SOLVED: Cannot connect to https site
by wongo (Initiate) on Feb 07, 2013 at 02:25 UTC
wongo has asked for the wisdom of the Perl Monks concerning the following question:
Good evening, most excellent experts,
I have a script that uses WWW::Mechanize to fetch data from a secure web server. Upon moving that script to a new computer, the script appears to hang for 60 seconds, then fails with the following error:
Error GETing https://sourceselfservice2.ceridian.com/elbitsystemsofamerica: Can't connect to sourceselfservice2.ceridian.com:443 at bin/perl/gpa_fail line 14
If I substitute a different https site (e.g. google mail), the program connects within a couple seconds with no problem.
Here's a simplified version of the program:
In the failure case, Wireshark seems to show an initial handshake of three TCP packets (SYN out; SYN, ACK in; ACK out), then an SSL Client Hello. The last packet before the 60s "hang" is a TCP ACK from the remote server.
Connecting to an https site that works, Wireshark shows the same first five packets, leading up to the SSL Client Hello and TCP ACK. The next packet is a TLSv1.1 Server Hello from the remote machine.
I believe I've verified that I have all the same packages on both systems, but of course, they are typically newer versions on the newer system.
I'd appreciate any help in tracking down the discrepancy.
SOLVED (20 Apr 2013):
I used perl -d:Trace failing_program to identify all modules used by the program, and then used cpan to update all those modules to the latest. This did not resolve the problem.
I then found this link giving a solution to the same problem with a different site. It seems to boil down to failure of the site to accept the TLS negotiation when certain cipher alternatives are offered by the client. Restricting the available ciphers in IO::Socket::SSL results in a successful handshake with the site.
I added the following two lines at the beginning of my program:
And there was much rejoicing.
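A diagnostic for the symptom described in this post, as an added example that is not the poster's code: it attempts one handshake per cipher offer with a short timeout and reports which offers the server completes. The probe() helper, the cipher strings and the command-line host argument are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added example: probe which cipher offers a TLS server completes a handshake with.
use strict;
use warnings;
use IO::Socket::SSL;    # exports $SSL_ERROR and SSL_VERIFY_PEER by default

my ($host, $port) = @ARGV;
die "usage: $0 host [port]\n" unless defined $host;
$port ||= 443;

# Constructed cipher profiles (assumptions, not taken from the post).
# SSL_cipher_list uses OpenSSL cipher-string syntax and governs TLS 1.2 and below.
my @profiles = (
    [ 'library defaults'      => {} ],
    [ 'HIGH, no anon, no MD5' => { SSL_cipher_list => 'HIGH:!aNULL:!MD5' } ],
    [ 'ECDHE with AES-GCM'    => { SSL_cipher_list => 'ECDHE+AESGCM' } ],
);

# Hypothetical helper: returns (1, "version cipher") or (0, error text).
sub probe {
    my ($host, $port, $opts) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        Timeout         => 10,                # fail fast instead of hanging for 60 s
        SSL_verify_mode => SSL_VERIFY_PEER,   # keep certificate checks on while testing
        %$opts,
    );
    # Capture the error right away; later calls can overwrite it.
    return (0, $SSL_ERROR || $! || 'unknown error') unless $sock;
    my $detail = join ' ', $sock->get_sslversion, $sock->get_cipher;
    $sock->close;
    return (1, $detail);
}

for my $p (@profiles) {
    my ($name, $opts) = @$p;
    my ($ok, $detail) = probe($host, $port, $opts);
    printf "%-24s %-4s %s\n", $name, $ok ? 'OK' : 'FAIL', $detail;
}
```

A cipher string that succeeds here can be handed to WWW::Mechanize through the ssl_opts constructor argument it inherits from LWP::UserAgent, which passes SSL_* options on to IO::Socket::SSL.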