Hi,

Also, if openssl s_client IS doing a reverse DNS lookup, is there a way (command line parameter) to disable that from happening?

Thanks again,
Jim

---- oh...@cox.net wrote:
> Hi,
>
> I was kind of curious about 'why?' would openssl s_client be trying to do the
> reverse DNS lookup?
>
> In other words, when you do an:
>
> openssl s_client -connect xx.xx.xx.xx:443...
>
> why does openssl try to do a reverse DNS lookup on the xx.xx.xx.xx IP
> address, and why does it do that BEFORE (apparently) sending the client HELLO
> to the host?
>
> Thanks,
> Jim
>
> ---- oh...@cox.net wrote:
> > Hi,
> >
> > We think that we found the problem.
> >
> > The server end had a timeout, and apparently, openssl tries to do a reverse
> > DNS lookup after establishing the connection to the server, but before
> > sending the client HELLO. That reverse DNS lookup was failing, but taking
> > awhile to fail, so the server was sending the "unknown protocol" error,
> > because it was timing out.
> >
> > Jim
> >
> > ---- oh...@cox.net wrote:
> > > Hi,
> > >
> > > I wanted to mention one other piece of information. Apparently, the
> > > server certificate in this case has the IP address of the server, rather
> > > than a hostname/FQDN, in the subject (i.e., CN=xx.xx.xx.xx,...). The
> > > server end is not under our control, so we can't change that.
> > >
> > > Jim
> > >
> > > ---- oh...@cox.net wrote:
> > > > Hi,
> > > >
> > > > We are trying to use "openssl s_client" to test a server-authenticated
> > > > (1-way SSL) connection.
> > > >
> > > > The openssl s_client command is being run (on a Redhat machine) using
> > > > the IP address of the SSL-enabled server, i.e., something like:
> > > >
> > > > openssl s_client -connect xx.xx.xx.xx:443 ....
> > > >
> > > > The problem we're having is that the connection is failing about 80% of
> > > > the time. When it fails, we see the client Hello being sent, but then
> > > > no server Hello and an "unknown protocol".
> > > >
> > > > Now, here's the strange thing... If we add an entry in the /etc/hosts
> > > > with the IP address of the SSL server, and with ANY hostname (doesn't
> > > > matter what it is), then the connection succeeds all the time.
> > > >
> > > > I was wondering if anyone would be able to explain why the connection would
> > > > not succeed SOME of the times if there isn't an entry in the
> > > > client-side /etc/hosts file, but then would work all the time if
> > > > there's an entry in /etc/hosts with the IP address of the SSL-enabled
> > > > server (with ANY hostname in the /etc/hosts entry)?
> > > >
> > > > Thanks,
> > > > Jim
> > > > ______________________________________________________________________
> > > > OpenSSL Project http://www.openssl.org
> > > > User Support Mailing List openssl-users@openssl.org
> > > > Automated List Manager majord...@openssl.org
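
A client-side check of the diagnosis described in this thread, as an added example that is not part of the original messages: it times the reverse (PTR) lookup for the server's IP and compares the slowest result with the server's handshake timeout. The timeout value, the sample address and the two stand-in resolvers are assumptions constructed for illustration.

```python
import socket
import time

def time_reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """Time one reverse (PTR) lookup; return (seconds, hostname or None)."""
    start = time.monotonic()
    try:
        name = resolver(ip)[0]
    except OSError:  # socket.herror / socket.gaierror: no answer or resolver gave up
        name = None
    return time.monotonic() - start, name

def assess(ip, handshake_timeout, tries=3, resolver=socket.gethostbyaddr):
    """Compare the slowest lookup with the server's handshake timeout (seconds)."""
    samples = [time_reverse_lookup(ip, resolver) for _ in range(tries)]
    worst = max(seconds for seconds, _ in samples)
    return {
        "worst_seconds": worst,
        "resolved": any(name is not None for _, name in samples),
        # A lookup that outlasts the timeout means the server can give up
        # before the client has sent anything.
        "at_risk": worst >= handshake_timeout,
    }

# Constructed stand-ins so the example runs offline.
def slow_failing_resolver(ip):
    """Mimics a resolver that fails only after a delay (no PTR record reachable)."""
    time.sleep(0.2)
    raise socket.herror(1, "Unknown host")

def hosts_file_resolver(ip):
    """Mimics an /etc/hosts entry for the IP: any name, answered immediately."""
    return ("anyname", [], [ip])

if __name__ == "__main__":
    ip = "192.0.2.10"   # constructed sample address
    timeout = 0.1       # assumed server handshake timeout, scaled down for the demo
    print("no hosts entry:", assess(ip, timeout, resolver=slow_failing_resolver))
    print("hosts entry:   ", assess(ip, timeout, resolver=hosts_file_resolver))
    # Drop the resolver argument to measure the real system resolver.
```

Running `assess` with the default resolver before and after adding the /etc/hosts entry shows whether the lookup delay on the client is long enough to explain the intermittent failures.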