# OpenSSL connect error



## erikf154 (May 18, 2009)

I'm having an issue with TLS. I've created and self-signed a certificate and want to test it. Doing the following works:

```
openssl s_client -connect 10.x.x.x:4433 -showcerts
```

However, the following doesn't

```
openssl s_client -connect test001.mid.no:4433 -showcerts
connect: Operation timed out
connect:errno=60
```

The DNS is registered and I can dig it, connect to it with SSH and so on. What's wrong?


----------



## DutchDaemon (May 18, 2009)

The host does not exist 'officially'. Both authoritative DNS servers return NXDOMAIN. Do you use a local DNS, and is openssl looking at the same nameserver as dig and ssh? Do you have something in /etc/hosts too?


----------



## vivek (May 18, 2009)

Try port 443, you have used 4433 (assuming that you want 443) and syntax as follows:

```
openssl s_client -host server.ip.addr.ess  -port 443  -showcerts
```
Here is command for forums.freebsd.org:443: 

```
openssl s_client -host forums.freebsd.org  -port 443  -showcerts
```
It says:

```
CONNECTED(00000003)
depth=0 /C=US/ST=CO/L=Denver/O=FreeBSD.org/CN=forums.freebsd.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=CO/L=Denver/O=FreeBSD.org/CN=forums.freebsd.org
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CO/L=Denver/O=FreeBSD.org/CN=forums.freebsd.org
   i:/C=US/ST=CO/L=Denver/O=FreeBSD.org/CN=forums.freebsd.org
-----BEGIN CERTIFICATE-----
MIICMzCCAZwCCQCpSP2jK+o2pTANBgkqhkiG9w0BAQQFADBeMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCQ08xDzANBgNVBAcTBkRlbnZlcjEUMBIGA1UEChMLRnJlZUJT
RC5vcmcxGzAZBgNVBAMTEmZvcnVtcy5mcmVlYnNkLm9yZzAeFw0wNzEwMjMyMTU5
MTNaFw0xNzEwMjAyMTU5MTNaMF4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEP
MA0GA1UEBxMGRGVudmVyMRQwEgYDVQQKEwtGcmVlQlNELm9yZzEbMBkGA1UEAxMS
Zm9ydW1zLmZyZWVic2Qub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/
HFzi4BWoLwnwFsJ5HoF9l1e/an1qG3ywsNoKhrblEokQ81nAVjLiviTiLudiZnDU
+VWIK3fImdTgauSVLGrsCvsa9DyX60ANkqHuEHQGMp68bJ9SDy95smBabKmlqEie
DqLMZwsYF72k9UVxnI8+Wy8rxf30Ywi/g8B1TfI+ewIDAQABMA0GCSqGSIb3DQEB
BAUAA4GBABtO2+7fdj9TLcN5kCpevth1FbLhqdTHGRR8zCXCYr+HG2ANebwDhSRP
n0AF0SSSWiFjziDYXieAhUnZjxv1ppwTaaV12hc+kfODJ8+w7YIzVRPG72NiEdWY
3ZtxGGsKclZcFe7iTgJwq1ne6tYBbbRn5gQ9T41cmMCpnaE4/uN+
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=CO/L=Denver/O=FreeBSD.org/CN=forums.freebsd.org
issuer=/C=US/ST=CO/L=Denver/O=FreeBSD.org/CN=forums.freebsd.org
---
No client certificate CA names sent
---
SSL handshake has read 1131 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 3CF27E59B4E9E1491BA01F0B92F175EB432B46E035A05FFEF506E11E86B91E94
    Session-ID-ctx: 
    Master-Key: F48A7A026C9525F3F52799ACC5D245DF7A93901BB2BCFF395A55FD4995E6EA02D386B98F51B3AB568FBA292B1713BC4A
    Key-Arg   : None
    Start Time: 1242642256
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
closed
```


----------



## erikf154 (May 18, 2009)

It's a local DNS in our intranet. But (duh!), I had an entry in /etc/hosts I forgot about. Thanks very much for pointing that out!


----------



## DutchDaemon (May 18, 2009)

Using the -port syntax is not mandatory; the hostort syntax works just fine.


----------

