I'm getting the following error when trying to connect to github.com, google.com, dropbox.com via https, but stackoverflow.com, askubuntu.com and the majority of https websites work.
Relevant details:
- I'm behind a work proxy, but I can connect fine when using Fedora 28, it's just on Ubuntu 16.04 that I have the problem. No one else in the office has the problem, but they are mostly using Macs.
- This is on my own desktop, not on a server/VM/Docker etc.
- I can connect to these websites via my mobile hotspot or on other WiFi networks
- Edit: I tested on a separate Thinkpad laptop with Ubuntu 16.04 and there is no problem on there. So it's something specific to this machine (a Dell XPS 13 9370).
Error message:
$ openssl s_client -connect github.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 311 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1537527929
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
I've upgraded OpenSSL to the most recent version but that makes no difference:
$ openssl version
OpenSSL 1.0.2p 14 Aug 2018
I get the following error when running CURL:
$ curl -v https://google.com
* Rebuilt URL to: https://google.com/
* Trying 172.217.17.46...
* Connected to google.com (172.217.17.46) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: Error in the pull function.
* Closing connection 0
curl: (35) gnutls_handshake() failed: Error in the pull function.
There's numerous other answers that have similar problems but I can't find any that deal with my situation:
- 16.04 - curl: (35) gnutls_handshake() failed: Error in the pull function
- https://stackoverflow.com/questions/24457408/openssl-command-to-check-if-a-server-is-presenting-a-certificate
- "error: gnutls_handshake() failed" when connecting to https servers
- https://serverfault.com/questions/892880/curl-gnutls-handshake-failed-error-in-the-pull-function
- Can't connect to certain HTTPS sites
- update fails with "gnutls_handshake() failed: Error in the pull function."
Here's an example of it working with stackoverflow.com:
$ openssl s_client -connect stackoverflow.com:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=NY/L=New York/O=Stack Exchange, Inc./CN=*.stackexchange.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHHjCCBgagAwIBAgIQDhG71w1UtxDQxvVAtrUspDANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA1MjEwMDAwMDBaFw0xOTA4MTQxMjAwMDBa
MGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTERMA8GA1UEBxMITmV3IFlvcmsx
HTAbBgNVBAoTFFN0YWNrIEV4Y2hhbmdlLCBJbmMuMRwwGgYDVQQDDBMqLnN0YWNr
ZXhjaGFuZ2UuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0YD
zscT5i6T2FaRsTGNCiLB8OtPXu8N9iAyuaROh/nS0kRRsN8wUMk1TmgZhPuYM6oF
S377V8W2LqhLBMrPXi7lnhvKt2DFWCyw38RrDbEsM5dzVGErmhux3F0QqcTI92zj
VW61DmE7NSQLiR4yonVpTpdAaO4jSPJxn8d+4p1sIlU2JGSk8LZSWFqaROc7KtXt
lWP4HahNRZtdwvL5dIEGGNWx+7B+XVAfY1ygc/UisldkA+a3D2+3WAtXgFZRZZ/1
CWFjKWJNMAI6ZBAtlbgSNgRYxdcdleIhPLCzkzWysfltfiBmsmgz6VCoFR4KgJo8
Gd3MeTWojBthM10SLwIDAQABo4IDuDCCA7QwHwYDVR0jBBgwFoAUUWj/kK8CB3U8
zNllZGKiErhZcjswHQYDVR0OBBYEFFrBQmPCYhOznZSEqjIeF8tto4Z7MIIB6AYD
VR0RBIIB3zCCAduCEyouc3RhY2tleGNoYW5nZS5jb22CEXN0YWNrb3ZlcmZsb3cu
Y29tghMqLnN0YWNrb3ZlcmZsb3cuY29tgg1zdGFja2F1dGguY29tggtzc3RhdGlj
Lm5ldIINKi5zc3RhdGljLm5ldIIPc2VydmVyZmF1bHQuY29tghEqLnNlcnZlcmZh
dWx0LmNvbYINc3VwZXJ1c2VyLmNvbYIPKi5zdXBlcnVzZXIuY29tgg1zdGFja2Fw
cHMuY29tghRvcGVuaWQuc3RhY2thdXRoLmNvbYIRc3RhY2tleGNoYW5nZS5jb22C
GCoubWV0YS5zdGFja2V4Y2hhbmdlLmNvbYIWbWV0YS5zdGFja2V4Y2hhbmdlLmNv
bYIQbWF0aG92ZXJmbG93Lm5ldIISKi5tYXRob3ZlcmZsb3cubmV0gg1hc2t1YnVu
dHUuY29tgg8qLmFza3VidW50dS5jb22CEXN0YWNrc25pcHBldHMubmV0ghIqLmJs
b2dvdmVyZmxvdy5jb22CEGJsb2dvdmVyZmxvdy5jb22CGCoubWV0YS5zdGFja292
ZXJmbG93LmNvbYIVKi5zdGFja292ZXJmbG93LmVtYWlsghNzdGFja292ZXJmbG93
LmVtYWlsMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29t
L3NoYTItaGEtc2VydmVyLWc1LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNl
cnQuY29tL3NoYTItaGEtc2VydmVyLWc1LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG
/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT
MAgGBmeBDAECAjCBgwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC5kaWdpY2VydC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly9jYWNlcnRzLmRp
Z2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0
MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBAAzJAMGSdKoX1frdqNlN
iXu8Gcbsm/DxWMXpcTXlZn8s+/qQQoc+/3o0CK3C8/j9n5DmsYa88P6Ntt5ysDs+
b0ynXFva4CAEyKaoPM4SIpOjwfWBRSUOqAIkQO2/LhKBwT/EnpaIHIKGnI0UdXLQ
oDfkMDg6mgJsEBsKdKF5EfEX7iU3NO5xVJPJE8/R0btLAdYwxB9S6fSpCXGe2HqQ
D101O/7/4MWNdFSbfdDSFcn5oEm+idimrqiNrF5knmuJy4qPBkL7thNuGK6rvYCF
ZJM03ZEZhkQmn2jG/7LgjfwZmvfcITeADCpylf88bL+lf+vxe6cCl9CyqWgBDpsI
xpE=
-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=New York/O=Stack Exchange, Inc./CN=*.stackexchange.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3688 bytes and written 437 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 6108011C279498322CD465101770BB0F5B33BB71138CBC79FCDF8CAD77595F29
Session-ID-ctx:
Master-Key: CC8F5FD8CC5197DA6C57E6BF13A47954A8045202DAD80C9C74C26A358613CFDE4430C27F8347FFC9F38F34AF789AF511
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 77 0d 86 c9 22 54 0f 4b-97 9a 3e 46 78 cc 14 46 w..."T.K..>Fx..F
0010 - 2d 82 e9 5f 63 b7 4c ae-de 3e c8 08 4e 35 4b e5 -.._c.L..>..N5K.
0020 - 65 89 ef fa b6 83 a6 25-b6 77 c2 c9 a7 35 a7 95 e......%.w...5..
0030 - c8 2c f1 98 81 19 20 11-84 10 a1 c6 0d 95 61 6d .,.... .......am
0040 - 68 76 2c fc d2 d1 1e 98-1f b2 36 84 3a 83 e0 20 hv,.......6.:..
0050 - 75 98 9a ef 53 76 23 e1-03 f1 ef a2 e5 9a de 6f u...Sv#........o
0060 - e8 69 8e a4 9a 57 db 82-3f 19 e4 1b a0 85 19 54 .i...W..?......T
0070 - ba e3 4c 0a f7 30 0f 68-16 6b 40 f2 65 81 db 6f [email protected]
0080 - aa 41 4f 75 79 dd 75 1a-aa b3 66 3f 6c dd 19 70 .AOuy.u...f?l..p
0090 - cf b5 87 72 61 40 cb 1e-73 1a bd 69 92 a3 16 66 [email protected]
Start Time: 1537529712
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
This is the relevant ifconfig
details for the proxy connection:
wlp2s0 Link encap:Ethernet HWaddr 9c:b6:d0:8e:76:8f
inet addr:10.1.64.58 Bcast:10.1.79.255 Mask:255.255.240.0
inet6 addr: fe80::75a:cefe:ae7f:73f1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:24463 errors:0 dropped:0 overruns:0 frame:0
TX packets:25120 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13605579 (13.6 MB) TX bytes:5419669 (5.4 MB)
Edit: Output of ldd $(which curl)
:
$ ldd $(which curl)
linux-vdso.so.1 => (0x00007ffd885fc000)
libcurl-gnutls.so.4 => /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 (0x00007fd8d24f7000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fd8d22dd000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd8d20c0000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd8d1cf6000)
libidn.so.11 => /usr/lib/x86_64-linux-gnu/libidn.so.11 (0x00007fd8d1ac3000)
librtmp.so.1 => /usr/lib/x86_64-linux-gnu/librtmp.so.1 (0x00007fd8d18a7000)
libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007fd8d1671000)
libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007fd8d1341000)
libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fd8d10f7000)
liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007fd8d0ee8000)
libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007fd8d0c97000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd8d2993000)
libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007fd8d0a64000)
libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007fd8d07e4000)
libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007fd8d0580000)
libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007fd8d036d000)
libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fd8d009b000)
libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fd8cfe6c000)
libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fd8cfc68000)
libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fd8cfa5d000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fd8cf842000)
libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007fd8cf627000)
libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007fd8cf3e6000)
libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007fd8cf1de000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd8cefda000)
libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fd8cedd6000)
libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007fd8cebcd000)
libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007fd8ce943000)
libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 (0x00007fd8ce6a1000)
libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 (0x00007fd8ce46e000)
libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 (0x00007fd8ce258000)
libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 (0x00007fd8ce02f000)
libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007fd8cde20000)
libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 (0x00007fd8cdbd5000)
libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007fd8cd900000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fd8cd6c8000)
Edit 2: Thanks to Simon Sutter for his comments. I have updated to Ubuntu 18.04 in an attempt to resolve it but there are still the similar problems.
Actually the curl error is now slightly different which is useful:
$ curl -v https://google.com
* Rebuilt URL to: https://google.com/
* Trying 172.217.19.206...
* TCP_NODELAY set
* Connected to google.com (172.217.19.206) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to google.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to google.com:443
Searching for the SSL_ERROR_SYSCALL
bug I came across a SO answer that suggests it might have something to do with IPv6 and suggests trying wget
. This is what I get with wget
:
$ wget https://stackoverflow.com
--2018-09-26 09:33:12-- https://stackoverflow.com/
Resolving stackoverflow.com (stackoverflow.com)... 151.101.129.69, 151.101.193.69, 151.101.1.69, ...
Connecting to stackoverflow.com (stackoverflow.com)|151.101.129.69|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 263668 (257K) [text/html]
Saving to: ‘index.html’
index.html 100%[=============>] 257.49K 864KB/s in 0.3s
2018-09-26 09:33:13 (864 KB/s) - ‘index.html’ saved [263668/263668]
$ wget https://google.com
--2018-09-26 09:33:25-- https://google.com/
Resolving google.com (google.com)... 172.217.20.110, 2a00:1450:400e:80a::200e
Connecting to google.com (google.com)|172.217.20.110|:443... connected.
Unable to establish SSL connection.
Interestingly from that google makes an IPv6 request but stackoverflow doesn't. However a further check shows that I have an issue with bitbucket.org too and that makes no indication of an IPv6 connection:
$ wget https://bitbucket.org/
--2018-09-26 10:03:40-- https://bitbucket.org/
Resolving bitbucket.org (bitbucket.org)... 18.205.93.2, 18.205.93.1, 18.205.93.0, ...
Connecting to bitbucket.org (bitbucket.org)|18.205.93.2|:443... connected.
Unable to establish SSL connection.
I did some further checking on this by disabling IPv6 but that made no difference - as in I get the same errors when running curl
or wget
.
Now because I'm on Ubuntu 18.04 here's an updated set of checks.
$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
Relevant ifconfig
details:
wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.64.53 netmask 255.255.240.0 broadcast 10.1.79.255
inet6 fe80::75a:cefe:ae7f:73f1 prefixlen 64 scopeid 0x20<link>
ether 9c:b6:d0:8e:76:8f txqueuelen 1000 (Ethernet)
RX packets 1203608 bytes 1323281319 (1.3 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 434207 bytes 63876155 (63.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Curl libraries:
$ ldd $(which curl)
linux-vdso.so.1 (0x00007ffcba0bb000)
libcurl.so.4 => /usr/lib/x86_64-linux-gnu/libcurl.so.4 (0x00007ff5cba6b000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007ff5cb84e000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007ff5cb62f000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff5cb23e000)
libnghttp2.so.14 => /usr/lib/x86_64-linux-gnu/libnghttp2.so.14 (0x00007ff5cb019000)
libidn2.so.0 => /usr/lib/x86_64-linux-gnu/libidn2.so.0 (0x00007ff5cadfc000)
librtmp.so.1 => /usr/lib/x86_64-linux-gnu/librtmp.so.1 (0x00007ff5cabe0000)
libpsl.so.5 => /usr/lib/x86_64-linux-gnu/libpsl.so.5 (0x00007ff5ca9d2000)
libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007ff5ca768000)
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007ff5ca2f0000)
libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007ff5ca0a5000)
libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007ff5c9e53000)
liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007ff5c9c45000)
/lib64/ld-linux-x86-64.so.2 (0x00007ff5cbf21000)
libunistring.so.2 => /usr/lib/x86_64-linux-gnu/libunistring.so.2 (0x00007ff5c98c7000)
libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007ff5c9562000)
libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007ff5c932e000)
libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007ff5c90f8000)
libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007ff5c8e77000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff5c8c73000)
libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007ff5c899d000)
libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007ff5c876b000)
libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007ff5c8567000)
libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007ff5c835c000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007ff5c8141000)
libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007ff5c7f26000)
libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007ff5c7ce5000)
libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007ff5c79b6000)
libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007ff5c77a3000)
libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007ff5c759f000)
libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007ff5c7396000)
libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007ff5c7109000)
libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 (0x00007ff5c6e67000)
libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 (0x00007ff5c6c31000)
libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 (0x00007ff5c6a1b000)
libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007ff5c6813000)
libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 (0x00007ff5c65ea000)
libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007ff5c63db000)
libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 (0x00007ff5c6191000)
libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007ff5c5e88000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007ff5c5c50000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007ff5c58b2000)
env | grep -i proxy
returns nothing.
Package statuses:
$ dpkg -l curl ca-certificates
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============================-====================-====================-==================================================================
ii ca-certificates 20180409 all Common CA certificates
ii curl 7.58.0-2ubuntu3.3 amd64 command line tool for transferring data with URL syntax
If it is a certificate error somewhere in the chain I know that I did install a work CA certificate when I first setup the computer.
Edit 3:
Here's a list of the sites that work:
https://duckduckgo.com
https://*.stackexchange.com
https://stackoverflow.com
https://www.getharvest.com/
https://www.bbc.com/news
https://egghead.io
https://news.ycombinator.com
https://www.speedtest.net/
https://ipleak.net/
- indicates that I have no IPv6 connectionhttps://*.atlassian.net
(but bitbucket.org fails)
A list of the sites that fail:
https://google.com
https://dropbox.com
https://outlook.live.com/owa/
https://bitbucket.org
https://www.facebook.com/
https://www.slack.com
https://twitter.com
https://github.com
Half works:
https://outlook.office.com/owa/
The site at https://outlook.office.com/owa/?bO=1 has experienced a network protocol violation that cannot be repaired.
Edit 4:
I think I've made some progress with my Ubuntu problems. It works on a separate Ubuntu 16 laptop that I've tried. Further, I think I've tracked it down to a firewall issue (via this Security.SE answer) and the handling of TLS v1.1 vs TLS v1.2.
I tracked down which sites I could access vs not access (above). An interesting example is bitbucket.org (fails) vs atlassian.net (works).
Then if I try with openssl (forcing TLS v1.1):
openssl s_client -connect bitbucket.org:443 -tls1_1 # this fails
openssl s_client -connect atlassian.net:443 -tls1_1 # this works
So I think that the firewall might be blocking TLS v1.2 traffic in some way.
On my other Ubuntu machine when I run:
openssl s_client -connect bitbucket.org:443 -tls1_1 # this works!
Also the same works on a Mac that I tried.
The very boring answer to this is that I was behind a firewall. I'd ruled out a firewall because it was blocking things like google.com and outlook.office.com and I was the only one having the problem.
It turns out that because I'm new in the company I have some configuration (I suspect it's just that my MAC is recognised) on new company laptop (even though it's a fresh Ubuntu install) that means that my traffic gets intercepted by the firewall.