Hi,
We have two Rocky Linux machines. Both are installed with Rocky Linux 8.5 and the packages are updated.
One is a test machine inside VirtualBox (named rocky) and is working fine. The other is a prod AWS EC2 instance using the official Rocky AMI (machine name SC2-WebApp-01).
We are using Composer, which uses curl to fetch some libraries from api.github.com.
On the test machine it is working fine. On the prod machine the curl command is failing with the error curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.github.com:443
Below are the details of the machine where it is failing:
[root@SC2-WebApp-01 ~]# curl -v https://api.github.com
* Rebuilt URL to: https://api.github.com/
* Trying 140.82.121.6...
* TCP_NODELAY set
* Connected to api.github.com (140.82.121.6) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.github.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.github.com:443
[root@SC2-WebApp-01 ~]#
[root@SC2-WebApp-01 ~]# openssl s_client -connect api.github.com:443 -msg --state -debug
CONNECTED(00000003)
SSL_connect:before SSL initialization
>>> ??? [length 0005]
16 03 01 01 5d
>>> TLS 1.3, Handshake [length 015d], ClientHello
write to 0x564694bd90e0 [0x564694becf80] (354 bytes => 354 (0x162))
SSL_connect:SSLv3/TLS write client hello
read from 0x564694bd90e0 [0x564694be3d63] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
SSL_connect:error in SSLv3/TLS write client hello
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 354 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x564694bd90e0 [0x564694b1ce10] (8192 bytes => 0 (0x0))
Below is the output from the machine where it is working without any issue:
[root@rocky ~]# openssl s_client -connect api.github.com:443 -msg
CONNECTED(00000003)
>>> ??? [length 0005]
16 03 01 01 33
>>> TLS 1.3, Handshake [length 0133], ClientHello
<<< ??? [length 0005]
16 03 03 00 7a
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< ??? [length 0005]
14 03 03 00 01
<<< ??? [length 0005]
17 03 03 00 1b
<<< TLS 1.3 [length 0001]
16
<<< TLS 1.3, Handshake [length 000a], EncryptedExtensions
08 00 00 06 00 04 00 00 00 00
<<< ??? [length 0005]
17 03 03 09 4b
<<< TLS 1.3 [length 0001]
16
<<< TLS 1.3, Handshake [length 093a], Certificate
-------
----------
---------
[root@rocky ~]# curl -v https://api.github.com
* Rebuilt URL to: https://api.github.com/
* Trying 140.82.121.5...
* TCP_NODELAY set
* Connected to api.github.com (140.82.121.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
* start date: Mar 25 00:00:00 2021 GMT
* expire date: Mar 30 23:59:59 2022 GMT
* subjectAltName: host "api.github.com" matched cert's "*.github.com"
* issuer: C=US; O=DigiCert, Inc.; CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x55ff041d5690)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/2
> Host: api.github.com
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 200
< server: GitHub.com
< date: Wed, 05 Jan 2022 09:23:13 GMT
< cache-control: public, max-age=60, s-maxage=60
< vary: Accept, Accept-Encoding, Accept, X-Requested-With
< access-control-expose-headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
-------
----------
---------
Can anyone help explain why it is failing on one server and working fine on the other? Both have exactly the same version.
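
Added example, not part of the original post: a small parser that reads the state lines of an `openssl s_client -msg -state` transcript like the two above and reports how far the handshake got. The sample transcripts are constructed from the diagnostic lines quoted in the post; the function names and result labels are hypothetical.

```python
import re

# Linux errno values as printed by openssl in "write:errno=N" (both hosts are Linux).
LINUX_ERRNO = {32: "EPIPE", 104: "ECONNRESET", 110: "ETIMEDOUT", 111: "ECONNREFUSED"}
MSG = re.compile(r"^(>>>|<<<) TLS [\d.]+, Handshake \[length [0-9a-f]+\], (\w+)", re.M)

# Constructed samples: diagnostic lines copied from the two transcripts in the post.
FAILING = """CONNECTED(00000003)
SSL_connect:before SSL initialization
>>> TLS 1.3, Handshake [length 015d], ClientHello
SSL_connect:error in SSLv3/TLS write client hello
write:errno=104
SSL handshake has read 0 bytes and written 354 bytes
"""
WORKING = """CONNECTED(00000003)
>>> TLS 1.3, Handshake [length 0133], ClientHello
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 000a], EncryptedExtensions
<<< TLS 1.3, Handshake [length 093a], Certificate
"""

def summarize(transcript):
    """Extract the diagnostic facts from s_client -msg -state output."""
    msgs = MSG.findall(transcript)
    err = re.search(r"^write:errno=(\d+)", transcript, re.M)
    io = re.search(r"has read (\d+) bytes and written (\d+) bytes", transcript)
    code = int(err.group(1)) if err else None
    return {
        "tcp_connected": "CONNECTED(" in transcript,
        "sent": [name for d, name in msgs if d == ">>>"],
        "received": [name for d, name in msgs if d == "<<<"],
        "errno": LINUX_ERRNO.get(code, code),
        "bytes_read": int(io.group(1)) if io else None,
    }

def classify(s):
    """Say how far the handshake got; this locates the failure, not its cause."""
    if not s["tcp_connected"]:
        return "tcp_connect_failed"
    if "ClientHello" in s["sent"] and not s["received"] and not s["bytes_read"]:
        # Nothing came back, so no ServerHello and no certificate was ever seen.
        if s["errno"] == "ECONNRESET":
            return "reset_after_client_hello"
        return "no_reply_to_client_hello"
    if "Certificate" in s["received"]:
        return "server_certificate_received"
    return "handshake_in_progress"
```

For the failing transcript this returns reset_after_client_hello: the TCP connection opened and the ClientHello was written, but the connection was reset before any server bytes arrived, so certificate verification against the CA bundle never ran.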