Almeida
More exactly, the TCP stacks must be able to connect.
That requires slightly more than IP reachability --
not much more, but enough to be a problem in rare cases.
But "CONNECTED(fd)" from s_client means they *did* TCP
connect, so that's not the problem here.
A problem here would cause a handshake error not a hang.
A problem here would cause a handshake error not a hang.
Yes, or possibly other middlebox, see below.
Maybe both sides, see below.
According to the log posted, his host is www.mydomain.com and
the cert is for *.mydomain.com . That is a valid wildcard match,
and should be acceptable to any conforming client. But openssl
library and s_client doesn't do hostname matching at all.
(*Apps* using openssl normally should, and at least some do.)

I don't know if "mydomain" is supposedly real or munged for posting.
mydomain.com is a real company and test.mydomain.com doesn't
resolve publicly and the cert chain used for {www.,}mydomain.com
publicly is wholly different from the OP's log.

OP's s_client fails to verify the received chain because it
(apparently) doesn't have the ValiCert root in its truststore.
Official openssl does not distribute any default trusted roots,
although custom packages of it may, as may apps using it.
OP probably didn't install a default truststore (or possibly
is using a build that has the default truststore wrong).

But failure to verify should cause a real app to reject the
connection, and s_client as a test tool overrides the verify
error and continues. Neither of these is a hang.

In the other direction, s_client doesn't do client authentication
and send a client cert unless explicitly specified, which the OP
didn't. If the server wants client-auth and client doesn't provide
it or provides a cert (chain) which server doesn't trust, that will
give a handshake error, not a hang.
Use s_client with at least -state and preferably -debug or -msg
(you don't need both) to see how far it's getting in the handshake.

If you receive some handshake messages but not all, it practically
must be the server; talk to the server operator(s). It would be
unusual, but not impossible, for the server to mishandle connections
from one IP while it works for another. If you receive no message
at all, it might be server (try them) or it might be network
weirdness as (Mr?) de Almeida suggests; try a sniffer on your client
machine or near it (same LAN), and if that looks okay also try one
on or near the server (you may need server operator(s) to do that).

For Windows or Mac, I recommend www.wireshark.org . Very capable,
easy to install and use, well maintained. I don't know an equally
good solution for Linux, but there may be one, or at minimum you can
capture with tcpdump and if it's anything more complicated than
no-response you can copy the capture and decode with wireshark.

One possibility -- some servers want to lookup in DNS the address
of the client who connects to them (called reverse DNS or rDNS).
If this is done synchronously before the SSL handshake, and rDNS
is set-up correctly for client#2 but not client#1, then this could
cause the handshake for client#1 to stall. But even in worst case,
(r)DNS should timeout within a minute or so, and then the server
should either continue or reject the connection (disconnect).
<snip: normal for unverified cert chain>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

It is not a firewall issue, I checked this from outside firewall. The
strange part of the problem is
it does not happen always, it works intermittently.

[***@gateway bin]# openssl s_client -bugs -connect
test.mydomain.com:443 -msg -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
01 03 01 00 4e 00 00 00 10 00 00 39 00 00 38 00
00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
33 00 00 32 00 00 2f 03 00 80 00 00 05 00 00 04
01 00 80 00 00 15 00 00 12 00 00 09 06 00 40 00
00 14 00 00 11 00 00 08 00 00 06 04 00 80 00 00
03 02 00 80 00 00 ff c6 89 a6 e3 3e 51 4c 4b d9
e2 c4 29 01 63 54 06
SSL_connect:SSLv2/v3 write client hello A


It simply hangs after this.

* Here "test.mydomain.com" is not real it is used for posting.

On Tue, Sep 11, 2012 at 7:02 PM, Aleksandr Konstantinov