HTTPS connection returns the error: "Connection was reset"

Hello,

With some servers (a few), when I connect to them via https I get the message “connection was reset”.

I get this message, or another with the same meaning, from any browser (Chrome, Firefox, Opera, wget, curl) or other clients that try to connect using various environments, like Apache Cordova using nodejs for example.

Examples

wget --no-check-certificate https://140.211.11.121/repos/asf?p=cordova-android.git;a=snapshot;h=3.5.1;sf=tgz

--2014-08-22 13:59:43-- https://140.211.11.121/repos/asf?p=cordova-android.git
Connecting to 140.211.11.121:443... connected.
Unable to establish SSL connection.

Or Firefox returns:
The connection was reset
The connection to the server was reset while the page was loading.

I think that the source of this issue is in the following:

openssl s_client -connect git-wip-us.apache.org:443 -state -nbio
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv2/v3 read server hello A
read:errno=104

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 305 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Can anyone help me overcome this problem?

Many Thanks,

Christos

On Fri 22 Aug 2014 11:36:02 AM CDT, cnik66 wrote:

Hello,

With some servers (a few), when I connect to them via https I get the
message “connection was reset”.

I get this message, or another with the same meaning, from any browser
(Chrome, Firefox, Opera, wget, curl) or other clients that try to
connect using various environments, like Apache Cordova using nodejs for
example.

Hi
Are your ca-certificates up to date? Your second command works fine for
me.


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-21-desktop

malcolmlewis, thanks for your reply. After a few days of research, I am back to update the issue with more details.

Are your ca-certificates up to date? Your second command works fine for me.

The CA certificates on my PC are updated. I don’t know about the ssl protocol, but I am not sure if these are needed for this communication. In the “second command”:

openssl s_client -connect git-wip-us.apache.org:443 -state -nbio
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv2/v3 read server hello A
read:errno=104

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 305 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

I think that the following line shows the problem:

SSL_connect:error in SSLv2/v3 read server hello A
read:errno=104

The two systems (my office PC (openSuse 13.1) and the remote web server) fail to initiate ssl communication (handshaking).

I tried to connect from other systems (Redhat, Oracle Linux, OpenSuse, Windows) located inside or outside my internal network, and nothing could connect via ssl to this site, except one Windows 7 machine in the internal network next to my desktop. Notice that another Windows 7 machine, even closer and in the same network, didn’t!
Additionally, I tried from a laptop (openSuse 13.1 at my home) as well as from other Linux servers, and all connected successfully.

In the end, I added a wireless card to my office PC and connected via an external adsl line with an independent internet provider, and I routed all connections concerning this site via the wireless interface. And now everything works fine!!!

In conclusion, all the computers that I tried located in other networks work fine; all the computers located inside my office network don’t work, except one!

Does anyone have any idea about this?

Hi
Install wireshark on the system that works and capture the connection, install wireshark on your openSUSE system and do the same. You can then look at both captures to compare.

If I’m reading your error correctly you have mutual authentication set up (which is available but very unusual to enable). This means not only do you need to have a Website certificate set up but a client certificate as well, and both certificates need to be authenticated by an authority the other trusts.

So, is this really what you’re trying to set up? (If I were to hazard a guess, Malcolm might have run his test connecting to a website on Localhost which would mean both server and client certificates are easily authenticated.)

Testing with Windows IE can be a red herring. I seem to remember that MS automatically lowers security for common misconfigurations for highly unusual scenarios and SSL mutual authentication can be one of those.

TSU

I don’t know, I have the default settings such as the related packages have when these were installed on openSuse 13.1.
At one point I have doubts about mutual authentication is that apart from the other two sites is normally

I will be back when I have data about the network traffic from this communication.

Many thanks for your reply.

Hello again,

I captured the traffic with wireshark (it’s really very good) from my office PC that failed to open ssl connection with incomplete handshaking in a specific url location:

No. Time Source Destination Protocol Length Info
1 0.000000000 10.1.3.40 140.211.11.121 TCP 74 46445 > https [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=254046809 TSecr=0 WS=128
2 0.224433000 140.211.11.121 10.1.3.40 TCP 74 https > 46445 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1380 WS=512 TSval=2398364423 TSecr=254046809
3 0.224506000 10.1.3.40 140.211.11.121 TCP 66 46445 > https [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=254047033 TSecr=2398364423
4 0.224951000 10.1.3.40 140.211.11.121 SSL 283 Client Hello
5 0.448233000 140.211.11.121 10.1.3.40 TCP 60 https > 46445 [RST] Seq=1 Win=0 Len=0

In the following link, the above 5 packets in detail:
https://www.dropbox.com/s/crxxjjeluj24ugv/bad-Connection.txt?dl=0

And I captured the traffic from my home PC, with a successful ssl connection:

No. Time Source Destination Protocol Length Info
8 5.684689000 192.168.1.7 140.211.11.121 TCP 74 34860 > https [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=13381854 TSecr=0 WS=128
10 5.910316000 140.211.11.121 192.168.1.7 TCP 74 https > 34860 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452 WS=512 SACK_PERM=1 TSval=3684104683 TSecr=13381854
11 5.910350000 192.168.1.7 140.211.11.121 TCP 66 34860 > https [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=13382080 TSecr=3684104683
12 5.910798000 192.168.1.7 140.211.11.121 TLSv1.2 286 Client Hello
18 6.135423000 140.211.11.121 192.168.1.7 TCP 66 [TCP Window Update] https > 34860 [ACK] Seq=1 Ack=1 Win=6554624 Len=0 TSval=3684104908 TSecr=13382080
19 6.141061000 140.211.11.121 192.168.1.7 TLSv1.2 1506 Server Hello

in the following link the above packets (and more) in detail

https://www.dropbox.com/s/y1xvkufbjd5rtmj/good-connection.txt?dl=0

You can see that in the first case the remote server returned the RST flag and the communication failed.

But I can see why done this!

Without inspecting the entire dump,
To my eye it looks like your successful connection connected implementing TLSv1.2.

For starters,
you should verify your web browser which isn’t connecting supports TLSv1.2 as well.

TSU
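
A side-by-side reading of the two Wireshark summaries posted above, as an added example that is not part of any post in this thread: it extracts the TCP options in the server's SYN-ACK and the server's first decisive reply to the Client Hello for each capture. The packet lines are copied from the thread; the function names and the choice of options to compare are assumptions of this example.

```python
import re

SERVER = "140.211.11.121"
# Packet summaries as posted in the thread (Wireshark text export, one packet per line).
OFFICE = """\
1 0.000000000 10.1.3.40 140.211.11.121 TCP 74 46445 > https [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=254046809 TSecr=0 WS=128
2 0.224433000 140.211.11.121 10.1.3.40 TCP 74 https > 46445 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1380 WS=512 TSval=2398364423 TSecr=254046809
3 0.224506000 10.1.3.40 140.211.11.121 TCP 66 46445 > https [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=254047033 TSecr=2398364423
4 0.224951000 10.1.3.40 140.211.11.121 SSL 283 Client Hello
5 0.448233000 140.211.11.121 10.1.3.40 TCP 60 https > 46445 [RST] Seq=1 Win=0 Len=0
"""
HOME = """\
8 5.684689000 192.168.1.7 140.211.11.121 TCP 74 34860 > https [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=13381854 TSecr=0 WS=128
10 5.910316000 140.211.11.121 192.168.1.7 TCP 74 https > 34860 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1452 WS=512 SACK_PERM=1 TSval=3684104683 TSecr=13381854
11 5.910350000 192.168.1.7 140.211.11.121 TCP 66 34860 > https [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=13382080 TSecr=3684104683
12 5.910798000 192.168.1.7 140.211.11.121 TLSv1.2 286 Client Hello
18 6.135423000 140.211.11.121 192.168.1.7 TCP 66 [TCP Window Update] https > 34860 [ACK] Seq=1 Ack=1 Win=6554624 Len=0 TSval=3684104908 TSecr=13382080
19 6.141061000 140.211.11.121 192.168.1.7 TLSv1.2 1506 Server Hello
"""

def parse(text):
    """Split each summary line into (src, info); info is everything after Length."""
    rows = []
    for line in text.strip().splitlines():
        _no, _time, src, _dst, _proto, _length, info = line.split(None, 6)
        rows.append((src, info))
    return rows

def summarize(text, server=SERVER):
    """Return the server's SYN-ACK options and its first decisive reply to Client Hello."""
    synack_opts, reply, hello_seen = {}, None, False
    for src, info in parse(text):
        if src == server and "[SYN, ACK]" in info:
            synack_opts = dict(re.findall(r"\b(MSS|WS|SACK_PERM)=(\d+)", info))
        elif src != server and "Client Hello" in info:
            hello_seen = True
        elif hello_seen and src == server and reply is None:
            reply = "RST" if "[RST]" in info else "Server Hello" if "Server Hello" in info else None
    return {"synack_opts": synack_opts, "reply": reply}

def option_diff(a, b):
    """Options whose value differs between two SYN-ACKs; None means the option is absent."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    office, home = summarize(OFFICE), summarize(HOME)
    print("office:", office)
    print("home:  ", home)
    print("SYN-ACK differences (office, home):", option_diff(office["synack_opts"], home["synack_opts"]))
```

The same server address answers the office client with MSS=1380 and no SACK_PERM, then a reset, while the home client sees MSS=1452, SACK_PERM=1 and a Server Hello. Devices between client and server (firewalls, proxies, NAT gateways) can rewrite or answer the TCP handshake, so a difference like this makes the office network path worth examining alongside the client configuration.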