

Ubuntu can't establish SSL connections to Facebook.com - zackmorris
http://stackoverflow.com/questions/13596019/openssl-1-0-1-handshake-workaround-in-ubuntu

======
ceejayoz
Correction: One yahoo (who happens to be using Ubuntu) can't establish an SSL
connection to Facebook.com when he manually uses a setting in OpenSSH he
doesn't quite understand.

~~~
zackmorris
I can sympathize with how my question must sound ridiculous. But I have tried
many combinations of parameters to OpenSSL and curl with no luck. It's looking
at this point that the problem is due to an MTU below 1500:

<http://askubuntu.com/questions/189752/cant-connect-to-certain-https-sites/189829#189829>

But if that's the case, that's a serious problem with their OpenSSL
implementation, because there is no way to control how packets are split once
they are on the internet. All SSL should require is a single socket connection
that can send and receive bytes, regardless of underlying protocol.

My frustration with this is that we shouldn't be seeing these types of issues
this late in the game with something as fundamental as SSL. This bug never
should have made it into a stable release, and if it did, it should have been
fixed immediately.

------
marshray
Because -cipher SRP-AES-256-CBC-SHA, that's why.

~~~
zackmorris
I should have been clearer that I was just passing a cipher to get any
response at all. Without the cipher, it hangs after the client hello send.
I've updated my question to reflect it.

~~~
marshray
Works for me: <http://pastebin.com/MXk7NPC5>

~~~
zackmorris
Hey thanks for posting a known-good result I can follow. I've apt-get
updated/upgraded everything and run update-ca-certificates but still no luck.
The MTU on our network is 1496 so that almost certainly must be the issue.
I'll let everyone know if it is.

~~~
marshray
Speak of the PMTU ... <http://www.daemonology.net/blog/2012-11-28-broken-EC2-firewall.html> :-)

Another interesting thing is that your connection is negotiating the use of
TLS 1.1. If you have some type of man-in-the-middle box or stateful firewall,
it may be getting upset by that.

A full packet capture would be useful here.

------
zackmorris
I have submitted a partial solution. Manually setting the MTU on my Ubuntu box
to 1496 allows me to receive a response:

<http://stackoverflow.com/questions/13596019/openssl-1-0-1-handshake-workaround-in-ubuntu/13613374#13613374>

------
bcoates
Yes it can.

