[squid-users] OT: why does openssl-1.0.1f not like https://www.bnz.co.nz/?

Jason Haar Jason_Haar at trimble.com
Wed Nov 12 22:55:52 UTC 2014


Hi there

I just found I cannot connect to https://www.bnz.co.nz/ using curl on
Ubuntu (7.35 compiled against openssl-1.0.1f), whereas
https://www.kiwibank.co.nz/ works fine. I first thought it was due to my
messing around with ssl-bump, but it happens when I don't go through
squid too.

I have a CentOS-6 server with curl-7.19 (compiled against 1.0.1e) and it
works fine. The same happens with "openssl s_client": it works on CentOS
but not on Ubuntu - so I think it's the root cause (unless I call it
with either "-ssl3" or "-tls1" - explicitly asking for protocols seems
to get around the issue with 1.0.1f). It looks like www.bnz.co.nz
doesn't negotiate SSL/TLS correctly?

Any SSL guru out there willing to explain why newer command line tools
don't like www.bnz.co.nz (whereas browsers do - but I hear it's because
they "double try" in certain error conditions and basically work around
this kind of issue)?

Thanks

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
