Hi Horatiu.  To connect to a site that uses CloudFlare Universal SSL
[1], you need to specify the SNI (Server Name Indication) header.
Modern browsers do this by default, but for s_client you need to do this...

openssl s_client -connect <target>:443 -servername <target>

This isn't an OpenSSL bug, so I suggest closing this ticket.

[1] https://blog.cloudflare.com/introducing-universal-ssl/

On 15/09/15 15:33, Horatiu N via RT wrote:
> Greetings,
> Using the nagios plugins (latest debian package for 8.1) to check
> availability of https websites using cloudflare gives errors
>> CRITICAL - Cannot make SSL connection.
>> 139729452828304:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 
>> alert internal error:s23_clnt.c:770:
> same goes if i attempt to run
>> openssl s_client -connect <target>:443 
> This basically makes monitoring impossible at this time,
> Any idea how to remedy this situation ?
> i attached a textfile with sample domains as extracted from the
> certificate's "Certificate Subject alt name"
> it's reproducible on any target as long as it's online
> openssl version
>> OpenSSL 1.0.1k 8 Jan 2015
> dpkg -l openssl
>> ii  openssl                     1.0.1k-3+deb8u1    amd64              Secure 
>> Sockets Layer toolkit - cryptographic utility
> tried also to compile the newest one from openssl.org and use it, same
> problem.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to