
I'm trying to correctly diagnose an issue where the server I have access to doesn't seem to be able to contact another server on the internet over port 443:

~$ curl https://mydomain.co.uk -vvv
* Rebuilt URL to: https://mydomain.co.uk/
*   Trying 1.2.3.4...
* TCP_NODELAY set
* Connected to mydomain.co.uk (1.2.3.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to mydomain.co.uk:443 
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to mydomain.co.uk:443

I've read that this could be because of incompatible ciphers. So I tried it on a different server on a different network, but this time the connection was made successfully:

~$ curl https://mydomain.co.uk -vvv
* Rebuilt URL to: https://mydomain.co.uk/
*   Trying 1.2.3.4...
* TCP_NODELAY set
* Connected to mydomain.co.uk (1.2.3.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=NA; ST=Some Place; L=Some City; O=MyCompany; OU=Technology; CN=*.mydomain.co.uk
*  start date: Mar 15 00:00:00 2018 GMT
*  expire date: Nov 13 12:00:00 2019 GMT
*  subjectAltName: host "mydomain.co.uk" matched cert's "mydomain.co.uk"
*  issuer: C=US; O=AniCert Inc; OU=www.anicert.com; CN=NioTrust RSA CA 2019
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: mydomain.co.uk
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
< Server: nginx
< Date: Mon, 25 Feb 2019 17:30:02 GMT
< Content-Type: text/html
< Content-Length: 154
< Connection: keep-alive
< Location: https://www.mydomain.co.uk
< 
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host mydomain.co.uk left intact

The two servers I tried the curl command from are both the same; the networks they're on differ. The two servers I have access to are running Ubuntu 18.04. I don't have access to the remote server that they're both trying to connect to. I need to be able to pinpoint what the issue is/could be.

So it's not the cipher. What else could cause the TLS handshake to hang like this?

Cheers, Ankur

Ankur22
  • What is different about the networks? What is the site you are trying to connect to? – Michael Hampton Feb 25 '19 at 18:11
  • The server that is having issues connecting to the site is in a network that I have no control over. The other server that does work is at home. The site I'm trying to connect to is a well known transport company... not sure I can say much more than that. – Ankur22 Feb 26 '19 at 09:29
  • You should ask the network administrators at the site you are having trouble. They may have a firewall in place. – Michael Hampton Feb 26 '19 at 13:14

2 Answers


This has been resolved. It was due to the ip being blacklisted. Once it was taken off the connection established successfully.

Ankur22
  • Strange that the initial connection was made OK. – Ed Randall Jun 18 '20 at 07:14
  • Hmmm, yeah, that is odd. Since the TCP packets contain the originating IP information, you'd think that the remote server would prevent the TCP connection from being made. – Ankur22 Jun 24 '20 at 09:20

Probably a coincidence, but I had a similar error today. The server process picking up the connection somehow got half-stuck. Sometimes it picked up all right; the other times it left the client waiting indefinitely at exactly the same point as you have here. Had to kill -9 this server process.

Gerrit
  • I can suggest that to the owners of the site, but it seems to be a networking issue. – Ankur22 Feb 26 '19 at 09:30
  • Seems also similar to this issue: https://github.com/curl/curl/issues/2299. Maybe there is a MTU problem? – Gerrit Feb 26 '19 at 14:26
  • I tried altering the MTU but that doesn't help either – Ankur22 Feb 28 '19 at 14:41
  • Try some variations `curl -v --ciphers DHE-RSA-AES128-GCM-SHA256 https://example.com` , `openssl s_client -connect example.com:443` , `openssl s_client -connect example.com:443 -mtu 1478 -no_ticket -msg -cipher DHE-RSA-AES128-GCM-SHA256`, `openssl s_client -connect example.com:443 -mtu 1478 -no_ticket -msg` – Gerrit Feb 28 '19 at 23:15
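The thread above turns on one distinction that the curl trace shows but is easy to miss: "Connected to mydomain.co.uk (1.2.3.4) port 443" means the TCP handshake completed, and SSL_ERROR_SYSCALL after "Client hello (1)" means the socket died or went quiet at the OS level rather than the server returning a TLS alert. A cipher or protocol mismatch produces an alert (a handshake_failure or protocol_version record), not a syscall error, which is why changing ciphers cannot fix this case; a silent drop after the Client Hello (the IP blacklist in the accepted answer, or Gerrit's half-stuck server process) looks exactly like this. The probe below is an added example, not code from the original thread or from curl/OpenSSL: it separates the TCP stage from the TLS stage and labels each failure mode. The local "fake servers" it talks to are constructed for the demo so it runs offline; point `classify_tls_connect()` at a real host and port to use it for the situation in the question.

```python
"""Stage-separated TLS connectivity probe (added example, not from the original post).

TCP connect first, then the TLS handshake under its own timeout, so a handshake
that hangs after the Client Hello is reported differently from a refused port,
a reset, or a genuine TLS protocol/cipher failure.
"""
import socket
import ssl
import threading
import time


def classify_tls_connect(host, port, timeout=5.0, server_hostname=None):
    """Return a short tag saying where the connection to host:port fails.

    tcp-refused / tcp-timeout     : the TCP handshake itself fails (nothing listening, firewall)
    tls-handshake-timeout         : TCP is up, Client Hello sent, nothing ever comes back
    tls-eof / tls-reset           : TCP is up, peer closed or reset right after the Client Hello
    tls-protocol-error:<reason>   : peer answered, but not with a usable TLS record
                                    (version/cipher mismatch, plain HTTP on the port, ...)
    tls-cert-error:<reason>       : handshake completed but certificate verification failed
    ok:<version>:<cipher>         : handshake succeeded
    """
    ctx = ssl.create_default_context()
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp-timeout"            # SYN dropped: ACL/firewall or routing problem
    except ConnectionRefusedError:
        return "tcp-refused"            # RST to SYN: nothing listening or a reject rule
    except OSError as exc:
        return f"tcp-error:{exc.errno}"

    try:
        # wrap_socket() performs the handshake; the socket timeout bounds it.
        with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
            return f"ok:{tls.version()}:{tls.cipher()[0]}"
    except socket.timeout:
        return "tls-handshake-timeout"  # the SSL_ERROR_SYSCALL-after-Client-Hello case
    except (ssl.SSLEOFError, ssl.SSLZeroReturnError):
        return "tls-eof"
    except ssl.SSLCertVerificationError as exc:
        return f"tls-cert-error:{exc.verify_message}"
    except ssl.SSLError as exc:
        # Newer OpenSSL reports an unexpected EOF as a generic SSLError.
        if "EOF" in str(exc).upper():
            return "tls-eof"
        return f"tls-protocol-error:{exc.reason}"
    except ConnectionError:
        return "tls-reset"              # RST (or broken pipe) after the Client Hello
    finally:
        raw.close()


def start_fake_server(behaviour, hold_seconds=3.0):
    """Local TCP listener that mimics one failure mode (constructed for the demo).

    "blackhole": accept the TCP connection, then never answer the Client Hello
    "close"    : accept, read the Client Hello, close the connection
    "http"     : accept, read the Client Hello, answer with plain HTTP
    Returns the port it listens on.
    """
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def serve():
        conn, _ = lsock.accept()
        with conn:
            if behaviour == "blackhole":
                time.sleep(hold_seconds)          # keep TCP open, send nothing
            elif behaviour == "close":
                conn.recv(4096)                   # consume the Client Hello, then close
            elif behaviour == "http":
                conn.recv(4096)
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        lsock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a port with nothing listening on it, to provoke a TCP refusal."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(timeout=1.0):
    """Probe each constructed failure mode; returns {mode: tag}."""
    results = {}
    for mode in ("blackhole", "close", "http"):
        results[mode] = classify_tls_connect("127.0.0.1", start_fake_server(mode), timeout=timeout)
    results["refused"] = classify_tls_connect("127.0.0.1", unused_port(), timeout=timeout)
    return results


if __name__ == "__main__":
    for mode, tag in demo().items():
        print(f"{mode:10s} -> {tag}")
    # Against the real target from the question: classify_tls_connect("mydomain.co.uk", 443)
```

Run from the affected host and from the working one and compare tags: "tls-handshake-timeout" on one network and "ok:..." on the other points at something between the client and the listener acting on the Client Hello (or on the source address once traffic starts flowing), whereas "tls-protocol-error:..." on both would be the cipher/version story the question initially suspected.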