SSL Handshake fails with errno=110 after clienthello - MTU issue?


I'm trying to debug an issue on a client (running rhel8) trying to connect to an https service on server myservice.myserver.edu.au and using the openssl toolkit to troubleshoot. I don't understand why openssl appears to "hang" and not proceed after ClientHello:

$ openssl s_client -connect myservice.myserver.edu.au:8443 -status -msg -debug
CONNECTED(00000003)
>>> ??? [length 0005]
    16 03 01 01 10
>>> TLS 1.3, Handshake [length 0110], ClientHello
    01 00 01 0c 03 03 4b 92 7f c3 7c 65 d6 1d a6 0d
    70 43 9b 64 31 07 16 b2 80 15 4e d2 92 6a 62 a5
    e7 3e 93 66 ab 2f 20 f0 89 84 28 29 cf eb 72 cc
    a2 6e c6 80 42 d4 ee c8 78 55 4c cc 76 6d d3 f9
    24 33 a7 35 48 b0 f0 00 16 13 02 13 03 c0 2c c0
    30 cc a9 cc a8 c0 ad 00 9f cc aa c0 9f 00 ff 01
    00 00 ad 00 00 00 21 00 1f 00 00 1c 6e 73 77 2d
    65 74 63 61 2d 72 68 6e 63 31 2e 61 61 72 6e 65
    74 2e 6e 65 74 2e 61 75 00 0b 00 04 03 00 01 02
    00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18
    00 23 00 00 00 05 00 05 01 00 00 00 00 00 16 00
    00 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 03 06
    03 08 07 08 08 08 09 08 04 08 0a 08 05 08 0b 08
    06 04 01 05 01 06 01 00 2b 00 05 04 03 04 03 03
    00 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20
    ba 6b 8e 10 41 b3 c3 5e 0e 7a 0d a2 5b a1 a3 1e
    7a 6c 6f 6c 98 80 04 62 55 00 a3 ba ba 0d 40 59
write to 0x555bab4b6310 [0x555bab4cd020] (277 bytes => 277 (0x115))
0000 - 16 03 01 01 10 01 00 01-0c 03 03 4b 92 7f c3 7c   ...........K...|
0010 - 65 d6 1d a6 0d 70 43 9b-64 31 07 16 b2 80 15 4e   e....pC.d1.....N
0020 - d2 92 6a 62 a5 e7 3e 93-66 ab 2f 20 f0 89 84 28   ..jb..>.f./ ...(
0030 - 29 cf eb 72 cc a2 6e c6-80 42 d4 ee c8 78 55 4c   )..r..n..B...xUL
0040 - cc 76 6d d3 f9 24 33 a7-35 48 b0 f0 00 16 13 02   .vm..$3.5H......
0050 - 13 03 c0 2c c0 30 cc a9-cc a8 c0 ad 00 9f cc aa   ...,.0..........
0060 - c0 9f 00 ff 01 00 00 ad-00 00 00 21 00 1f 00 00   ...........!....
0070 - 1c 6e 73 77 2d 65 74 63-61 2d 72 68 6e 63 31 2e   .myservice.
0080 - 61 61 72 6e 65 74 2e 6e-65 74 2e 61 75 00 0b 00   myserver.edu.au...
0090 - 04 03 00 01 02 00 0a 00-0c 00 0a 00 1d 00 17 00   ................
00a0 - 1e 00 19 00 18 00 23 00-00 00 05 00 05 01 00 00   ......#.........
00b0 - 00 00 00 16 00 00 00 17-00 00 00 0d 00 1e 00 1c   ................
00c0 - 04 03 05 03 06 03 08 07-08 08 08 09 08 04 08 0a   ................
00d0 - 08 05 08 0b 08 06 04 01-05 01 06 01 00 2b 00 05   .............+..
00e0 - 04 03 04 03 03 00 2d 00-02 01 01 00 33 00 26 00   ......-.....3.&.
00f0 - 24 00 1d 00 20 ba 6b 8e-10 41 b3 c3 5e 0e 7a 0d   $... .k..A..^.z.
0100 - a2 5b a1 a3 1e 7a 6c 6f-6c 98 80 04 62 55 00 a3   .[...zlol...bU..
0110 - ba ba 0d 40 59                                    ...@Y
read from 0x555bab4b6310 [0x555bab4c3e03] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=110
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 277 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x555bab4b6310 [0x555bab3e6cd0] (8192 bytes => 0 (0x0))

From the client, I could telnet to port 8443 on myservice.myserver.edu.au just fine and tcpdump on myservice.myserver.edu.au shows that traffic was registering fine from the client. So the firewall on myservice.myserver.edu.au (running nftables on rhel8) isn't the problem.

Any idea what could be causing this? myservice.myserver.edu.au:8443 is available to my laptop (running Ubuntu on WSL) as well since it's connected to the VPN, and openssl appears to behave just fine from the WSL and I could view the server's certificate info etc:

CONNECTED(00000003)
>>> TLS 1.0, RecordHeader [length 0005]
    16 03 01 01 4e
>>> TLS 1.3, Handshake [length 014e], ClientHello
    01 00 01 4a 03 03 09 17 31 37 e4 98 c4 67 33 cb
    4e a0 9b dd 62 cf 5f 96 6d be 4a f1 ac b9 e7 80
    24 61 cf 03 c6 bb 20 ed 20 b7 d1 31 80 d7 12 74
    09 b7 b1 81 fb 06 ee b9 c6 14 ee 26 4c b4 02 64
    5f fa 3e 45 24 2a 95 00 3e 13 02 13 03 13 01 c0
    2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00
    9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0
    14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00
    3c 00 35 00 2f 00 ff 01 00 00 c3 00 00 00 21 00
    1f 00 00 1c 6e 73 77 2d 65 74 63 61 2d 72 68 6e
    63 31 2e 61 61 72 6e 65 74 2e 6e 65 74 2e 61 75
    00 0b 00 04 03 00 01 02 00 0a 00 16 00 14 00 1d
    00 17 00 1e 00 19 00 18 01 00 01 01 01 02 01 03
    01 04 00 23 00 00 00 05 00 05 01 00 00 00 00 00
    16 00 00 00 17 00 00 00 0d 00 2a 00 28 04 03 05
    03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08
    05 08 06 04 01 05 01 06 01 03 03 03 01 03 02 04
    02 05 02 06 02 00 2b 00 05 04 03 04 03 03 00 2d
    00 02 01 01 00 33 00 26 00 24 00 1d 00 20 19 80
    69 7c 3c ac 12 ee 3e 58 8b 01 b0 ea e2 22 9f 88
    4d d3 1f 7d d6 13 5c 57 3b 57 c2 58 24 77
write to 0x7fffe7e206c0 [0x7fffe7e2f010] (339 bytes => 339 (0x153))
<redacted>
<<< TLS 1.2, RecordHeader [length 0005]
    16 03 03 00 7a
read from 0x7fffe7e206c0 [0x7fffe7e25cf8] (122 bytes => 122 (0x7A))
0000 - 02 00 00 76 03 03 56 70-a9 66 06 c7 1c 94 66 53   ...v..Vp.f....fS
0010 - b3 82 f1 8a 34 65 88 1d-8d 0f 84 ab fd f2 94 d9   ....4e..........
0020 - 3a 2a da 1a 3c db 20 ed-20 b7 d1 31 80 d7 12 74   :*..<. . ..1...t
0030 - 09 b7 b1 81 fb 06 ee b9-c6 14 ee 26 4c b4 02 64   ...........&L..d
0040 - 5f fa 3e 45 24 2a 95 13-02 00 00 2e 00 2b 00 02   _.>E$*.......+..
0050 - 03 04 00 33 00 24 00 1d-00 20 8a bb 1e 9b 6b 79   ...3.$... ....ky
0060 - 98 6f fc be 56 40 ee 55-b0 57 15 c3 80 58 18 9b   .o..V@.U.W...X..
0070 - c1 ee 5e a1 90 1d 19 cc-6e 00                     ..^.....n.
<<< TLS 1.3, Handshake [length 007a], ServerHello
    02 00 00 76 03 03 56 70 a9 66 06 c7 1c 94 66 53

I'm at a loss. Could this be an MTU issue and if so, how do I troubleshoot it further to make sure?

Thanks, Jane
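
The two transcripts above can be compared mechanically. As an added example (not part of the original post), this Python script summarizes the `-debug` I/O lines of an `openssl s_client` transcript and flags the pattern seen in the failing run: bytes written, none read, then errno 110. The Linux errno table, the 1460-byte MSS default and the function names are assumptions of the example.

```python
import re

# Linux errno numbers; assumes a Linux client like the RHEL 8 host in the question.
LINUX_ERRNO = {104: "ECONNRESET", 110: "ETIMEDOUT", 111: "ECONNREFUSED", 113: "EHOSTUNREACH"}
IO_LINE = re.compile(r"^(read from|write to) \S+ \[\S+\] \((\d+) bytes => (-?\d+) ")
ERRNO_LINE = re.compile(r"^(?:read|write):errno=(\d+)")
MSG_LINE = re.compile(r"^(>>>|<<<) .*Handshake \[length ([0-9a-f]{4})\], (\w+)")

# Key lines abridged from the two transcripts in the question (hex dumps omitted).
FAILING = """\
>>> TLS 1.3, Handshake [length 0110], ClientHello
write to 0x555bab4b6310 [0x555bab4cd020] (277 bytes => 277 (0x115))
read from 0x555bab4b6310 [0x555bab4c3e03] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=110
read from 0x555bab4b6310 [0x555bab3e6cd0] (8192 bytes => 0 (0x0))
"""
WORKING = """\
>>> TLS 1.3, Handshake [length 014e], ClientHello
write to 0x7fffe7e206c0 [0x7fffe7e2f010] (339 bytes => 339 (0x153))
read from 0x7fffe7e206c0 [0x7fffe7e25cf8] (122 bytes => 122 (0x7A))
<<< TLS 1.3, Handshake [length 007a], ServerHello
"""

def summarize(transcript):
    """Total bytes written/read, the reported errno, and handshake messages seen."""
    s = {"written": 0, "read": 0, "errno": None, "messages": []}
    for line in transcript.splitlines():
        line = line.strip()
        if m := IO_LINE.match(line):
            done = int(m.group(3))          # -1 = error, 0 = EOF: nothing transferred
            if done > 0:
                s["written" if m.group(1) == "write to" else "read"] += done
        elif m := ERRNO_LINE.match(line):
            code = int(m.group(1))
            s["errno"] = LINUX_ERRNO.get(code, str(code))
        elif m := MSG_LINE.match(line):
            s["messages"].append((m.group(1), m.group(3), int(m.group(2), 16)))
    return s

def triage(s, mss=1460):
    """Classify the transcript; mss=1460 assumes IPv4 over a 1500-byte Ethernet MTU."""
    one_segment = s["written"] <= mss       # did everything we sent fit in one TCP segment?
    if any(direction == "<<<" for direction, _, _ in s["messages"]):
        return ("handshake-progressing", one_segment)
    if s["errno"] == "ETIMEDOUT" and s["written"] > 0 and s["read"] == 0:
        return ("silent-after-clienthello", one_segment)
    return ("other", one_segment)

if __name__ == "__main__":
    for name, text in (("failing", FAILING), ("working", WORKING)):
        print(name, summarize(text), triage(summarize(text)))
```

In the failing run the whole 277-byte ClientHello record fits in one segment at the assumed MSS and nothing is read back, so the server-to-client direction is the part a packet capture on both hosts would need to show.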
