Author Topic: curl: (35) Unknown SSL protocol error  (Read 2197 times)

yborokhov

  • Jr. Member
  • **
  • Posts: 5
  • Karma: +0/-0
curl: (35) Unknown SSL protocol error
« on: December 29, 2016, 08:21:54 PM »
Did anyone experience the following error with the latest version of curl?

The version of curl we have is ...
curl 7.50.3 (powerpc-ibm-aix5.3.7.0) libcurl/7.50.3 OpenSSL/1.0.2j zlib/1.2.8
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

Here is the error
curl -v -i -k -H "Content-Type: text/xml" -d @ortho.hl7 https://MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991 -o out.txt
* Rebuilt URL to: https://MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 52.207.145.201...
* TCP_NODELAY set
* Connected to MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com (52.207.145.201) port 5991 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /var/ssl/cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS Unknown, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* Unknown SSL protocol error in connection to MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991
* Curl_http_done: called premature == 0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991

Thanks!
Yuriy

Michael

  • Administrator
  • Hero Member
  • *****
  • Posts: 1052
  • Karma: +0/-0
Re: curl: (35) Unknown SSL protocol error
« Reply #1 on: December 30, 2016, 09:04:19 PM »
The problems I was having with curl were caused by issues with the IBM openssl and getting it to read root certificates.

On vacation atm - so I cannot look deeper atm. From memory you need a file (use the curl site to get the file), named /var/ssl/cacert.pem - that is the file my packaging is looking for by default. There is also an environment variable to use a different file.

p.s. only difference I have is openssl-1.0.2h


michael@x071:[/tmp]curl -v -i -k -H "Content-Type: text/xml" -d @ortho.hl7 https://MSPATH-ADT-TEST-NYU-ELB-4>
Warning: Couldn't read data from file "ortho.hl7", this makes an empty POST.
* Rebuilt URL to: https://MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 52.207.145.201...
* TCP_NODELAY set
  0     0    0     0    0     0      0      0 --:--:--  0:00:10 --:--:--

yborokhov

Re: curl: (35) Unknown SSL protocol error
« Reply #2 on: December 31, 2016, 06:54:14 PM »
Hi Michael,

I have the right CA file (see below). There is a newer version of it on the curl site but I don't know if I should download and use it. Is there anything else I can look at to find the problem?

Thanks

hsdev01@hsdev@/var/ssl>ls -ltr
total 560
drwxr-x---    2 root     system          256 Mar 25 2013  private
drwxr-xr-x    2 root     system          256 Mar 25 2013  certs
-rw-r--r--    1 root     system        10835 Mar 25 2013  openssl.cnf
-rw-r--r--    1 root     system        11485 Oct 24 15:23 openssl.cnf.rpmorig
-rw-r--r--    1 bin      bin          261644 Dec 20 13:39 cacert-2016-09-14.pem
lrwxrwxrwx    1 root     system           30 Dec 20 13:39 cacert.pem -> /var/ssl/cacert-2016-09-14.pem
drwxr-xr-x    2 root     system          256 Dec 21 10:05 misc
 

Michael

Re: curl: (35) Unknown SSL protocol error
« Reply #3 on: January 02, 2017, 10:22:08 AM »
Yes, of course you can, read SHOULD!, use the new pem. We would all be hard-pressed to use openssl safely if we could not.

I shall download the newer pem file myself.

However, my other issue - while the URL resolves to an IP address I am not able to connect using any program. You were originally connecting (as you have additional connection information):


* TLSv1.2 (OUT), TLS Unknown, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* Unknown SSL protocol error in connection to MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991
* Curl_http_done: called premature == 0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991


So I tried something - simpler -


root@x071:[/root]curl -v -i -k https://www.ibm.com/us-en/ -o out.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2.20.175.75...
* TCP_NODELAY set
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0* Connected to www.ibm.com (2.20.175.75) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /var/ssl/cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS Unknown, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [120 bytes data]
* NPN, negotiated HTTP1.1
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2993 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
} [36 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*  subject: C=US; ST=New York; L=Armonk; O=IBM; CN=www.ibm.com
*  start date: Dec 12 00:00:00 2016 GMT
*  expire date: Jan 23 23:59:59 2018 GMT
*  issuer: C=US; O=GeoTrust Inc.; CN=GeoTrust SSL CA - G3
*  SSL certificate verify ok.
} [5 bytes data]
> GET /us-en/ HTTP/1.1
> Host: www.ibm.com
> User-Agent: curl/7.50.3
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Cache-Control: max-age=301
< Expires: Thu, 29 Dec 2016 15:22:41 GMT
< Last-Modified: Thu, 29 Dec 2016 14:30:15 GMT
< ETag: "80c2-544ccec7a2bc0"
< ntCoent-Length: 32962
< Kp-eeAlive: timeout=10, max=73
< Content-Type: text/html
< Date: Mon, 02 Jan 2017 10:13:56 GMT
< Transfer-Encoding:  chunked
< Connection: keep-alive
< Connection: Transfer-Encoding
<
{ [16022 bytes data]
* Curl_http_done: called premature == 0
100 32962    0 32962    0     0  18799      0 --:--:--  0:00:01 --:--:-- 18803
* Connection #0 to host www.ibm.com left intact
root@x071:[/root]ls -l out.txt
-rw------- 1 root system 33324 Jan  2 10:13 out.txt


So, I do not think the issue is with curl or openssl per se, but instead some (additional) requirements that amazonaws.com are using, read requiring, to establish connections.

In other words - while you may prove me wrong later - at this point I do not see it as 'a bug' in AIX, openssl, or curl.

Michael

Re: curl: (35) Unknown SSL protocol error
« Reply #4 on: January 02, 2017, 01:23:03 PM »
p.s. packaged the latest curl at http://www.aixtools.net/index.php/curl

yborokhov

Re: curl: (35) Unknown SSL protocol error
« Reply #5 on: January 13, 2017, 07:41:50 PM »
Hi Michael,

I upgraded to the latest version of curl from your website but am still getting the same errors. What's interesting is that using another version of curl (written by another developer) works fine.

3-rd party working curl

hsdev01@hsdev@/hs/admin/test>/opt/TWWfsw/curl715/bin/curl -v -i -k -H "Content-Type: text/xml" -d @ortho.hl7 https://MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991 -o out.txt
* About to connect() to MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com port 5991
*   Trying 34.195.27.140... connected
* Connected to MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com (34.195.27.140) port 5991
* found 59 certificates in /opt/TWWfsw/curl715/share/ca-bundle.crt
*        server certificate verification FAILED
*        common name: *.mspaths.org (does not match 'MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com')
*        certificate public key: RSA
*        certificate version: #3
*        subject: C=US,ST=Massachusetts,L=Cambridge,O=Biogen Inc,CN=*.mspaths.org
*        start date: Thu, 31 Mar 2016 00:00:00 GMT
*        expire date: Sat, 31 Mar 2018 23:59:59 GMT
*        issuer: C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3
*        compression: NULL
*        cipher: AES 128 CBC
*        MAC: SHA
> POST / HTTP/1.1
> User-Agent: curl/7.15.1 (powerpc-ibm-aix5.3.0.0) libcurl/7.15.1 GnuTLS/1.2.9 zlib/1.1.4 libidn/0.5.20
> Host: MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991
> Accept: */*
> Content-Type: text/xml
> Content-Length: 119
>
> MSH|^~\&|CURL|HJD|||20140711132952||ADT^A04|103568|T|2.3|LFISH^JACOB^||||||||||||||||||||||||||||||||||||20140711132951HTTP/1.1 200 OK
< Content-Type: text/html
< Content-Length: 97
< CACHE-CONTROL: no-cache
< PRAGMA: no-cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0    97    0    97    0     0    497      0 --:--:-- --:--:-- --:--:-- 24250Connection #0 to host MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com left intact

* Closing connection #0



Now sending with 'AIX' curl

hsdev01@hsdev@/hs/admin/test>curl -v -i -k -H "Content-Type: text/xml" -d @ortho.hl7 https://MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991 -o out.txt
* Rebuilt URL to: https://MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991/
*   Trying 52.207.145.201...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com (52.207.145.201) port 5991 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS Unknown, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* Unknown SSL protocol error in connection to MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991
* Curl_http_done: called premature == 1
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991

Michael

Re: curl: (35) Unknown SSL protocol error
« Reply #6 on: January 13, 2017, 11:21:41 PM »
Your 3rd party one looks to be quite old - 7.15.1 if I read correctly. That was from December 2005.

Maybe it works because of a bug in that version - that is fixed in the later (i.e., current) release.

I also see two very different IP addresses. One is class A 34.0.0.0 and the other is class A 52.0.0.0 - might have nothing to do with it.

Also, 3rd party is also using GNUTLS and it will not be the first time I have seen a GNU implementation that is different from POSIX or IEEE standards (i.e., GNU takes a different legal interpretation of a protocol).

In short, big differences (last is zlib 1.1.4 rather than at least zlib 1.2.3 (major security fix there) - current is zlib-1.2.10).

Ending: no idea why it is not working - and without the file for "POST" operation I cannot test your example.

yborokhov

Re: curl: (35) Unknown SSL protocol error
« Reply #7 on: January 14, 2017, 03:13:26 PM »
Hi Michael,

Are you requesting I send you the file we're attempting to POST to that host? I can certainly upload this file. Please let me know.

Thanks

Yuriy 

Michael

Re: curl: (35) Unknown SSL protocol error
« Reply #8 on: January 14, 2017, 11:36:45 PM »
Hi.

No. I was not requesting the file. I would never presume that the information may be confidential - and would not wish to put you in an awkward position. In short, I was only stating that I could not do the test without a file to post.

If you have a "template" of a file that will suffice for the connection (and it is small enough). I am guessing from the debug info it is an XML file - you could paste that info so I could try another test.

Further, have you tried using openssl client_c ... (or something like that) to connect to the site? I tried, but got no response of any kind - and 'gave up'.

All said, if you are able to supply additional info such that I can attempt a similar test to yours I will spend some time on it.

yborokhov

Re: curl: (35) Unknown SSL protocol error
« Reply #9 on: January 17, 2017, 04:38:17 PM »
Hi Michael,

You won't be able to connect to that host because it has restricted access. I ran two commands, one with CAfile specified and one without. It seems like curl might be using openssl but not passing an option for CAfile.

hsdev01@hsdev@/hs/sys/bin>openssl s_client -CAfile /var/ssl/cacert-2016-11-02.pem -connect MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991 -status
CONNECTED(00000003)
OCSP response: no response sent
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
verify return:1
depth=0 C = US, ST = Massachusetts, L = Cambridge, O = Biogen Inc, CN = *.mspaths.org
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Massachusetts/L=Cambridge/O=Biogen Inc/CN=*.mspaths.org
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
subject=/C=US/ST=Massachusetts/L=Cambridge/O=Biogen Inc/CN=*.mspaths.org
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3258 bytes and written 440 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: C7190A43EE3C30CF600E8110BC018A8352A355F 7FCF7C424ACCB1F1756086ACD
    Session-ID-ctx:
    Master-Key: AEF89C7153AC3E20D46159BFD0511EAE00F652B 45B0C2AA1458DEDAFCC6ADB57AB5C4EF993364B 0264E798BD663A530E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1484670828
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed


Now without CA file

hsdev01@hsdev@/hs/sys/bin>openssl s_client -connect MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com:5991 -status
CONNECTED(00000003)
OCSP response: no response sent
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=Massachusetts/L=Cambridge/O=Biogen Inc/CN=*.mspaths.org
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
subject=/C=US/ST=Massachusetts/L=Cambridge/O=Biogen Inc/CN=*.mspaths.org
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3258 bytes and written 440 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 5C95C0163232120C4EA2B5013C9158BFD66B5A1 4A0931282C179E85EDD4A306F
    Session-ID-ctx:
    Master-Key: 0FB8F95BDC8BCC64E887C02391ACD6A2A14C328 867F19B1D9735A594FC9A8E406E1FD5E1AAB7D3 1A8AAD2A91B73A5698
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1484671075
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed
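
Added example, not part of the thread or of any poster's code: the two s_client runs above report on the certificate chain (code 0 with the CA file, code 20 without), while the GnuTLS-based curl in reply #5 separately reported that the common name does not match the ELB host name, and `-k` hides both results. The sketch below keeps the two checks apart using lines copied from the outputs in this thread; it matches against the subject CN only because that is what the outputs show (a real verifier consults subjectAltName first), and `adt.mspaths.org` in the demo is a made-up name.

```python
import re

# Constructed excerpts: lines copied from the two s_client runs in the thread.
S_CLIENT_WITH_CA = """\
subject=/C=US/ST=Massachusetts/L=Cambridge/O=Biogen Inc/CN=*.mspaths.org
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
    Verify return code: 0 (ok)
"""
S_CLIENT_NO_CA = """\
subject=/C=US/ST=Massachusetts/L=Cambridge/O=Biogen Inc/CN=*.mspaths.org
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
    Verify return code: 20 (unable to get local issuer certificate)
"""
HOST = "MSPATH-ADT-TEST-NYU-ELB-46670477.us-east-1.elb.amazonaws.com"


def parse_s_client(text):
    """Return (subject_cn, verify_code) from openssl s_client output."""
    cn = re.search(r"^subject=.*?/CN=([^/\n]+)", text, re.M)
    code = re.search(r"Verify return code:\s*(\d+)", text)
    return (cn.group(1).strip() if cn else None,
            int(code.group(1)) if code else None)


def name_matches(host, pattern):
    """RFC 6125-style match: '*' is honoured only as the whole left-most
    label and stands for exactly one label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and h[1:] == p[1:]
    return h == p


def assess(host, text):
    """Report chain validation and name validation as separate results."""
    cn, code = parse_s_client(text)
    return {
        "subject_cn": cn,
        "chain_ok": code == 0,
        "name_ok": cn is not None and name_matches(host, cn),
    }


if __name__ == "__main__":
    for label, text in (("with CAfile", S_CLIENT_WITH_CA),
                        ("without CAfile", S_CLIENT_NO_CA)):
        print(label, assess(HOST, text))
    # Hypothetical host name under the certificate's own domain.
    print("adt.mspaths.org", assess("adt.mspaths.org", S_CLIENT_WITH_CA))
```

With the CA file the chain validates but the name check still fails for the ELB host name, which is the condition the old curl printed as "server certificate verification FAILED" before `-k` let the POST proceed.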