    $ openssl version
    OpenSSL 1.0.1 14 Mar 2012
    $ openssl s_client -msg -state -connect w.x.y.z:10636
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    >>> TLS 1.1 [length 00dd]
        01 00 00 d9 03 02 51 0a c4 32 c9 50 79 93 ea 10
        7f d1 41 57 3f 52 27 c6 86 df 9b fa 20 09 0c 92
        b4 e8 ae 5f 6c fa 00 00 66 c0 14 c0 0a c0 22 c0
        21 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00
        84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0
        03 00 0a c0 13 c0 09 c0 1f c0 1e 00 33 00 32 00
        9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00
        41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00
        12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 02
        01 00 00 49 00 0b 00 04 03 00 01 02 00 0a 00 34
        00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09
        00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15
        00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f
        00 10 00 11 00 23 00 00 00 0f 00 01 01
    SSL_connect:unknown state

Notice that OpenSSL 1.0.1 attempts the negotiation with TLS 1.1. From my Mac, though, I could negotiate:

    $ openssl version
    OpenSSL 0.9.8r 8 Feb 2011
    $ echo | openssl s_client -msg -state -connect w.x.y.z:10636
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    >>> SSL 2.0 [length 0080], CLIENT-HELLO
        01 03 01 00 57 00 00 00 20 00 00 39 00 00 38 00
        00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
        33 00 00 32 00 00 2f 00 00 9a 00 00 99 00 00 96
        03 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00
        00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00
        08 00 00 06 04 00 80 00 00 03 02 00 80 00 00 ff
        5d df 78 59 05 15 8f fc d4 df 62 0f b5 b7 e8 79
        af 6e 49 22 09 5b 1c 89 5a 96 49 fa b1 a2 41 91
    SSL_connect:SSLv2/v3 write client hello A
    <<< TLS 1.0 Handshake [length 0051], ServerHello
        02 00 00 4d 03 01 51 0a c5 e1 1c 6f 7f cc c2 92
        8c 3c 02 3c ad 42 04 59 35 35 be 24 72 b6 92 27
        a7 b9 a7 fc ae c2 20 51 0a c5 e1 a5 5e 9a 62 d8
        1f 5d c4 be 3e 7d ef 89 b1 67 6d 5a db 20 3c d2
        5b 3f 1f 19 e2 f1 83 00 39 00 00 05 ff 01 00 01
        00
    SSL_connect:SSLv3 read server hello A
    ...

But then notice that the OpenSSL client on Lion starts the negotiation with SSL 2.0 up front. While the OpenSSL project has been trying to solve issues like this (hangs), I believe there is still some code review to be done, as previous versions of OpenSSL negotiated correctly. For now we managed to work around this issue by passing SSL3 as the preferred secure transport:

    $ echo | openssl s_client -ssl3 -msg -state -connect w.x.y.z:10636
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    >>> SSL 3.0 Handshake [length 005a], ClientHello
    ...

That might not be an option for you, in which case just try the other available protocol options. BTW, this happened on Ubuntu 12.04.

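One way to script the "try other protocol options" step, as an added example that is not part of the original post: it forces each protocol flag in turn, newest first, under a timeout, so a stalled handshake like the one above is reported as a hang instead of blocking the terminal. The function names and the 5-second default are assumptions; the flags are standard s_client options, and a flag missing from your build simply reports as fail.

```shell
#!/bin/sh
# Added example: probe which protocol versions complete a handshake.
# probe_proto and first_working_proto are hypothetical helper names.

# probe_proto HOST:PORT FLAG [SECONDS] -> prints ok | hang | fail
probe_proto() {
    target=$1; flag=$2; secs=${3:-5}
    rc=0
    # stdin from /dev/null makes s_client exit right after the handshake;
    # timeout(1) turns a stalled handshake into exit status 124.
    timeout "$secs" openssl s_client "$flag" -connect "$target" \
        </dev/null >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo ok ;;     # handshake completed
        124) echo hang ;;   # handshake did not finish before the timeout
        *)   echo fail ;;   # alert, refused connection, or flag not in this build
    esac
}

# first_working_proto HOST:PORT [SECONDS] -> prints the newest flag that works
first_working_proto() {
    for f in -tls1_3 -tls1_2 -tls1_1 -tls1 -ssl3; do
        if [ "$(probe_proto "$1" "$f" "${2:-5}")" = ok ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Usage (address as on the page): first_working_proto w.x.y.z:10636
```

Because the loop starts from the newest version, it stops at the strongest protocol the server accepts rather than dropping straight to SSL3.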
Infrastructure as a Service demands a high level of automation. Basically, all the best practices taught to software developers should be followed by Ops guys as well, especially when it comes to automating the building of environments and testing. These practices should be mandated, not overlooked, to avoid surprises in production systems while still being as agile as possible on the infrastructure side. Back to the lab ...