When I execute the following command in Ubuntu:
curl -v --insecure -XGET 'https://user:pass@IP_ADDR:PORT/SOME_FILE.php'
I get this output:
* Hostname was NOT found in DNS cache
* Trying IP_ADDR...
* Connected to IP_ADDR (IP_ADDR) port PORT (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
And after several minutes I get this:
* Unknown SSL protocol error in connection to IP_ADDR:PORT
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to IP_ADDR:PORT
When I try the same thing in CentOS I still get stuck in Client Hello, but in the end I get this:
curl: (28) Operation timed out after 0 milliseconds with 0 out of 0 bytes received
Does anyone know what can cause it and how I can fix it?
Best Answer
We suffered the same exact issue and the cause was an MTU misconfiguration, but there are many other possible causes.
The key was to sniff traffic on our edge router, where we saw ICMP messages to the server (GitHub.com) asking for fragmentation. This was messing up the connection, with retransmissions, duplicated ACKs and so on.
The ICMP packet had a field, MTU of next hop, with a weird value, 1450. The usual value is 1500. We checked our router and one of the interfaces (an Ethernet tunnel) had this value as MTU, so the router was taking the minimum MTU of all interfaces as next hop. As soon as we removed this interface (it was unused), the SSH handshake started to work again.
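To make the diagnosis in the answer above repeatable, here is an added example (not part of the question or the answer): a shell script that pulls ICMP "need to frag" hints advertising a next-hop MTU below the usual 1500 out of tcpdump output, plus an optional DF-bit ping probe to confirm the path MTU. The capture lines, addresses and the 1500-byte baseline are constructed assumptions; the ping flags are Linux iputils syntax.

```shell
#!/bin/sh
# Added example, not the original poster's or answerer's code.
# Spot the symptom described in the answer: ICMP fragmentation-needed
# messages whose "MTU of next hop" is smaller than the expected 1500.

EXPECTED_MTU=1500   # assumed baseline for a plain Ethernet path

# Read tcpdump -n text on stdin and print "router_ip next_hop_mtu" for every
# need-to-frag message that advertises an MTU below EXPECTED_MTU.
# tcpdump renders such a message as, for example:
#   IP 192.0.2.1 > 198.51.100.7: ICMP 203.0.113.9 unreachable - need to frag (mtu 1450), length 36
low_mtu_hints() {
    sed -n 's/^.*IP \([0-9.]*\) > .*need to frag (mtu \([0-9]*\)).*$/\1 \2/p' |
    awk -v max="$EXPECTED_MTU" '$2 < max'
}

# Live confirmation (needs network, not run by the test): send DF-flagged
# pings with a shrinking payload until one gets through. Payload plus the
# 20-byte IP and 8-byte ICMP headers is the path MTU. Stops at 1200 bytes.
probe_pmtu() {
    host=$1
    size=1472   # 1500 - 20 (IP) - 8 (ICMP)
    while [ "$size" -ge 1172 ]; do
        if ping -c 1 -W 2 -M do -s "$size" "$host" >/dev/null 2>&1; then
            echo $((size + 28))
            return 0
        fi
        size=$((size - 10))
    done
    return 1
}

# Constructed sample capture: a client SYN, a bad hint from one router
# (1450, the value seen in the answer) and a harmless hint from another.
SAMPLE_CAPTURE='IP 198.51.100.7.44120 > 203.0.113.9.443: Flags [S], seq 1, win 29200, length 0
IP 192.0.2.1 > 198.51.100.7: ICMP 203.0.113.9 unreachable - need to frag (mtu 1450), length 36
IP 192.0.2.2 > 198.51.100.7: ICMP 203.0.113.9 unreachable - need to frag (mtu 1500), length 36'

# Prints: 192.0.2.1 1450
printf '%s\n' "$SAMPLE_CAPTURE" | low_mtu_hints
```

Feed a real capture with `tcpdump -n -i <iface> icmp | low_mtu_hints` on the router to find which hop is advertising the low MTU.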