Hi again Jon, I continued trying to find what is exactly happening here. So here goes :
Running this in San Francisco : openssl s_client -debug -msg -servername dashboard.geospock.com -connect dashboard.geospock.com:443 -showcerts works perfectly and consistently. So I think we can all see that SF won't have issues connecting here. I then connected through an European location, and from there, trying this also succeeds: openssl s_client -servername dashboard.geospock.com -connect 64.233.167.121:443 -showcerts curl -k -I --resolve dashboard.geospock.com:443:64.233.167.121 https://dashboard.geospock.com/ >From your error and your message, I get you're using TLS 1.0, while I am running with TLS 1.2. I started looking into the version of openSSL we're both using, and while you're using the 0.98zg, I am on 1.0.1f. I believe since 0.9.8j SNI support was part of OpenSSL, so you using 0.98zg should work fine, but as a test, do you mind trying to run the same with 1.01 latest? I believe they are up to 1.0.1p. If I remember correctly, there was a backport patch implemented in 0.9.8j to let openSSL work with SNI (https://en.wikipedia.org/wiki/Server_Name_Indication ). The basis of the issue we have here is that I'm incapable of reproducing any of the behaviors you're experiencing, so it's hard to investigate further. I'm definitely interested in continuing this, but without a reliable way for me to replicate, it's impossible to send it up the chain to get it looked at and possibly fixed. If you have a specific test case that consistently fail, that I can then reproduce on my side as consistently, I'll be able to get some traction on this. Thanks On Wednesday, August 26, 2015 at 11:16:54 AM UTC-4, Jon Travers wrote: > > Here is some more detailed debugging information from the failing openssl > SSL negotiation. Perhaps this would give you a clue what's actually going > on?: > > $ openssl s_client -debug -msg -servername dashboard.geospock.com > -connect dashboard.geospock.com:443 -showcerts > CONNECTED(00000003) > write to 0x7f96b8d006a0 [0x7f96b9802000] (131 bytes => 131 (0x83)) > 0000 - 16 03 01 00 7e 01 00 00-7a 03 01 55 dd d7 93 c7 ....~...z..U.... > 0010 - f0 b2 0d ee ea f4 1c 2b-ee 50 b6 ff 0f e6 8f 59 .......+.P.....Y > 0020 - 8b 81 9e 05 2f 17 84 e2-20 ed b7 00 00 2e 00 39 ..../... ......9 > 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f .8.5.......3.2./ > 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09 ................ > 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 23 ...............# > 0060 - 00 00 00 1b 00 19 00 00-16 64 61 73 68 62 6f 61 .........dashboa > 0070 - 72 64 2e 67 65 6f 73 70-6f 63 6b 2e 63 6f 6d 00 rd.geospock.com. > 0080 - 23 # > 0083 - <SPACES/NULS> > >>> TLS 1.0 Handshake [length 007e], ClientHello > 01 00 00 7a 03 01 55 dd d7 93 c7 f0 b2 0d ee ea > f4 1c 2b ee 50 b6 ff 0f e6 8f 59 8b 81 9e 05 2f > 17 84 e2 20 ed b7 00 00 2e 00 39 00 38 00 35 00 > 16 00 13 00 0a 00 33 00 32 00 2f 00 9a 00 99 00 > 96 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 > 08 00 06 00 03 00 ff 01 00 00 23 00 00 00 1b 00 > 19 00 00 16 64 61 73 68 62 6f 61 72 64 2e 67 65 > 6f 73 70 6f 63 6b 2e 63 6f 6d 00 23 00 00 > read from 0x7f96b8d006a0 [0x7f96b9807600] (7 bytes => 7 (0x7)) > 0000 - 15 03 01 00 02 02 2f ....../ > <<< TLS 1.0 Alert [length 0002], fatal illegal_parameter > 02 2f > 8175:error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert > illegal > parameter:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_clnt.c:593: > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/9f70d901-6a9e-4e26-b275-e8f99e489933%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
