
On Mon, 01 Oct 2018 11:58:37 +0100, Tony Finch via Outages said:
Chris via Outages <outages@outages.org> wrote:
me@jumpoff1 ~ $ openssl s_client -connect 104.24.114.156:443
CONNECTED(00000003)
140186033568600:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:802:
---
no peer certificate available
You might find it works better with SNI: use the -servername option.
I got bit by this trying to do imap-over-ssl to Gmail.

The tl;dr: If you forget the SNI, it would hand back a self-signed cert. And of course, it depended on what version of openssl you were on - I try it, get back a self-signed cert, ask a cow-orker, and he had an older openssl that fetched the expected cert and worked...

The gory details:
https://mta.openssl.org/pipermail/openssl-project/2018-April/000623.html