Curl hangs after client hello

Tags: curl, handshake, ssl

When I execute the following command in Ubuntu:

 curl -v --insecure -XGET 'https://user:pass@IP_ADDR:PORT/SOME_FILE.php'

I get this output:

* Hostname was NOT found in DNS cache
*   Trying IP_ADDR...
* Connected to IP_ADDR (IP_ADDR) port PORT (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):

And after several minutes I get this:

* Unknown SSL protocol error in connection to IP_ADDR:PORT 
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to IP_ADDR:PORT 

When I try the same thing in CentOS I still get stuck in Client Hello, but in the end I get this:

curl: (28) Operation timed out after 0 milliseconds with 0 out of 0 bytes received

Does anyone know what can cause it and how I can fix it?

Best Answer

We suffered the same exact issue and the cause was an MTU misconfiguration, but there are many other possible causes.

The key was to sniff traffic on our edge router, where we saw ICMP messages to the server (GitHub.com) asking for fragmentation. This was messing up the connection, with retransmissions, duplicate ACKs and so on.


The ICMP packet had a field, MTU of next hop, with a weird value, 1450. The usual value is 1500.


We checked our router and one of the interfaces (an Ethernet tunnel) had this value as MTU, so the router was taking the minimum MTU of all interfaces as next hop. As soon as we removed this interface (it was unused), the SSH handshake started to work again.
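As an added illustration, not part of the original question or answer: the diagnosis above rests on reading the "MTU of next hop" field (RFC 1191) out of ICMP Destination Unreachable / Fragmentation Needed messages (type 3, code 4). The parser below decodes such a message from a raw IPv4 datagram and flags any hop that advertises a smaller MTU than the local interface expects. The packet it runs on is constructed in code, not a real capture; the addresses (documentation ranges), the 1450 value and the TCP ports are made-up sample data, and the function names are this example's own.

```python
import socket
import struct
from dataclasses import dataclass


@dataclass
class FragNeeded:
    router: str        # hop that dropped the packet and sent the ICMP message
    next_hop_mtu: int  # RFC 1191 "MTU of next hop" field
    orig_src: str      # source of the datagram that was dropped
    orig_dst: str      # destination of the dropped datagram
    orig_len: int      # total length of the dropped datagram


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frag_needed(pkt: bytes):
    """Return FragNeeded for an IPv4 datagram carrying ICMP type 3 / code 4, None for anything else."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 1:          # not IPv4, or not ICMP
        return None
    icmp = pkt[(ver_ihl & 0x0F) * 4:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != 3 or code != 4:                  # only "fragmentation needed and DF set"
        return None
    if _csum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                             # copy of the offending datagram's IP header
    if len(inner) < 20:
        raise ValueError("message lacks the embedded IP header")
    _, _, i_len, _, _, _, _, _, i_src, i_dst = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    return FragNeeded(socket.inet_ntoa(src), mtu, socket.inet_ntoa(i_src),
                      socket.inet_ntoa(i_dst), i_len)


def safe_tcp_mss(f: FragNeeded) -> int:
    """Largest TCP MSS (no IP/TCP options) that fits the advertised next-hop MTU."""
    return f.next_hop_mtu - 40


def find_black_holes(datagrams, expected_mtu=1500):
    """Filter a stream of raw datagrams down to frag-needed reports below the expected MTU."""
    hits = []
    for pkt in datagrams:
        f = parse_frag_needed(pkt)
        if f is not None and f.next_hop_mtu < expected_mtu:
            hits.append(f)
    return hits


def build_frag_needed(router, next_hop_mtu, orig_src, orig_dst, orig_len):
    """Construct a sample ICMP fragmentation-needed message (test input, not a capture)."""
    # Embedded copy of the dropped datagram: IPv4 header with DF set, then 8 bytes of TCP header
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, orig_len, 0x1234, 0x4000, 64, 6, 0,
                        socket.inet_aton(orig_src), socket.inet_aton(orig_dst))
    inner += struct.pack("!HHI", 443, 54321, 1)  # sport 443, dport 54321, seq 1 (sample values)
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + inner
    body = body[:2] + struct.pack("!H", _csum(body)) + body[4:]
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 1, 0,
                        socket.inet_aton(router), socket.inet_aton(orig_src))
    return outer + body


# Constructed sample traffic: one frag-needed report from a hop with a 1450-byte MTU,
# plus an unrelated ICMP echo request that the filter must ignore.
SAMPLE_FRAG_NEEDED = build_frag_needed("10.0.0.1", 1450, "192.0.2.10", "198.51.100.7", 1500)
SAMPLE_ECHO = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                          socket.inet_aton("192.0.2.10"), socket.inet_aton("10.0.0.1")) \
              + struct.pack("!BBHHH", 8, 0, 0, 1, 1)

if __name__ == "__main__":
    for hit in find_black_holes([SAMPLE_ECHO, SAMPLE_FRAG_NEEDED]):
        print(f"{hit.router} dropped a {hit.orig_len}-byte packet {hit.orig_src}->{hit.orig_dst}: "
              f"next-hop MTU {hit.next_hop_mtu}, clamp MSS to {safe_tcp_mss(hit)}")
```

On a real router the equivalent of `find_black_holes` is a capture filter such as `tcpdump -ni <iface> 'icmp[0] = 3 and icmp[1] = 4'`, which selects exactly these messages. If the undersized interface cannot simply be removed as in the answer, clamping the TCP MSS on forwarded SYNs (for example `iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`) keeps large handshake records like the TLS certificate message from exceeding the path MTU.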
