Ubuntu 16.04 openssl s_client write:errno=104

ssl openssl curl tls gnutls
20,480

The very boring answer to this is that I was behind a firewall. I'd ruled out a firewall because it was blocking things like google.com and outlook.office.com and I was the only one having the problem.

It turns out that because I'm new in the company I have some configuration (I suspect it's just that my MAC is recognised) on new company laptop (even though it's a fresh Ubuntu install) that means that my traffic gets intercepted by the firewall.

Share:
20,480

Related videos on Youtube

Todd Baur
Author by

Todd Baur

Humble optimist in training

Updated on September 18, 2022

Comments

  • Todd Baur
    Todd Baur over 1 year

    I'm getting the following error when trying to connect to github.com, google.com, dropbox.com via https, but stackoverflow.com, askubuntu.com and the majority of https websites work.

    Relevant details:

    • I'm behind a work proxy, but I can connect fine when using Fedora 28, it's just on Ubuntu 16.04 that I have the problem. No one else in the office has the problem, but they are mostly using Macs.
    • This is on my own desktop, not on a server/VM/Docker etc.
    • I can connect to these websites via my mobile hotspot or on other WiFi networks
    • Edit: I tested on a separate Thinkpad laptop with Ubuntu 16.04 and there is no problem on there. So it's something specific to this machine (a Dell XPS 13 9370).

    Error message:

    $ openssl s_client -connect github.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 311 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1537527929
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

    I've upgraded OpenSSL to the most recent version but that makes no difference:

    $ openssl version
OpenSSL 1.0.2p  14 Aug 2018

    I get the following error when running CURL:

    $ curl -v https://google.com
* Rebuilt URL to: https://google.com/
*   Trying 172.217.17.46...
* Connected to google.com (172.217.17.46) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: Error in the pull function.
* Closing connection 0
curl: (35) gnutls_handshake() failed: Error in the pull function.

    There's numerous other answers that have similar problems but I can't find any that deal with my situation:

    Here's an example of it working with stackoverflow.com:

    $ openssl s_client -connect stackoverflow.com:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=NY/L=New York/O=Stack Exchange, Inc./CN=*.stackexchange.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHHjCCBgagAwIBAgIQDhG71w1UtxDQxvVAtrUspDANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA1MjEwMDAwMDBaFw0xOTA4MTQxMjAwMDBa
MGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTERMA8GA1UEBxMITmV3IFlvcmsx
HTAbBgNVBAoTFFN0YWNrIEV4Y2hhbmdlLCBJbmMuMRwwGgYDVQQDDBMqLnN0YWNr
ZXhjaGFuZ2UuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0YD
zscT5i6T2FaRsTGNCiLB8OtPXu8N9iAyuaROh/nS0kRRsN8wUMk1TmgZhPuYM6oF
S377V8W2LqhLBMrPXi7lnhvKt2DFWCyw38RrDbEsM5dzVGErmhux3F0QqcTI92zj
VW61DmE7NSQLiR4yonVpTpdAaO4jSPJxn8d+4p1sIlU2JGSk8LZSWFqaROc7KtXt
lWP4HahNRZtdwvL5dIEGGNWx+7B+XVAfY1ygc/UisldkA+a3D2+3WAtXgFZRZZ/1
CWFjKWJNMAI6ZBAtlbgSNgRYxdcdleIhPLCzkzWysfltfiBmsmgz6VCoFR4KgJo8
Gd3MeTWojBthM10SLwIDAQABo4IDuDCCA7QwHwYDVR0jBBgwFoAUUWj/kK8CB3U8
zNllZGKiErhZcjswHQYDVR0OBBYEFFrBQmPCYhOznZSEqjIeF8tto4Z7MIIB6AYD
VR0RBIIB3zCCAduCEyouc3RhY2tleGNoYW5nZS5jb22CEXN0YWNrb3ZlcmZsb3cu
Y29tghMqLnN0YWNrb3ZlcmZsb3cuY29tgg1zdGFja2F1dGguY29tggtzc3RhdGlj
Lm5ldIINKi5zc3RhdGljLm5ldIIPc2VydmVyZmF1bHQuY29tghEqLnNlcnZlcmZh
dWx0LmNvbYINc3VwZXJ1c2VyLmNvbYIPKi5zdXBlcnVzZXIuY29tgg1zdGFja2Fw
cHMuY29tghRvcGVuaWQuc3RhY2thdXRoLmNvbYIRc3RhY2tleGNoYW5nZS5jb22C
GCoubWV0YS5zdGFja2V4Y2hhbmdlLmNvbYIWbWV0YS5zdGFja2V4Y2hhbmdlLmNv
bYIQbWF0aG92ZXJmbG93Lm5ldIISKi5tYXRob3ZlcmZsb3cubmV0gg1hc2t1YnVu
dHUuY29tgg8qLmFza3VidW50dS5jb22CEXN0YWNrc25pcHBldHMubmV0ghIqLmJs
b2dvdmVyZmxvdy5jb22CEGJsb2dvdmVyZmxvdy5jb22CGCoubWV0YS5zdGFja292
ZXJmbG93LmNvbYIVKi5zdGFja292ZXJmbG93LmVtYWlsghNzdGFja292ZXJmbG93
LmVtYWlsMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29t
L3NoYTItaGEtc2VydmVyLWc1LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNl
cnQuY29tL3NoYTItaGEtc2VydmVyLWc1LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG
/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT
MAgGBmeBDAECAjCBgwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC5kaWdpY2VydC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly9jYWNlcnRzLmRp
Z2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0
MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBAAzJAMGSdKoX1frdqNlN
iXu8Gcbsm/DxWMXpcTXlZn8s+/qQQoc+/3o0CK3C8/j9n5DmsYa88P6Ntt5ysDs+
b0ynXFva4CAEyKaoPM4SIpOjwfWBRSUOqAIkQO2/LhKBwT/EnpaIHIKGnI0UdXLQ
oDfkMDg6mgJsEBsKdKF5EfEX7iU3NO5xVJPJE8/R0btLAdYwxB9S6fSpCXGe2HqQ
D101O/7/4MWNdFSbfdDSFcn5oEm+idimrqiNrF5knmuJy4qPBkL7thNuGK6rvYCF
ZJM03ZEZhkQmn2jG/7LgjfwZmvfcITeADCpylf88bL+lf+vxe6cCl9CyqWgBDpsI
xpE=
-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=New York/O=Stack Exchange, Inc./CN=*.stackexchange.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3688 bytes and written 437 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 6108011C279498322CD465101770BB0F5B33BB71138CBC79FCDF8CAD77595F29
    Session-ID-ctx: 
    Master-Key: CC8F5FD8CC5197DA6C57E6BF13A47954A8045202DAD80C9C74C26A358613CFDE4430C27F8347FFC9F38F34AF789AF511
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 77 0d 86 c9 22 54 0f 4b-97 9a 3e 46 78 cc 14 46   w..."T.K..>Fx..F
    0010 - 2d 82 e9 5f 63 b7 4c ae-de 3e c8 08 4e 35 4b e5   -.._c.L..>..N5K.
    0020 - 65 89 ef fa b6 83 a6 25-b6 77 c2 c9 a7 35 a7 95   e......%.w...5..
    0030 - c8 2c f1 98 81 19 20 11-84 10 a1 c6 0d 95 61 6d   .,.... .......am
    0040 - 68 76 2c fc d2 d1 1e 98-1f b2 36 84 3a 83 e0 20   hv,.......6.:.. 
    0050 - 75 98 9a ef 53 76 23 e1-03 f1 ef a2 e5 9a de 6f   u...Sv#........o
    0060 - e8 69 8e a4 9a 57 db 82-3f 19 e4 1b a0 85 19 54   .i...W..?......T
    0070 - ba e3 4c 0a f7 30 0f 68-16 6b 40 f2 65 81 db 6f   [email protected]
    0080 - aa 41 4f 75 79 dd 75 1a-aa b3 66 3f 6c dd 19 70   .AOuy.u...f?l..p
    0090 - cf b5 87 72 61 40 cb 1e-73 1a bd 69 92 a3 16 66   [email protected]

    Start Time: 1537529712
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

    This is the relevant ifconfig details for the proxy connection:

    wlp2s0    Link encap:Ethernet  HWaddr 9c:b6:d0:8e:76:8f  
          inet addr:10.1.64.58  Bcast:10.1.79.255  Mask:255.255.240.0
          inet6 addr: fe80::75a:cefe:ae7f:73f1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24463 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25120 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:13605579 (13.6 MB)  TX bytes:5419669 (5.4 MB)

    Edit: Output of ldd $(which curl):

    $ ldd $(which curl)
    linux-vdso.so.1 =>  (0x00007ffd885fc000)
    libcurl-gnutls.so.4 => /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 (0x00007fd8d24f7000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fd8d22dd000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd8d20c0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd8d1cf6000)
    libidn.so.11 => /usr/lib/x86_64-linux-gnu/libidn.so.11 (0x00007fd8d1ac3000)
    librtmp.so.1 => /usr/lib/x86_64-linux-gnu/librtmp.so.1 (0x00007fd8d18a7000)
    libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007fd8d1671000)
    libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007fd8d1341000)
    libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fd8d10f7000)
    liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007fd8d0ee8000)
    libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007fd8d0c97000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fd8d2993000)
    libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007fd8d0a64000)
    libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007fd8d07e4000)
    libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007fd8d0580000)
    libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007fd8d036d000)
    libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fd8d009b000)
    libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fd8cfe6c000)
    libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fd8cfc68000)
    libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fd8cfa5d000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fd8cf842000)
    libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007fd8cf627000)
    libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007fd8cf3e6000)
    libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007fd8cf1de000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd8cefda000)
    libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fd8cedd6000)
    libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007fd8cebcd000)
    libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007fd8ce943000)
    libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 (0x00007fd8ce6a1000)
    libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 (0x00007fd8ce46e000)
    libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 (0x00007fd8ce258000)
    libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 (0x00007fd8ce02f000)
    libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007fd8cde20000)
    libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 (0x00007fd8cdbd5000)
    libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007fd8cd900000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fd8cd6c8000)

    Edit 2: Thanks to Simon Sutter for his comments. I have updated to Ubuntu 18.04 in an attempt to resolve it but there are still the similar problems.

    Actually the curl error is now slightly different which is useful:

    $ curl -v https://google.com
* Rebuilt URL to: https://google.com/
*   Trying 172.217.19.206...
* TCP_NODELAY set
* Connected to google.com (172.217.19.206) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to google.com:443 
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to google.com:443

    Searching for the SSL_ERROR_SYSCALL bug I came across a SO answer that suggests it might have something to do with IPv6 and suggests trying wget. This is what I get with wget:

    $ wget https://stackoverflow.com
--2018-09-26 09:33:12--  https://stackoverflow.com/
Resolving stackoverflow.com (stackoverflow.com)... 151.101.129.69, 151.101.193.69, 151.101.1.69, ...
Connecting to stackoverflow.com (stackoverflow.com)|151.101.129.69|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 263668 (257K) [text/html]
Saving to: ‘index.html’

index.html        100%[=============>] 257.49K   864KB/s    in 0.3s    

2018-09-26 09:33:13 (864 KB/s) - ‘index.html’ saved [263668/263668]

$ wget https://google.com
--2018-09-26 09:33:25--  https://google.com/
Resolving google.com (google.com)... 172.217.20.110, 2a00:1450:400e:80a::200e
Connecting to google.com (google.com)|172.217.20.110|:443... connected.
Unable to establish SSL connection.

    Interestingly from that google makes an IPv6 request but stackoverflow doesn't. However a further check shows that I have an issue with bitbucket.org too and that makes no indication of an IPv6 connection:

    $ wget https://bitbucket.org/
--2018-09-26 10:03:40--  https://bitbucket.org/
Resolving bitbucket.org (bitbucket.org)... 18.205.93.2, 18.205.93.1, 18.205.93.0, ...
Connecting to bitbucket.org (bitbucket.org)|18.205.93.2|:443... connected.
Unable to establish SSL connection.

    I did some further checking on this by disabling IPv6 but that made no difference - as in I get the same errors when running curl or wget.

    Now because I'm on Ubuntu 18.04 here's an updated set of checks.

    $ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

    Relevant ifconfig details:

    wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.64.53  netmask 255.255.240.0  broadcast 10.1.79.255
        inet6 fe80::75a:cefe:ae7f:73f1  prefixlen 64  scopeid 0x20<link>
        ether 9c:b6:d0:8e:76:8f  txqueuelen 1000  (Ethernet)
        RX packets 1203608  bytes 1323281319 (1.3 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 434207  bytes 63876155 (63.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    Curl libraries:

    $ ldd $(which curl)
    linux-vdso.so.1 (0x00007ffcba0bb000)
    libcurl.so.4 => /usr/lib/x86_64-linux-gnu/libcurl.so.4 (0x00007ff5cba6b000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007ff5cb84e000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007ff5cb62f000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff5cb23e000)
    libnghttp2.so.14 => /usr/lib/x86_64-linux-gnu/libnghttp2.so.14 (0x00007ff5cb019000)
    libidn2.so.0 => /usr/lib/x86_64-linux-gnu/libidn2.so.0 (0x00007ff5cadfc000)
    librtmp.so.1 => /usr/lib/x86_64-linux-gnu/librtmp.so.1 (0x00007ff5cabe0000)
    libpsl.so.5 => /usr/lib/x86_64-linux-gnu/libpsl.so.5 (0x00007ff5ca9d2000)
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007ff5ca768000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007ff5ca2f0000)
    libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007ff5ca0a5000)
    libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007ff5c9e53000)
    liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007ff5c9c45000)
    /lib64/ld-linux-x86-64.so.2 (0x00007ff5cbf21000)
    libunistring.so.2 => /usr/lib/x86_64-linux-gnu/libunistring.so.2 (0x00007ff5c98c7000)
    libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007ff5c9562000)
    libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007ff5c932e000)
    libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007ff5c90f8000)
    libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007ff5c8e77000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff5c8c73000)
    libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007ff5c899d000)
    libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007ff5c876b000)
    libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007ff5c8567000)
    libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007ff5c835c000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007ff5c8141000)
    libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007ff5c7f26000)
    libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007ff5c7ce5000)
    libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007ff5c79b6000)
    libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007ff5c77a3000)
    libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007ff5c759f000)
    libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007ff5c7396000)
    libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007ff5c7109000)
    libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 (0x00007ff5c6e67000)
    libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 (0x00007ff5c6c31000)
    libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 (0x00007ff5c6a1b000)
    libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007ff5c6813000)
    libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 (0x00007ff5c65ea000)
    libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007ff5c63db000)
    libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 (0x00007ff5c6191000)
    libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007ff5c5e88000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007ff5c5c50000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007ff5c58b2000)

    env | grep -i proxy returns nothing.

    Package statuses:

    $ dpkg -l curl ca-certificates
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                           Version              Architecture         Description
+++-==============================-====================-====================-==================================================================
ii  ca-certificates                20180409             all                  Common CA certificates
ii  curl                           7.58.0-2ubuntu3.3    amd64                command line tool for transferring data with URL syntax

    If it is a certificate error somewhere in the chain I know that I did install a work CA certificate when I first setup the computer.

    Edit 3:

    Here's a list of the sites that work:

    • https://duckduckgo.com
    • https://*.stackexchange.com
    • https://stackoverflow.com
    • https://www.getharvest.com/
    • https://www.bbc.com/news
    • https://egghead.io
    • https://news.ycombinator.com
    • https://www.speedtest.net/
    • https://ipleak.net/ - indicates that I have no IPv6 connection
    • https://*.atlassian.net (but bitbucket.org fails)

    A list of the sites that fail:

    • https://google.com
    • https://dropbox.com
    • https://outlook.live.com/owa/
    • https://bitbucket.org
    • https://www.facebook.com/
    • https://www.slack.com
    • https://twitter.com
    • https://github.com

    Half works:

    • https://outlook.office.com/owa/

    The site at https://outlook.office.com/owa/?bO=1 has experienced a network protocol violation that cannot be repaired.

    Edit 4:

    I think I've made some progress with my Ubuntu problems. It works on a separate Ubuntu 16 laptop that I've tried. Further, I think I've tracked it down to a firewall issue (via this Security.SE answer) and the handling of TLS v1.1 vs TLS v1.2.

    I tracked down which sites I could access vs not access (above). An interesting example is bitbucket.org (fails) vs atlassian.net (works).

    Then if I try with openssl (forcing TLS v1.1):

    ​openssl s_client -connect bitbucket.org:443 -tls1_1 # this fails
openssl s_client -connect atlassian.net:443 -tls1_1 # this works

    So I think that the firewall might be blocking TLS v1.2 traffic in some way.

    On my other Ubuntu machine when I run:

    openssl s_client -connect bitbucket.org:443 -tls1_1 # this works!

    Also the same works on​ a Mac that I tried.

    • Simon Sudler
      Simon Sudler over 5 years
      Can you please add the output of ldd $(which curl)
    • Simon Sudler
      Simon Sudler over 5 years
      You wrote, that you are behind a proxy server... but openssl s_client does not work with http proxies. How did the command established the connection (NAT, forwarding proxy)?
    • Todd Baur
      Todd Baur over 5 years
      @SimonSudler thanks for the comments, I've added the ldd output. To be honest I'm at the limits of my knowledge, it's entirely possible I'm just doing completely stupid things. I do know that openssl s_client does work on my Fedora laptop which is the only comparison that I've got to work on. I've got Docker installed on my laptop, which could potentially be knackering my network connection, but I'm trying to duplicate a setup that's working fine on Fedora (Docker included).
    • Simon Sudler
      Simon Sudler over 5 years
      Okay, I need more information on your environment: Check if there are some proxy settings env | grep -i proxy. Post some more information on curl curl --version and dpkg -l curl ca-certificates. As you can see in the ldd output, curl does not use openssl, it uses libgnutls.so.30. So there sould not be any impact from the new openssl.
    • Todd Baur
      Todd Baur over 5 years
      @SimonSudler thanks again, I've tried updating to Ubuntu 18 but I'm still getting the similar errors, I've put in all the info that you requested and done further tests using wget. All wget, curl and openssl fail.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version /home/mohan/mesg
When I try to CURL a website I get SSL error
Disable SSLv3 In cURL?
How to change libcurl SSL backend from gnutls to openssl on Ubuntu server
Curl: unable to get local issuer certificate. How to debug?
Laravel Guzzle : curl error 77 error setting certificate verify locations
/usr/local/ssl/lib/libcrypto.a: could not read symbols: Bad value
curl: RSA_padding_check_PKCS1_type_1:invalid padding
SSL certificate generated with OpenSSL not working on NSS
cURL says certificate is expired, Firefox disagrees