We Keep Coding

SSL handshake failure: When connecting to TIBCO ActiveMatrix BusinessWorks 5.7.2

TIBCO version - TIBCO ActiveMatrix BusinessWorks 5.7.2
Problem:
I am the consumer of the TIBCO server, getting SSL handshake failure. I have tried the following openssl commands to see if it can accept connections. Below are my results:
openssl s_client -showcerts -connect tibco-server:port -verify 3 -tls1 -state
verify depth is 3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:unexpected_message
SSL_connect:failed in error
139827261306768:error:140943F2:SSL routines:ssl3_read_bytes:sslv3 alert unexpected message:s3_pkt.c:1493:SSL alert number 10
139827261306768:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1581402078
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
However the same is working when I hit with ssl3 option
openssl s_client -showcerts -connect tibco-server:port -verify 3 -ssl3 -state
verify depth is 3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = AU, ST = <state>, L = <location>, O = <org>, OU = <unit>, CN = <cn>
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = <state>, L = <location>, O = <org>, OU = <unit>, CN = <cn>
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----
---
Server certificate
subject=...
issuer=...
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1779 bytes and written 362 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES128-SHA
Session-ID: 8BCEAEADC85613876FFF0E2EAB590A92
Session-ID-ctx:
Master-Key: <master-key-here>
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1581402661
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
I have masked some of the output data.
Any help on why, openssl can connect TIBCO via ssl3 but not tls1.0 ?

This issue got resolved after the security configuration changes in TIBCO server. Now the clients can successfully negotiate TLS1.0 connections with TIBCO server.
FIX
Changed security to be j2se instead of entrust
java.property.TIBCO_SECURITY_VENDOR=j2se
References
https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-38616
https://community.tibco.com/questions/tls-compatibility-tibco-bw

Private mail server giving certificate error even though valid certificate present

I have created a private mail server using iRedMail & Nginx. I have installed SSL certificates and keys into Nginx and iRedMail itself at the below locations. The server runs great and everything works via web mail. The browser agrees that the SSL certificate is valid and HTTPS works.
The issue is when I add the mail account to my email client, I get an invalid certificate error, and the same issue when using CalDav. It still works, but this makes me think that I'm missing some certificate install somewhere. Any suggestions? Thank you!
/etc/ssl/certs/iRedMail.crt
/etc/ssl/private/iRedMail.key
Here is the output of openssl s_client -showcerts -connect mail.bragsdale.dev:993
CONNECTED(00000003)
depth=0 CN = bragsdale.dev
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = bragsdale.dev
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=bragsdale.dev
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
...CERTIFICATE HERE...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=bragsdale.dev
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2064 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 3DD2E8B607CF5B4ACECDB995078FDAE80C210097372B80CD1409E90A0A523E0A
Session-ID-ctx:
Master-Key: F1953ABEAC1024279DA6D0E17D26E3305E7C2A9589976FDFD2DBF22E4B6280415BC271E5228045B7D0C5E8A0B3921B11
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
....DATA HERE...
Start Time: 1551664367
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready

Fixed it. The problem was I wasn't using my intermediary certificate. See this answer for details.
A note, when I cat'ed the certificates together it was malformed, with the END CERTIFICATE/BEGIN CERTIFICATE being on one line. Easily fixed with a text editor.

All computers inside network fail SSL handshake with certain site

I was previously able to access the site roughly a week or two ago. Lately, no matter what browser, computer, or device I use to access dmv.ca.gov from inside my network the SSL handshake fails and the site gives an empty response. I can access other sites, including ca.gov, but just not dmv.ca.gov. The handshake fails, I think, because I get no response from the server.
When I run openssl from my ubuntu box I get the following output:
captain#HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv2/v3 read server hello A
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1531959808
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
However, what I would expect is the following (same command on an AWS instance I have:
ubuntu#ip-10-0-144-141:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:unknown state
SSL_connect:error in unknown state
SSL_connect:error in unknown state
read R BLOCK
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, postalCode = 95814, ST = CA, L = Sacramento, street = "1325 J Street, Suite 1600", O = State of California, OU = Department of Motor Vehicles, OU = Hosted by State of California, OU = Multi-Domain SSL, CN = www.dmv.ca.gov
verify return:1
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:error in unknown state
read R BLOCK
SSL_connect:error in unknown state
read R BLOCK
SSL_connect:unknown state
read R BLOCK
---
Certificate chain
0 s:/C=US/postalCode=95814/ST=CA/L=Sacramento/street=1325 J Street, Suite 1600/O=State of California/OU=Department of Motor Vehicles/OU=Hosted by State of California/OU=Multi-Domain SSL/CN=www.dmv.ca.gov
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIINzCCBx+gAwIBAgIRAJ2VHzZ23HIPwp3suYpAPogwDQYJKoZIhvcNAQELBQAw
gZYxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTwwOgYD
VQQDEzNDT01PRE8gUlNBIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIFNlY3VyZSBT
ZXJ2ZXIgQ0EwHhcNMTgwNDI3MDAwMDAwWhcNMjAwNDI2MjM1OTU5WjCCAQQxCzAJ
BgNVBAYTAlVTMQ4wDAYDVQQREwU5NTgxNDELMAkGA1UECBMCQ0ExEzARBgNVBAcT
ClNhY3JhbWVudG8xIjAgBgNVBAkTGTEzMjUgSiBTdHJlZXQsIFN1aXRlIDE2MDAx
HDAaBgNVBAoTE1N0YXRlIG9mIENhbGlmb3JuaWExJTAjBgNVBAsTHERlcGFydG1l
bnQgb2YgTW90b3IgVmVoaWNsZXMxJjAkBgNVBAsTHUhvc3RlZCBieSBTdGF0ZSBv
ZiBDYWxpZm9ybmlhMRkwFwYDVQQLExBNdWx0aS1Eb21haW4gU1NMMRcwFQYDVQQD
Ew53d3cuZG12LmNhLmdvdjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANICIjcwXvW6kwMzboV0jD0eTSfH6ZXTZWRW6cDCHKV+cn2Ut4AVjLduJ++3GH3T
XzGlBFKTjccs+CB3lZJCk/8CbCr0zWuxVvIn+EQlTU5bjxK8hpZxGMk4Xqck8UOQ
k3slP/DeQ6e59bxBiNXXfDSlMIti75oVN6Q9IKMNRSY78xOtIyath8EGS0QxeHmU
AlLvtreKPsi/s1zwc9sCi6o+KLthiQOBV0tBcaMwH3O0zWU6izo4urOZnGdtcEto
3WClQIODfDey2oMtJIZg7zi9U2PjInJHX/NHLbDTT/50C6gEuTsVDUecc51tlkuX
5/PPh7qBQeffLqeACCbi0AUCAwEAAaOCBA0wggQJMB8GA1UdIwQYMBaAFJrzK9rP
rU+2L7sqSEgqErcbQsEkMB0GA1UdDgQWBBQCpbBSuY1+fz9cPVBsP2qXDy7OgzAO
BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwUAYDVR0gBEkwRzA7BgwrBgEEAbIxAQIBAwQwKzApBggrBgEF
BQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYGZ4EMAQICMFoG
A1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JT
QU9yZ2FuaXphdGlvblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYsGCCsG
AQUFBwEBBH8wfTBVBggrBgEFBQcwAoZJaHR0cDovL2NydC5jb21vZG9jYS5jb20v
Q09NT0RPUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
dDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMIHJBgNVHREE
gcEwgb6CDnd3dy5kbXYuY2EuZ292ggpkbXYuY2EuZ292gg5lZGwuZG12LmNhLmdv
doIRZWRsYXBwLmRtdi5jYS5nb3aCEXJlYWxpZC5kbXYuY2EuZ292ghFzdXJ2ZXku
ZG12LmNhLmdvdoISd3d3LmVkbC5kbXYuY2EuZ292ghV3d3cuZWRsYXBwLmRtdi5j
YS5nb3aCFXd3dy5yZWFsaWQuZG12LmNhLmdvdoIVd3d3LnN1cnZleS5kbXYuY2Eu
Z292MIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoAdwDuS723dc5guuFCaR+r4Z5m
ow9+X7By2IMAxHuJeqj9ywAAAWMJf5JMAAAEAwBIMEYCIQClJmCF9j3SuP7g9By5
MtBXlmWmJkyVbdWi6kke6bhWcwIhAJwe9WqgMawyVYZ832Kf9av6pqqdTG/gSlM+
c3XXkeWaAHcAXqdz+d9WwOe1Nkh90EngMnqRmgyEoRIShBh1loFxRVgAAAFjCX+U
YgAABAMASDBGAiEA1icqpmdKyGl4Wj1iYjxzt52uDsVlKR7m8VqEnd5ke4wCIQCp
9zFllGV53sreB5FvPv8R51l91/JSlup21Sf3me+ugQB2AFWB1MIWkDYBSuoLm1c8
U/DA5Dh4cCUIFy+jqh0HE9MMAAABYwl/kmwAAAQDAEcwRQIgfYoeUJVqJm6+hVwT
IJIxsIuOrBHOT9qCALxHknWXRqoCIQCZStG+T0f+FTPhbhmpmSTRv5cccuuxHEIh
iVo/R+hHMzANBgkqhkiG9w0BAQsFAAOCAQEAYzW4ZehiSJGiEAd+yg3pvYlzD3E7
WYbU8zzBXzo6CoPlpV5Ev4XHUXqawZ5tQO9H03yFHhoSjymLsnIa5URhday0z81s
yIasFymBYGwyccRgzX4Qd6V3tiArY7zDY9Hf00/yp9SSJe6a4KX/aCibsGnX/DIq
91RJNdGfOjd/94jMz9X/umrlvLWJ9ZqVMZYycLO9hkgGdYJQjYDf0wFd+jQ+c+b5
BjVOuO0HHWMfkE+CprcwNSJFzcKHuRUX0gn7EmiYebOLf2P5sRpMN51NQBD0RCSg
ZPOqG1ImhxRaWREfMm4uXJIYZeFU+Xt1NS+gCw752lm4tibJnn3wG1lVYg==
-----END CERTIFICATE-----
subject=/C=US/postalCode=95814/ST=CA/L=Sacramento/street=1325 J Street, Suite 1600/O=State of California/OU=Department of Motor Vehicles/OU=Hosted by State of California/OU=Multi-Domain SSL/CN=www.dmv.ca.gov
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5576 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 789084EE893DD466F4A9A06493691CAF46BCFC14728AF6FBB2A5D6AFEFAEE9CE
Session-ID-ctx:
Master-Key: F88F1EF27749B19B08AC56049072A8C69534D0157E0642CB73952DA1A1F66371C3C32C05AEA248A9272D16D6766483CB
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1531959941
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=104
DIG gives me the same dns records, so I know I'm connecting to the correct server.
At this point I'm running out of ideas. So, I ask of you all, what can I look at or test next?
I've got an actiontec router provided by Verizon, if there are any settings located on that device I need to check.
EDIT: With tls and curl and wget:
captain#HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov -tls1_2
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:error in unknown state
write R BLOCK
SSL_connect:error in unknown state
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1532398652
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
captain#HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov -tls1
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:error in unknown state
write R BLOCK
SSL_connect:error in unknown state
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1532398670
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
captain#HARM01NGINX01:~$ curl dmv.ca.gov
curl: (56) Recv failure: Connection reset by peer
captain#HARM01NGINX01:~$ wget dmv.ca.gov
--2018-07-23 19:18:52-- http://dmv.ca.gov/
Resolving dmv.ca.gov (dmv.ca.gov)... 107.162.129.29
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:18:57-- (try: 2) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:19:03-- (try: 3) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:19:10-- (try: 4) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... ^C
captain#HARM01NGINX01:~$ wget https://dmv.ca.gov
--2018-07-23 19:19:21-- https://dmv.ca.gov/
Resolving dmv.ca.gov (dmv.ca.gov)... 107.162.129.29
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:443... connected.
Unable to establish SSL connection.

How to use id_prefix with OpenSSL s_server

I'm not sure what argument do I have to pass to switch -id_prefix for openssl s_server.
What I am trying to do is to run openssl s_server on one side, and openssl s_client on the other, and verify that Session-ID and Master-Key matches on both sides.
The problem is, that I only get to see the Session-ID and Master-Key on the client side. I'm not sure how to obtain them on the server side as well, so I can compare them.
id_prefix seems to be one option, but I don't see the prefix in the Session-ID on the client side.
Any ideas?

I can see how you can check the Master-Key using openssl s_server and openssl s_client, but not the Session-ID; I'm not sure why.
Here's what I did. First, I started a server running locally:
$ openssl s_server -accept 4433 -cert ./server.pem -tls1_2
Then, in a different terminal/window, I connected to that server:
$ openssl s_client -connect 127.0.0.1:4433 -debug
In the server terminal, I saw the SSL session started:
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALAMAQABDDAOWXb47pESLXfWW1DYfaccOPGQcfgeaHW4sFP/avj
ejwVgvWNXGXy1vn6U3uLOeWhBgIEVqrm26IEAgIcIKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
...
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
The key thing thing to notice here is that base64-encoded data for the SSL session parameters. I copy and pasted that data into a separate file, e.g. sess.pem.
Then, I used openssl sess_id to decode that sess.pem file:
$ openssl sess_id -noout -text < ./sess.pem
SSL-Session:
Protocol : TLSv1.2
Cipher : C030
Session-ID:
Session-ID-ctx: 01000000
Master-Key: 9C921511052D3F212FF718704518FC526474D69FC26BC1165DBD203C6E221BB3A84686BC5D15A7BD9FA7BB72201A7276
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1454040610
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Compare that Master-Key value with the one that the openssl s_client terminal shows (note that it's important to use the -debug command-line option for openssl s_client to see this):
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 417D443BFD5702BEA974C5758FD65A0FC217B0FD9750C4CECF0915895C4E616D
Session-ID-ctx:
Master-Key: 9C921511052D3F212FF718704518FC526474D69FC26BC1165DBD203C6E221BB3A84686BC5D15A7BD9FA7BB72201A7276
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
....
So I'm not sure why the server output doesn't show the session ID generated, but you can at least use the above to compare the Master-Key values. I experimented with using both the -context and -id_prefix command-line options for openssl s_server, e.g.:
$ openssl s_server -accept 4433 -context FOO -id_prefix BAR ...
but it did not substantially change the data, nor did it cause the Session-ID to be displayed by openssl s_server.
Hope this helps!

Problems getting a site's https certificates

I have an Android app that has some trouble with a site's certificate when connecting via https. As I'm experiencing trouble even when using a custom keystore with the certificates ("No peer certificate") I'm trying to get more information about the connection, handshake and certificates actually given by the server.
The version of openssl is follows:
$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
When I just try to get info about the certificates I get this response:
$ openssl s_client -showcerts -connect [hostname]:443 </dev/null
CONNECTED(00000003)
3069977808:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
This is how Chrome describes the connection (sorry for the Norwegian text, but you get an idea of the connection and encryption type:
Based on the info from Chrome I've tried different commands to get the certificates, but they all seem to fail. My top candidate was this one:
$ openssl s_client -showcerts -connect [hostname]:443 -tls1_2 -cipher RC4-MD5
CONNECTED(00000003)
3069396176:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
3069396176:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1414399499
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Anyone got any hints based on the info given?

This might be an SNI issue, where the server has no default certificate defined for non-SNI clients. Android included a version of Apaches httpclient which is known to not support SNI and your openssl s_client command also does not use SNI.
Please try openssl s_client -servername hostname -connect ... to use SNI and see if this helps.