question

AmitVengsarkar-1175 asked AmitVengsarkar-1175 commented

Getting curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL while accessing application url

Hello,

I am using an Azure Linux VM with my application configured on it. When I try to access the application URL with the desired port from another VM in the same Vnet it works without any error.

Small correction: I am trying to access a VM which is sitting behind an internal load balancer. The reason for using the internal LB is that we need to create a private link service.

However, the moment I use the VM from another Vnet I get SSL_ERROR_SYSCALL

    azureuser@Bastion-VM:~$ curl https://abcd.com:9080
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to abcd:9080

Please can you suggest what might be wrong or how to debug this issue?

azure-virtual-network

Hello @AmitVengsarkar-1175 ,

Apologies for the delay in response. Thank you for reaching out & hope you are doing well.

I have a few questions to get a better understanding of your setup:

  1. The application configured in your Azure Linux VM - Is it a publicly accessible application?

  2. Are you able to ping the Linux VM IP from the other Vnet?

  3. If the VM is listening on that configured port, could you try a psping (Windows) or nmap (Linux) on the VM's IP with the configured port from the other Vnet and check the result?

Thanks,
Gita


1 Answer

msrini-MSFT answered AmitVengsarkar-1175 commented

Hi Amit,

This issue could be due to one of the following:

  1. Try an nslookup on abcd.com and see what IP it resolves to. It could be IPv6 or IPv4. If it is an IPv6 address, it might not work according to this post (https://stackoverflow.com/questions/48987512/ssl-connect-ssl-error-syscall-in-connection-to-github-com443)

  2. Is the traffic to the destination routed via any firewall or proxy? This error means that the TCP handshake is working fine and an error occurred at the TLS level.







How many VMs are behind the LB?
I would suggest taking a packet capture to see if the packets are reaching the VMs and where it is failing.


So far we have got only one VM. Since there is an explicit requirement for Private Link from customers, we have to put the VM behind the LB.
Packets are reaching the VM, but the observation is that though I hit it with HTTPS, the details I receive are as for HTTP.
Now, the LB is Layer 4 and doesn't do SSL offload as per the documents, but then I am not sure why that behaviour still occurs.


If you bypass the LB and directly access the VM behind the LB, are you seeing the same behavior?

If you are taking a packet capture, then filter for tcp.port==443 and see what you observe.

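The checks suggested in this thread (what the name resolves to, whether TCP connects, whether the TLS handshake completes, and whether the port answers in plain HTTP as the asker observed) can be run as separate stages. This is an added Python example, not part of the original posts; the function names and result labels are assumptions made for illustration.

```python
import socket
import ssl

def resolve(host, port):
    """List the addresses a name resolves to, tagged IPv4 or IPv6."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    pairs = [("IPv6" if fam == socket.AF_INET6 else "IPv4", sa[0])
             for fam, _, _, _, sa in infos]
    return list(dict.fromkeys(pairs))  # de-duplicate, keep resolver order

def probe(ip, port, server_name, timeout=5.0):
    """Return (stage, detail) naming the first stage that fails for ip:port."""
    # Stage 1: TCP three-way handshake.
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", repr(exc))
    # Stage 2: TLS handshake, certificate verification left enabled.
    try:
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return ("tls_ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ("tls_cert_rejected", exc.verify_message)  # TLS itself works
    except OSError as exc:  # reset, EOF, timeout, or non-TLS bytes from the peer
        tls_error = repr(exc)
    # Stage 3: the handshake died; check whether the port answers plain HTTP.
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % server_name.encode())
            if raw.recv(16).startswith(b"HTTP/"):
                return ("plaintext_http", tls_error)
    except OSError:
        pass
    return ("tls_handshake_failed", tls_error)

if __name__ == "__main__":
    import sys
    # Usage: script.py HOST PORT (defaults to localhost 9080 when omitted).
    host, port = sys.argv[1:3] if len(sys.argv) > 2 else ("localhost", "9080")
    for family, ip in resolve(host, int(port)):
        print(family, ip, *probe(ip, int(port), host))
```

A `plaintext_http` result matches the observation that an HTTPS request gets HTTP-style details back; `tls_handshake_failed` with a reset or EOF in the detail is the kind of failure curl reports as SSL_ERROR_SYSCALL.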