
openssl s_client returns errno=54 to github.com

Writer Emily Wong

I'm trying to execute these commands:

openssl s_client -connect github.com:443
openssl s_client -connect github.com:443 -servername github.com

But I got in both:

CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 316 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

I'm working behind a proxy on macOS Big Sur. The interesting thing is that using curl works normally: curl returns the GitHub HTML page.

Another important thing is that if I open github.com in Chrome, I get my company's proxy certificate as the CA for GitHub's public certificate. Inside my macOS I already installed all CA certificates in the Keychain app, but it didn't work.

3

1 Answer

errno=54 means that the connection was reset by the peer (ECONNRESET) or some device claiming to be the peer. Given that your infrastructure uses a proxy it is likely that the proxy is the cause of the problem.

> Inside my macOS I already installed all CA certificates in the Keychain app, but it didn't work.

This does not help, since it is not the local code that has problems checking the server certificate. It does not even get the server certificate for verification, which can be seen from the following output:

SSL handshake has read 0 bytes and written 316 bytes

This means that the TCP connection was successful and the ClientHello was written (316 bytes), but nothing was received (0 bytes), which implies that no server certificate was received either. This kind of behavior is common with DPI-based firewalls.

> The interesting thing is that using curl works normally ...

curl and the browser might use an explicit proxy, in which case they will do a CONNECT request to build a tunnel through the proxy and not directly connect to the website. Check the https_proxy, http_proxy, HTTPS_PROXY or HTTP_PROXY variables. openssl s_client instead does not use a proxy.

2
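Added example (not part of the original question or answer): a small shell helper that looks for the proxy variables named in the answer and prints the `openssl s_client` command to run through that proxy using the `-proxy host:port` option (OpenSSL 1.1.0 and later), which issues the same CONNECT request curl does. It assumes a plain HTTP proxy that allows CONNECT to port 443; the function names and the 1080 fallback port (curl's default when the URL gives none) are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Reduce a proxy URL to host:port, dropping scheme, path and any credentials.
proxy_hostport() {
    hp=${1#*://}          # drop "http://"
    hp=${hp%%/*}          # drop path
    hp=${hp##*@}          # drop "user:password@" so it is never echoed
    case $hp in
        *"]") printf '%s:1080\n' "$hp" ;;   # bracketed IPv6, no port given
        *:*)  printf '%s\n' "$hp" ;;        # port already present
        *)    printf '%s:1080\n' "$hp" ;;   # assumed fallback: curl's default
    esac
}

# Print the first proxy variable that is set, in the order the answer names them.
find_proxy() {
    for v in https_proxy http_proxy HTTPS_PROXY HTTP_PROXY; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then printf '%s\n' "$val"; return 0; fi
    done
    return 1
}

# Print the s_client command to run: tunnelled with CONNECT when a proxy is
# configured, direct otherwise.
s_client_cmd() {
    if p=$(find_proxy); then
        printf 'openssl s_client -proxy %s -connect %s:443 -servername %s\n' \
            "$(proxy_hostport "$p")" "$1" "$1"
    else
        printf 'openssl s_client -connect %s:443 -servername %s\n' "$1" "$1"
    fi
}

# True when s_client output shows the pattern from the question: connection
# reset (errno 54 on macOS) before a single handshake byte was read.
reset_before_serverhello() {
    printf '%s\n' "$1" | grep -q 'errno=54' &&
        printf '%s\n' "$1" | grep -q 'handshake has read 0 bytes'
}

s_client_cmd github.com
```

If the tunnelled command completes the handshake and shows the company CA as issuer, the direct connection was being reset on the path and the proxy is the only permitted route.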
