Some servers have trouble talking to Ubuntu 14.04+. This is because OpenSSL 1.0.1g, which included a patch to use a different TLS padding value, was not packaged for Ubuntu; OpenSSL security fixes have been backported to Ubuntu’s 1.0.1f since then. The patch in question bears this commit manifest:
Author: Dr. Stephen Henson <firstname.lastname@example.org>
Date: Sat Apr 5 20:43:54 2014 +0100
Set TLS padding extension value.
Enable TLS padding extension using official value from:
(cherry picked from commit cd6bd5ffda616822b52104fee0c4c7d623fd4f53)
It seems that some MS IIS servers are configured to reject TLS connections that advertise a particular version and do not use this new padding spec, probably in an attempt to mitigate the POODLE attack. Interestingly, OpenSSL 1.0.1a still seems to work.
This problem will often manifest as a connection that hangs during SSL protocol negotiation, or as an error reporting an unknown SSL protocol error. It can be worked around without patches by manually specifying the cipher on the command line.
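When diagnosing this kind of handshake failure it helps to see what the client actually offers. The following is an added example, not code from OpenSSL or from this page: it captures the ClientHello that the local Python/OpenSSL build would send, without touching the network, and reports its size, the number of cipher suites, and whether the padding extension (IANA type 21) is present, for the default cipher list and for a pinned one. The host name `server.example`, the cipher string, the TLS 1.2 cap and all function names are assumptions chosen for illustration.

```python
import ssl
import struct

PADDING_EXT = 21  # IANA-assigned TLS "padding" extension type


def capture_client_hello(ciphers=None, hostname="server.example"):
    """Return the raw ClientHello record this build would send (no network I/O)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # assumption: match the OpenSSL 1.0.1 era
    if ciphers:
        ctx.set_ciphers(ciphers)                  # same effect as a -cipher style option
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()                        # writes the ClientHello, then wants a reply
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def summarize(ciphers=None):
    """Parse the captured ClientHello into the fields relevant to this problem."""
    rec = capture_client_hello(ciphers)
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    handshake_len = int.from_bytes(rec[6:9], "big")
    pos = 5 + 4 + 2 + 32            # record header, handshake header, version, random
    pos += 1 + rec[pos]             # session id
    (suites_len,) = struct.unpack_from("!H", rec, pos)
    pos += 2 + suites_len
    pos += 1 + rec[pos]             # compression methods
    extensions = []
    if pos + 2 <= len(rec):
        (ext_total,) = struct.unpack_from("!H", rec, pos)
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", rec, pos)
            extensions.append(ext_type)
            pos += 4 + ext_len
    return {"handshake_len": handshake_len, "suites": suites_len // 2,
            "extensions": extensions, "padding": PADDING_EXT in extensions}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print("default:", summarize())
    print("pinned: ", summarize("ECDHE-RSA-AES128-GCM-SHA256"))
```

Running it on the affected client and on a client that connects successfully shows how the two hellos differ before any server is involved.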