? Maybe your DNS service was not working properly, degraded, or in the worst case 'spoofed'. What were these reconfigurations you did? – The Unix Janitor Jul 13 '20 at 14:23
  • Could be an SSL inspection problem. I have seen problems multiple times with Cisco SFR as well as with Fortinet SSL inspection functions. Most often with networks behind cloud SSL protection layers. – Gerrit Jul 13 '20 at 15:00
  • If DNS was broken, that would have affected all domain-based internet connectivity, no? We didn't have any problems, just with TLS. The router somehow lost its configuration and it had to be restored, but the settings should be identical, so unclear what changed, if anything. The setup is an LTE router that connects to the internet via AT&T + Tmobile SIMs, but I don't know that that's relevant. – oarfish Jul 13 '20 at 16:31
  • if your server is at _Amazon_ look into the _Community Board_ that they have serious **Network Congestion**. I experienced that myself and there is no attention put on it. The `tcpdump` command will give you insights. – Bodo Hugo Barwich Jul 14 '20 at 08:11
  • Try to set interface MTU a bit lower, like 1472 – Ahmet Özer Jul 14 '20 at 11:05
  • Output of iptables -L -v -n and sniff the tcp traffic like @EmmanuelBERNAT commented above... – Markus Jul 14 '20 at 15:23

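The commenters' suggestions amount to splitting the hang into stages: name resolution (the router's DNS), the TCP connect on 443 (a firewall), and the TLS handshake itself (a PMTU black hole or an SSL-inspecting middlebox, which is where the curl trace above stops: ALPN is offered, meaning the ClientHello went out, and nothing comes back). The script below does that split with explicit timeouts. It is an added example, not code from the question, its commenters, or curl; it assumes only the Python 3 standard library, and `start_silent_listener` is a constructed stand-in for a server whose ServerHello never arrives, so the demonstration runs offline.

```python
import socket
import ssl
import threading
import time

# Added diagnostic helper (not from the question or its comments). It splits
# an HTTPS connection into the stages curl goes through, so a hang can be
# attributed to DNS, the TCP connect, or the TLS handshake itself.

# Likely causes per stage, distilled from the comments on the question.
HINTS = {
    "resolve": "name resolution failed: check /etc/resolv.conf and the router's DNS",
    "tcp": "no TCP connection on 443: firewall or routing problem, not TLS",
    "tls": ("ClientHello sent but no ServerHello: suspect a PMTU black hole "
            "(try a lower interface MTU), an SSL-inspecting middlebox, or a "
            "firewall dropping 443; run tcpdump on port 443 to see which"),
    "ok": "handshake completed; a remaining hang is above TLS (HTTP layer)",
}


def diagnose_tls(host, port=443, timeout=5.0):
    """Return (stage, detail) for one HTTPS connection attempt.

    stage is 'resolve', 'tcp', 'tls' or 'ok'; the first three name the
    step that failed or timed out, detail says how.
    """
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "resolve", str(exc)

    started = time.monotonic()
    try:
        # The timeout becomes the socket timeout, so it also bounds the handshake.
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # covers TimeoutError and ECONNREFUSED alike
        return "tcp", f"{type(exc).__name__}: {exc}"
    tcp_ms = (time.monotonic() - started) * 1000

    ctx = ssl.create_default_context()
    try:
        # wrap_socket runs the handshake at once because raw is already connected.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok", f"tcp {tcp_ms:.0f} ms, {tls.version()}, {tls.cipher()[0]}"
    except (socket.timeout, TimeoutError):
        return "tls", (f"TCP connected in {tcp_ms:.0f} ms but no ServerHello "
                       f"within {timeout}s")
    except ssl.SSLError as exc:
        return "tls", f"handshake error: {exc}"
    finally:
        raw.close()


def start_silent_listener(hold_seconds=30):
    """Constructed stand-in for a server whose TLS replies never arrive:
    it accepts the TCP connection and then says nothing. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        time.sleep(hold_seconds)  # ClientHello arrives, no ServerHello goes back
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def closed_local_port():
    """Constructed helper: a loopback port nothing is listening on."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # Offline demonstration against the constructed black-hole server.
    port = start_silent_listener()
    stage, detail = diagnose_tls("127.0.0.1", port, timeout=2.0)
    print(f"[{stage}] {detail}\n  hint: {HINTS[stage]}")
```

Against a real host, `diagnose_tls("google.com")` returning `tls` with "no ServerHello" is the same picture as the curl trace in the question (TCP connected, ALPN offered, then silence), and that is the moment to start the `tcpdump -w somefile.pcap tcp port 443` capture suggested in the comments; a `tcp` result instead points at the firewall or routing, and `resolve` at DNS.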