This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-users] All DomU failing SSLv3 handshake (curl, apt-get, wget, etc.)

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] All DomU failing SSLv3 handshake (curl, apt-get, wget, etc.) but OK on Dom0
From: Niklas Bivald <niklas@xxxxxxxxxx>
Date: Fri, 4 Feb 2011 15:42:25 +0100

First of all, I've googled this subject a lot (several hours), but right now I'm
simply stuck. All 4 of my DomUs fail the SSL handshake:

> niklas@stats:~$ curl -vI https://graph.facebook.com
> * About to connect() to graph.facebook.com port 443 (#0)
> *   Trying connected
> * Connected to graph.facebook.com ( port 443 (#0)
> * successfully set certificate verify locations:
> *   CAfile: none
>   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
Hangs for 2 minutes...
> * Unknown SSL protocol error in connection to graph.facebook.com:443 
> * Closing connection #0
> curl: (35) Unknown SSL protocol error in connection to graph.facebook.com:443 

But the same request works fine on Dom0. To make it even weirder, some https
requests work. The failure is not program-specific (curl, wget and apt-get all
have the same error).

Running Debian lenny.

> uname -a
> Linux server.com 2.6.26-1-xen-amd64 #1 SMP Fri Mar 13 21:39:38 UTC 2009 x86_64 GNU/Linux

The DomUs have a different IP series than Dom0 (net.ipv4.ip_forward = 1).

I've re-installed openssl, run apt-get upgrade, pretty much all that I can 
possibly think of. I'm running out of ideas.

Can anyone point me in the right direction?

Example of ssl/https that doesn't work:
>       graph.facebook.com (http works fine though)
>       apt-get update with the security.debian.org mirror

Example that works:
>       www.nordea.se
