Analysis and Solutions for OpenSSL Connection Error: socket: Connection refused connect:errno=111

Keywords: OpenSSL | SSL connection error | port checking

Abstract: This paper provides an in-depth analysis of the "socket: Connection refused connect:errno=111" error encountered when using OpenSSL s_client to connect to servers. By examining the best answer from the Q&A data, it systematically explores core issues including port status checking, firewall configuration, and hostname verification, offering practical diagnostic methods using tools like nmap and telnet. The article also incorporates insights from other answers on firewall rule adjustments and port selection strategies, providing comprehensive technical guidance for SSL/TLS connection troubleshooting.

Error Phenomenon and Preliminary Analysis

When using OpenSSL's s_client command to connect to remote servers, developers may encounter the "socket: Connection refused connect:errno=111" error. This error indicates that the client cannot establish a TCP connection to the target server, typically meaning the target port is unreachable or connection requests are being rejected. Error code 111 corresponds to ECONNREFUSED in system calls, indicating an explicit connection refusal.

Port Status Checking: Using nmap Tool

Following the best answer's recommendation, the first step is to verify the target server's port status. The nmap tool can quickly scan open ports on the target IP:

nmap <IP address>

Sample output might show:

Starting Nmap 5.21 ( http://nmap.org ) at 2015-05-05 09:33 IST
Nmap scan report for <IP address>
Host is up (0.00036s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  *****
139/tcp open  *****
443/tcp open  openssl
MAC Address: 18:03:73:DF:DC:62 (Unknown)

The key observation is the STATE field for port 443. If it shows "open", the port should theoretically be accessible; if it shows "closed" or "filtered", further investigation is needed.

Correct Connection Command Format

Supplementary answers note that the connection command requires proper hostname or IP address format:

openssl s_client -connect hostname:443

openssl s_client -connect IPaddress:443

Ensure the hostname or IP address is separated from the port number by a colon, with no extra spaces or special characters.

Firewall and Network Configuration Check

If ping succeeds but SSL connection fails, firewall rules are likely blocking the connection. In Linux systems, check firewall rules using:

sudo iptables -L -n -v

To temporarily allow port 443 connections (for testing only, use caution in production):

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Basic connection testing can also be done with telnet:

telnet <IP address> 443

If telnet connection is also refused, this further confirms network-level issues.

Server-Side Configuration Verification

Ensure SSL services are actually running on the target server. Check configuration files for Apache, Nginx, or other web servers to confirm 443 port listening is enabled. For example, in Nginx configuration:

server {
    listen 443 ssl;
    server_name example.com;
    # SSL certificate configuration
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
}

After restarting services, verify port listening status:

sudo netstat -tlnp | grep :443

Comprehensive Troubleshooting Workflow

Use nmap or telnet to verify port reachability
Check OpenSSL command format correctness
Investigate local and remote firewall rules
Verify server-side SSL service configuration
Consider network routing and intermediate device impacts

Through systematic troubleshooting, most "Connection refused" errors can be effectively resolved, ensuring proper establishment of SSL/TLS encrypted communication.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.