Curl OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.github.com:443

Hi,
We have two Rocky Linux machines. Both are installed with Rocky Linux 8.5 and the packages are updated.

One is a test machine inside VirtualBox (name rocky) and it is working fine. The other is a prod AWS EC2 instance using the official Rocky AMI (machine name SC2-WebApp-01).

We are using Composer, which uses curl to fetch some libraries from api.github.com.

On the test machine it is working fine. On the prod machine the curl command is failing with the error curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.github.com:443

Below are the details of the machine where it is failing:

[root@SC2-WebApp-01 ~]# curl -v   https://api.github.com
* Rebuilt URL to: https://api.github.com/
*   Trying 140.82.121.6...
* TCP_NODELAY set
* Connected to api.github.com (140.82.121.6) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.github.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.github.com:443
[root@SC2-WebApp-01 ~]#
[root@SC2-WebApp-01 ~]# openssl s_client -connect api.github.com:443 -msg --state -debug
CONNECTED(00000003)
SSL_connect:before SSL initialization
>>> ??? [length 0005]
    16 03 01 01 5d
>>> TLS 1.3, Handshake [length 015d], ClientHello
write to 0x564694bd90e0 [0x564694becf80] (354 bytes => 354 (0x162))
SSL_connect:SSLv3/TLS write client hello
read from 0x564694bd90e0 [0x564694be3d63] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
SSL_connect:error in SSLv3/TLS write client hello
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 354 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x564694bd90e0 [0x564694b1ce10] (8192 bytes => 0 (0x0))

Below is the output from the machine where it is working without any issue:

[root@rocky ~]# openssl s_client -connect api.github.com:443 -msg
CONNECTED(00000003)
>>> ??? [length 0005]
    16 03 01 01 33
>>> TLS 1.3, Handshake [length 0133], ClientHello
<<< ??? [length 0005]
    16 03 03 00 7a
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< ??? [length 0005]
    14 03 03 00 01
<<< ??? [length 0005]
    17 03 03 00 1b
<<< TLS 1.3 [length 0001]
    16
<<< TLS 1.3, Handshake [length 000a], EncryptedExtensions
    08 00 00 06 00 04 00 00 00 00
<<< ??? [length 0005]
    17 03 03 09 4b
<<< TLS 1.3 [length 0001]
    16
<<< TLS 1.3, Handshake [length 093a], Certificate
-------
----------
---------
[root@rocky ~]# curl -v    https://api.github.com
* Rebuilt URL to: https://api.github.com/
*   Trying 140.82.121.5...
* TCP_NODELAY set
* Connected to api.github.com (140.82.121.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
*  start date: Mar 25 00:00:00 2021 GMT
*  expire date: Mar 30 23:59:59 2022 GMT
*  subjectAltName: host "api.github.com" matched cert's "*.github.com"
*  issuer: C=US; O=DigiCert, Inc.; CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x55ff041d5690)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/2
> Host: api.github.com
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 200
< server: GitHub.com
< date: Wed, 05 Jan 2022 09:23:13 GMT
< cache-control: public, max-age=60, s-maxage=60
< vary: Accept, Accept-Encoding, Accept, X-Requested-With
< access-control-expose-headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
-------
----------
---------

Can anyone help with why it is failing on one server and working fine on the other server? Both have exactly the same version.

Hi, did you find any solution?

Hi dtr.foobar
I forgot to update the post. In our case it was actually the network firewall which was causing the issue.
Palo Alto was blocking the traffic which was going towards https://api.github.com. Once the traffic was allowed in the FW, everything started working smoothly.
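
Added example, not part of the original thread: a small shell function that classifies a saved `openssl s_client -msg -state` transcript, so the pattern seen on the failing host (TCP connects, ClientHello is written, zero bytes are read, `write:errno=104`) is recognised as a reset on the path rather than a certificate or cipher problem. The function name, the labels it prints and the embedded sample transcripts are assumptions of this example; the sample lines are excerpts constructed from the output posted above.

```shell
# Classify an `openssl s_client` transcript read from stdin.
# Typical use (stderr is merged because s_client reports errno lines there):
#   openssl s_client -connect api.github.com:443 -msg -state </dev/null 2>&1 | classify_s_client
classify_s_client() {
  awk '
    /^CONNECTED\(/                         { tcp_ok = 1 }        # TCP handshake completed
    /^write:errno=/                        { split($0, kv, "="); err = kv[2] + 0 }
    /^SSL handshake has read [0-9]+ bytes/ { read_bytes = $5 + 0 }
    /ServerHello/                          { server_hello = 1 }  # -msg line for the reply
    END {
      if (!tcp_ok)
        print "no_tcp_connection"          # blocked or unreachable before TLS starts
      else if (server_hello || read_bytes > 0)
        print "server_responded"           # look at certificates or ciphers next
      else if (err == 104)
        print "reset_after_client_hello"   # Linux errno 104 = ECONNRESET
      else
        print "no_server_bytes"            # connection closed or timed out silently
    }'
}

# Constructed excerpt of the failing host transcript from the thread.
sample_failing() {
  cat <<'EOF'
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write:errno=104
SSL handshake has read 0 bytes and written 354 bytes
EOF
}

# Constructed excerpt of the working host transcript from the thread.
sample_working() {
  cat <<'EOF'
CONNECTED(00000003)
>>> TLS 1.3, Handshake [length 0133], ClientHello
<<< TLS 1.3, Handshake [length 007a], ServerHello
EOF
}

sample_failing | classify_s_client
```

A `reset_after_client_hello` result means the TCP connection was accepted and then reset before any TLS reply arrived, which is consistent with a device on the path (the firewall in this thread) dropping the session; comparing the result from a host on a different network path separates that from a server-side problem.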