Good evening, most excellent experts,

I have a script that uses WWW::Mechanize to fetch data from a secure web server. Upon moving that script to a new computer, the script appears to hang for 60 seconds, then fails with the following error:

Error GETing https://sourceselfservice2.ceridian.com/elbitsystemsofamerica: Can't connect to sourceselfservice2.ceridian.com:443 at bin/perl/gpa_fail line 14

If I substitute a different https site (e.g. google mail), the program connects within a couple seconds with no problem.

Here's a simplified version of the program:

    #!/usr/bin/perl -w
    use strict;
    use WWW::Mechanize;
    use LWP::UserAgent;
    use HTTP::Cookies;

    my $fail_url = "https://sourceselfservice2.ceridian.com/elbitsystemsofamerica";
    my $work_url = "https://accounts.google.com/ServiceLogin?service=mail";

    my $mech = WWW::Mechanize->new();
    #$mech->agent_alias('Windows Mozilla');
    $mech->get( $fail_url );

In the failure case, Wireshark seems to show an initial handshake of three TCP packets (SYN out; SYN, ACK in; ACK out), then an SSL Client Hello. The last packet before the 60s "hang" is a TCP ACK from the remote server.

Connecting to an https site that works, Wireshark shows the same first five packets, leading up to the SSL Client Hello and TCP ACK. The next packet is a TLSv1.1 Server Hello from the remote machine.

I believe I've verified that I have all the same packages on both systems, but of course, they are typically newer versions on the newer system.

I'd appreciate any help in tracking down the discrepancy.

SOLVED (20 Apr 2013):

I used perl -d:Trace failing_program to identify all modules used by the program, and then used cpan to update all those modules to the latest. This did not resolve the problem.

I then found this link giving a solution to the same problem with a different site. It seems to boil down to failure of the site to accept the TLS negotiation when certain cipher alternatives are offered by the client. Restricting the available ciphers in IO::Socket::SSL results in a successful handshake with the site.

I added the following two lines at the beginning of my program:

    use IO::Socket::SSL;
    IO::Socket::SSL::set_defaults(SSL_cipher_list => 'ALL:!3DES:!DES:!ADH:!SRP:!AESGCM:!SHA256:!SHA384');

And there was much rejoicing.


In reply to SOLVED:Cannot connect to https site by wongo
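
An added example, not part of the original post: the cipher string in the fix starts from `ALL` and excludes only `ADH` among the anonymous suites, so it is worth checking what the local OpenSSL build actually expands it to before using it as a process-wide default. The `narrowed` string and the weak-name pattern below are assumptions of this example and were not tested against the site in the post.

```perl
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();

# 'post' is the string from the post; 'narrowed' is an assumption of this
# example (same exclusions, but starting from HIGH and dropping every
# unauthenticated or unencrypted suite). It was not tested against the site.
my @lists = (
    [ post     => 'ALL:!3DES:!DES:!ADH:!SRP:!AESGCM:!SHA256:!SHA384' ],
    [ narrowed => 'HIGH:!aNULL:!eNULL:!3DES:!DES:!SRP:!AESGCM:!SHA256:!SHA384' ],
);

# Name patterns treated as weak here: RC4/RC2, export-grade, null
# encryption, anonymous key exchange (ADH/AECDH), MD5 MACs, IDEA, SEED.
my $weak_re = qr/RC4|RC2|^EXP|NULL|^ADH-|^AECDH-|MD5|IDEA|SEED/;

# Return the suites the local OpenSSL build selects for a cipher string.
sub expand_cipher_list {
    my ($list) = @_;
    my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed\n";
    Net::SSLeay::CTX_set_cipher_list($ctx, $list)
        or die "no cipher matches '$list'\n";
    my $ssl = Net::SSLeay::new($ctx) or die "SSL_new failed\n";
    my ($i, @names) = (0);
    while (defined(my $name = Net::SSLeay::get_cipher_list($ssl, $i++))) {
        push @names, $name;
    }
    Net::SSLeay::free($ssl);
    Net::SSLeay::CTX_free($ctx);
    return @names;
}

for my $entry (@lists) {
    my ($label, $list) = @$entry;
    my @all   = expand_cipher_list($list);
    # TLS 1.3 suites (TLS_*) are configured separately from the cipher
    # string on OpenSSL 1.1.1+, so report them apart from the rest.
    my @tls13 = grep {  /^TLS_/ } @all;
    my @older = grep { !/^TLS_/ } @all;
    my @weak  = grep { $_ =~ $weak_re } @older;
    printf "%-8s %s\n", $label, $list;
    printf "  %d suites offered up to TLS 1.2, %d TLS 1.3 suites\n",
        scalar @older, scalar @tls13;
    printf "  weak by name (%d): %s\n", scalar @weak, join(' ', @weak) || 'none';
}
```

The output depends on the installed OpenSSL version and its security level. To limit a cipher list to one user agent rather than the whole process, `WWW::Mechanize->new(ssl_opts => { SSL_cipher_list => $list })` passes the option through LWP::UserAgent to IO::Socket::SSL.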
