Hi, there!
<lengthy_introduction_that_you_may_skip_without_loss>

My problem started recently with a migration from openSUSE-12.1 to openSUSE-12.2. openSUSE-12.2 comes with curl-7.25.0 resp. libcurl/7.25.0, and they in turn use OpenSSL/1.0.1c.

Until "recently" this worked for me (and it still does on a different platform with *older* versions of "everything"), but now it breaks:

    $ curl --verbose --insecure 'https://banking.postbank.de/rai/login'
    * About to connect() to banking.postbank.de port 443 (#0)
    *   Trying 62.153.105.15...
    * connected
    * Connected to banking.postbank.de (62.153.105.15) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs/
    * SSLv3, TLS handshake, Client hello (1):
    * Unknown SSL protocol error in connection to banking.postbank.de:443
    * Closing connection #0
    curl: (35) Unknown SSL protocol error in connection to banking.postbank.de:443

</lengthy_introduction_that_you_may_skip_without_loss>

A web page on curl.haxx.se (http://curl.haxx.se/docs/sslcerts.html) teaches me that I should try this in order to find out whether the problem is with openssl:

    $ openssl s_client -connect banking.postbank.de:443

Alright, I did a binary search on the "recent" releases of openssl:

    0.9.8x, 1.0.0, 1.0.0j, 1.0.1, 1.0.1c

The last one that did not break my request is 1.0.0j; the first one that breaks my request is 1.0.1. (I skipped the betas.)

And the problem report looks like this ("SSL handshake has read 0 bytes and written ..."):

    $ /usr/local/src/openssl-1.0.1/apps/openssl s_client -connect banking.postbank.de:443
    $ openssl s_client -connect banking.postbank.de:443
    WARNING: can't open config file: /usr/local/openssl-1.0.1/openssl.cnf
    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 321 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

Here are the last few lines of "make test" for 1.0.0j and 1.0.1, just in case you want to see them:

openssl-1.0.0j

    ALL TESTS SUCCESSFUL.
    make[1]: Leaving directory `/usr/local/src/openssl-1.0.0j/test'
    OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
    OpenSSL 1.0.0j 10 May 2012
    built on: Tue Sep 18 14:21:04 CEST 2012
    platform: linux-elf
    options:  bn(64,32) rc4(4x,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
    compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
    OPENSSLDIR: "/usr/local/openssl-1.0.0j"

openssl-1.0.1

    ALL TESTS SUCCESSFUL.
    make[1]: Leaving directory `/usr/local/src/openssl-1.0.1/test'
    OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Tue Sep 18 14:29:57 CEST 2012
    platform: linux-elf
    options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) idea(int) blowfish(idx)
    compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/local/openssl-1.0.1"

Anybody any idea? Any specific details I can provide you with? Is it a bug or a feature?

A little lost ...

Jochen

P.S. I posted this already yesterday through Google Groups as https://groups.google.com/forum/?fromgroups=&hl=en#!topic/mailing.openssl.users/1bw48CGd5xQ , but it looks as if this doesn't reach the mailing list, so I post it here again. I apologise for the redundancy.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
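
The per-build comparison described in the message above can be scripted so that each `s_client` transcript gets a one-word verdict. This is an added example, not part of the original post or of OpenSSL; `classify_transcript`, `probe_builds` and `TARGET` are hypothetical names, and `SAMPLE_RESET` is the failing transcript quoted in the post.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` transcripts, one verdict per build.
# Sample input: the failing transcript quoted in the post (errno 104 is ECONNRESET on Linux).
SAMPLE_RESET='CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 321 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# Print one verdict for a transcript on stdin:
#   no-connect        TCP connect never completed
#   no-server-reply   connected, ClientHello written, 0 bytes read back
#   handshake-failed  server answered but no cipher was negotiated
#   handshake-ok      a cipher was negotiated
classify_transcript() {
    t=$(cat)
    case $t in *"CONNECTED("*) ;; *) echo no-connect; return 0 ;; esac
    read_bytes=$(printf '%s\n' "$t" |
        sed -n 's/^SSL handshake has read \([0-9][0-9]*\) bytes.*/\1/p' | head -n 1)
    case $t in
        *"Cipher is (NONE)"*)
            if [ "${read_bytes:-0}" -eq 0 ]; then echo no-server-reply
            else echo handshake-failed; fi ;;
        *"Cipher is "*) echo handshake-ok ;;
        *) echo handshake-failed ;;
    esac
}

# Run each locally built openssl binary passed as an argument against
# $TARGET (host:port, assumed to be set by the caller) and print
# "<binary> <verdict>" so the first failing release is visible at a glance.
probe_builds() {
    for bin in "$@"; do
        verdict=$("$bin" s_client -connect "$TARGET" </dev/null 2>&1 |
            classify_transcript)
        printf '%s %s\n' "$bin" "$verdict"
    done
}
```

A `no-server-reply` verdict means the peer dropped the connection after the ClientHello without sending any handshake bytes, which is the state the post reports for 1.0.1.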