SSL Connection Error
I am having difficulties with my SSL connection to S3.
I got this error in my PHP scripts.
> Message: S3::putObject(): [35] Unknown SSL protocol error in connection to kopi.kilatstorage.com:443
On that server (Server A), I tried to invoke this command:
```
curl -v https://kopi.kilatstorage.com
* Rebuilt URL to: https://kopi.kilatstorage.com:443/
* Trying 103.23.20.30...
* Connected to kopi.kilatstorage.com (103.23.20.30) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 694 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: Error in the push function.
* Closing connection 0
curl: (35) gnutls_handshake() failed: Error in the push function.
```
This error does not appear on my other server (Server B) with the same command, which is very strange.
```
* Rebuilt URL to: https://kopi.kilatstorage.com:443/
* Trying 103.23.20.30...
* Connected to kopi.kilatstorage.com (103.23.20.30) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 694 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: *.kilatstorage.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: OU=Domain Control Validated,CN=*.kilatstorage.com
* start date: Wed, 10 Jun 2015 06:04:00 GMT
* expire date: Mon, 10 Jul 2017 06:04:00 GMT
* issuer: C=BE,O=GlobalSign nv-sa,CN=AlphaSSL CA - SHA256 - G2
* compression: NULL
* ALPN, server did not agree to a protocol
> GET / HTTP/1.1
> Host: kopi.kilatstorage.com
> User-Agent: curl/7.47.0
> Accept: */*
```
Also, my PHP scripts for S3 are working fine on server B.
On server A, I also tried this command:
```
openssl s_client -connect kopi.kilatstorage.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1493559958
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
```
So the problem is on server A.
Some suggested that err=104 is a connection reset by a proxy or firewall, but my firewall is working fine.
On server A, I tried to curl other HTTPS sites, and it works fine.
Let's say,
```
* Rebuilt URL to: https://google.com/
* Trying 2404:6800:4003:80c::200e...
* Connected to google.com (2404:6800:4003:80c::200e) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 694 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: *.google.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: EC
* certificate version: #3
* subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=*.google.com
* start date: Fri, 21 Apr 2017 08:25:00 GMT
* expire date: Fri, 14 Jul 2017 08:25:00 GMT
* issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.47.0
> Accept: */*
```
I can't spot the problem, since server A and server B run the same Ubuntu version and use the same repository server.
Server A somehow can't access https://*.kilatstorage.com.
P.S.: I'm using VestaCP on both of them.
Did I miss something?
Thank you.
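
The failing `openssl s_client` transcript above, run through a small triage function (an added example, not part of the original post; the name `triage` and the stage labels are made up here). It shows that the connection was reset after the ClientHello was written and before any server byte arrived, so no certificate was ever received and the `Verify return code: 0 (ok)` line says nothing about trust.

```python
import re

# Constructed sample: the key lines of the failing s_client transcript quoted in the post.
SAMPLE_FAIL = """CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)
"""

ECONNRESET_LINUX = 104  # errno value for "Connection reset by peer" on Linux

def triage(transcript: str) -> dict:
    """Classify how far an `openssl s_client` handshake got (hypothetical helper)."""
    out = {"tcp_connected": "CONNECTED(" in transcript}
    m = re.search(r"handshake has read (\d+) bytes and written (\d+) bytes", transcript)
    out["read"], out["written"] = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    e = re.search(r"^(?:write|read):errno=(\d+)", transcript, re.M)
    out["errno"] = int(e.group(1)) if e else None
    c = re.search(r"Cipher is (\S+)", transcript)
    out["cipher"] = c.group(1) if c else None
    v = re.search(r"Verify return code: (\d+)", transcript)
    verify = int(v.group(1)) if v else None
    no_cert = "no peer certificate available" in transcript

    if not out["tcp_connected"]:
        out["stage"] = "tcp_connect_failed"
    elif out["read"] == 0 and out["written"]:
        # The ClientHello left this host, but not a single byte came back.
        out["stage"] = ("reset_after_client_hello"
                        if out["errno"] == ECONNRESET_LINUX else "no_server_reply")
    elif no_cert or out["cipher"] in (None, "(NONE)"):
        # The server answered (for example with a TLS alert) but no cipher was agreed.
        out["stage"] = "handshake_aborted_after_server_reply"
    elif verify not in (0, None):
        out["stage"] = "certificate_verification_failed"
    else:
        out["stage"] = "handshake_ok"
    # A verify code is meaningful only when a certificate was actually received.
    out["verify_meaningful"] = not no_cert and verify is not None
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_FAIL))
```
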
6 Replies
For me it was an issue with my home router. I still haven't figured out the root cause. But, it only happens on the Xfinity router. Goes away if I tether to my phone for example.
@bc-jasond --
Comcast cannot require you to rent their router. You are free to buy your own router for the Comcast network. While I am not a Comcast subscriber myself (just say no!), several people where I live are and every single one of them has their own router.
Just look on Amazon…there are many excellent choices. If you replace your router with your own equipment, you don't have to pay the Comcast equipment rental fee on your bill every month. Savings in equipment rental fees usually pay for your router in a year or less.
-- sw