Can't connect to certain HTTPS sites
This is an old question, but for those getting here via Google, this will help. The issue is that fragmentation on SSL is bad and breaks the protocol. If you are using PPPoE, the normal MTU in your router/DSL/Cable modem is 1492. That is too high, and will cause fragmentation. 1476 is the magic number that will work with the most sites. Some sites use different SSL implementations, so 1480 may work, or even 1488. For the MOST compatibility, the MTU on the WAN side of your network device (router, modem, etc.) should be 1476.
Here are a couple of things to try:
Check your network card settings. Neither of your eth interfaces are showing IPv4 addresses. Make sure you have IPv4 turned on (you may need to re-establish your connection with your router to renew the IP). If that doesn't work, try turning off IPv6 support and see if that makes a difference. Do this by right clicking the networking icon by your clock (when on an Ethernet connection, it's a pair of arrows, one pointing up, the other down) and selecting "Edit Connections...". In the "IPv4 Settings" tab, make sure it's set to "Automatic (DHCP)". If you want to turn off IPv6, go to its tab and set it to "Ignore".
Check to see if you can connect to the sites using other methods. What does `ping` respond with for the sites you can't connect to? How about a `traceroute` (you may have to install traceroute to use it, FYI)? Their responses might help you troubleshoot the issue. If they can't get to the URL's servers, then it might be a DNS issue (however, if they can get to the URL's servers, but are then dropped, it might just mean those commands are blocked).
Bypass the router. If your router and your modem are two different machines, try hooking up your computer directly to your modem and seeing if that changes anything.
Restart your modem and router. Sometimes, they just suck.
Restart your computer. Sometimes, they just suck.
Try a different computer. If you have one, does another computer work where this one fails? If not, then it might be something with your specific computer.
Clear your computer's cache, cookies, etc. Sometimes, bad session cookies, cache, etc. can interfere with connecting to a site (I had this issue with Google a while back). Clear them out, start fresh, and see what you get.
Disconnect any VPN connections. Point-to-Point Protocol is often used for VPN (the PPP interface), and VPNs can interfere with connecting to sites. Make sure you aren't connected by right clicking your network icon by your clock, finding the "VPN Connections" entry and making sure no listings are checked (if you don't have a "VPN Connections" menu item, then you don't have one set up). If any are checked, then you're connected to it; disconnect from it.
Remember: Not everything you do will result in a simple "work or fail," any change in the reaction of the server to your request will tell us something. So, if you do any of the above and get a new message, don't forget to update your question.
I have seen this behaviour twice in practice for which I have found the following solutions.
- Some computer in the local network was successfully attempting a man-in-the-middle attack. It was ARP-spoofing the gateway, thus redirecting all traffic to go through this machine, modifying requests and other nasty stuff. The machine was running Windows and found to be infected with some nasty malware. As soon as this machine was disconnected from the network physically, symptoms vanished.
- An MTU problem on your or another gateway. In IPv4, gateways are responsible for fragmenting and re-assembling IP packets on the network if the frame size of the networks they're routing traffic for isn't the same. For DSL connections using PPPoE/PPPoA the MTU size is usually smaller than the 1500 bytes at the LAN side. Routers in between also fail at this, and you need to enable TCP MSS Clamping on your router. I always needed to set this on the connection of my previous ISP, but it was resolving more than just SSL-related issues. Check if your modem/router has such an option. Consider this to be a workaround.
- I was in a network probably running a transparent proxy to also pass SSL traffic, but failing at TLSv1 for some reason. The same request worked when using a VPN connection. Scary.
Try running `curl` with the option `--sslv3`. If that solves it, then it stinks.
General stuff to try:
- Check if you're running the latest firmware on your modem/router. If not, try upgrading.
- Capture the traffic using `tcpdump` or Wireshark and get it analysed (post it here for example).

```sh
# 1. start the dump
$ sudo tcpdump -w httpstrafficdump.pcap -i eth0 -s 0 port 443
# 2. open a new terminal window and do your HTTPS request there (curl/browser)
# 3. end tcpdump (Ctrl+C)
# 4. open the file in wireshark
$ wireshark httpstrafficdump.pcap
```

If you're getting reassembly errors or "Previous segment lost" repeatedly, this is a clear sign of packet loss caused by a wrong MTU size.
However, HTTPS traffic is encrypted and hard to analyse from network traffic by itself.
Edit:
From your tcpdump the root of your SSL problem is clear: "TCP Previous segment lost". General networking troubleshooting should apply here, but it may be outside the scope of your local network and a problem with your ISP.
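The MTU numbers in the first answer (1492 for PPPoE, 1476 "for the most sites") and the MSS clamping workaround in the last one can be checked rather than guessed. This is an added example, not code from any of the answers: it probes a host with DF-bit ICMP echoes of decreasing size to find the largest MTU that passes unfragmented, then derives the MSS a router's clamping option should use. It assumes a Linux iputils `ping` (`-M do` sets DF, `-s` sets the payload size); the host name and candidate list are constructed for illustration.

```sh
#!/bin/sh
# Added example: find the largest MTU that reaches a host without
# fragmentation, then derive the TCP MSS to clamp to.

# Candidate MTUs, largest first: Ethernet (1500), PPPoE (1500 - 8 = 1492),
# and the smaller values the answers report working for some SSL sites.
CANDIDATES="1500 1492 1488 1480 1476 1400"

# Probe one MTU. IPv4 header (20) + ICMP header (8) = 28 bytes of overhead,
# so a payload of MTU-28 produces a packet of exactly MTU bytes on the wire.
# PROBE may be overridden with a function of the same shape (host, payload).
probe_mtu() {
    host=$1; mtu=$2
    ${PROBE:-ping_df} "$host" $((mtu - 28))
}

# Real probe (assumes iputils ping): one echo request, DF set, 2 s timeout.
# Succeeds only if a reply came back, i.e. nothing on the path had to
# fragment the packet (an oversized one is dropped or answered with ICMP
# "fragmentation needed", and ping exits non-zero either way).
ping_df() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Walk the candidates and print the first (largest) MTU that gets through.
find_mtu() {
    host=$1
    for mtu in $CANDIDATES; do
        if probe_mtu "$host" "$mtu"; then
            echo "$mtu"
            return 0
        fi
    done
    return 1
}

# TCP MSS = MTU - IPv4 header (20) - TCP header (20): the value to clamp to
# when the router offers MSS clamping but no WAN-side MTU setting.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Stand-alone usage (needs network): sh mtu-probe.sh example.com
if [ -n "$1" ]; then
    if mtu=$(find_mtu "$1"); then
        echo "largest unfragmented MTU to $1: $mtu (clamp MSS to $(mss_for_mtu "$mtu"))"
    else
        echo "no candidate MTU got through to $1" >&2
        exit 1
    fi
fi
```

If the result is 1476 while the router is set to 1492, the WAN MTU (or the clamped MSS, 1436) is what to change; if even 1400 fails, the loss is not an MTU problem.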