Our IM team reported that they were unable to download images from HTTPS servers. Our HTTPS client is written in C++ with boost.asio, and boost.asio uses OpenSSL for SSL/TLS.
First of all, I started the client with a DEBUG build; the error was “sslv3 alert handshake failure”. I tried different OpenSSL options in the client, but the result was the same. Besides, all options combined got the same response from the server side, as observed in Wireshark.
Second, I checked the packets sent from IE and from our OpenSSL-based client. Some extensions inside the ClientHello were suspicious:
A: Extension: renegotiation_info
B: Extension: server_name
C: Extension: status_request
I checked the OpenSSL source; it looks like it doesn’t support extension A, while it does support A and C.
Before writing our own test code, the simplest way to verify this was to send the request with openssl.exe.
The first try failed:
openssl s_client -tls1_2 -connect OUR_HTTPS_DOMAIN:443
The next one worked:
openssl s_client -tls1_2 -connect OUR_HTTPS_DOMAIN:443 -status -servername OUR_HTTPS_DOMAIN
This means the HTTPS server now requires the SNI (https://en.wikipedia.org/wiki/Server_Name_Indication) extension.
Once the cause was located, the fix was easy: set the host name after creating the SSL stream object.
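The ClientHello comparison done by eye in Wireshark above can also be scripted. The following is an added example, not code from the original post: it lists the extension types in a captured ClientHello record so that a missing server_name stands out. The function names and the sample bytes are constructed for illustration, and it assumes the whole ClientHello sits in a single TLS record.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;
// Bounds-checked big-endian reader: sets ok=false rather than reading past the end.
struct Reader {
    const Bytes& b; std::size_t pos; bool ok;
    explicit Reader(const Bytes& v) : b(v), pos(0), ok(true) {}
    uint32_t be(std::size_t n) {
        if (!ok || b.size() - pos < n) { ok = false; return 0; }
        uint32_t v = 0;
        while (n--) v = (v << 8) | b[pos++];
        return v;
    }
    void skip(std::size_t n) { if (!ok || b.size() - pos < n) ok = false; else pos += n; }
};
// Collects extension types (server_name=0, status_request=5, renegotiation_info=0xff01)
// from one TLS record holding a whole ClientHello; returns false if it is malformed.
bool hello_extensions(const Bytes& rec, std::set<uint16_t>& out) {
    Reader r(rec);
    if (r.be(1) != 0x16) return false;   // record type: handshake
    r.skip(4);                           // record version, record length
    if (r.be(1) != 0x01) return false;   // handshake type: ClientHello
    r.skip(3 + 2 + 32);                  // handshake length, client_version, random
    r.skip(r.be(1));                     // session_id
    r.skip(r.be(2));                     // cipher_suites
    r.skip(r.be(1));                     // compression_methods
    if (r.ok && r.pos == rec.size()) return true;   // legal hello without extensions
    std::size_t end = r.be(2); end += r.pos;        // end of the extensions block
    if (!r.ok || end > rec.size()) return false;
    while (r.pos < end) {
        uint16_t type = static_cast<uint16_t>(r.be(2));
        r.skip(r.be(2));                 // extension body
        if (!r.ok || r.pos > end) return false;
        out.insert(type);
    }
    return true;
}
// Constructed sample, not a real capture: a minimal TLS 1.2 ClientHello, built as a string.
Bytes sample_hello(bool with_sni) {
    std::string ext("\xff\x01\x00\x01\x00", 5);      // renegotiation_info, empty body
    if (with_sni) ext += std::string("\x00\x00\x00\x11\x00\x0f\x00\x00\x0c", 9) + "example.test";
    std::string body = std::string("\x03\x03", 2) + std::string(32, '\0')   // version, random
        + std::string("\x00\x00\x02\x00\x2f\x01\x00\x00", 8) + char(ext.size()) + ext;
    std::string rec = std::string("\x16\x03\x01\x00", 4) + char(body.size() + 4)
        + std::string("\x01\x00\x00", 3) + char(body.size()) + body;
    return Bytes(rec.begin(), rec.end());
}
```

In OpenSSL the SNI host name is set per connection with SSL_set_tlsext_host_name, the API counterpart of the -servername option used above.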