LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 09-05-2010, 01:17 PM   #1
konzo
Member
 
Registered: Dec 2008
Location: Bulgaria
Distribution: Debian / Slackware / Ubuntu
Posts: 230

Rep: Reputation: 33
ssl_error_handshake_failure_alert on https site - localhost


Hi all,

I am trying to configure local https server but I get this message:

"ssl_error_handshake_failure_alert"

I configured my apache and make cert and key files from this article, following section 1B:

http://www.tc.umn.edu/~brams006/selfsign.html

I try to add server.crt and ca.crt files in firefox, but it didn't help. I googled and didn't find any information. I try also with 1024bit key.

Can anyone suggest something?
 
Old 09-05-2010, 01:20 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
Initially I'd suggest increasing logging and looking at things in more detail. A good way is to use a tool like curl with the -v option to see what a client thinks about the certificate. Most common thing would be something like a host name mismatch or a broken ca chain.
 
Old 09-05-2010, 01:59 PM   #3
konzo
Member
 
Registered: Dec 2008
Location: Bulgaria
Distribution: Debian / Slackware / Ubuntu
Posts: 230

Original Poster
Rep: Reputation: 33
As you suppose ca.crt is broken or something. I try to build it agian from the how-to. Unfortunately Same error occurs and I have no idea what to do.

Here is what curl give
Code:
debian:/etc/ssl/ssl.crt# curl -v https://localhost
* About to connect() to localhost port 443 (#0)
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
and here is with -k to skip ca.crt verification

Code:
debian:/etc/ssl/ssl.crt# curl -k -v https://localhost
* About to connect() to localhost port 443 (#0)
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
This are the commands i use to build ca.crt and server.crt and key files

Code:
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr

openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
 
Old 09-05-2010, 03:19 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
Hmm, add a few more -v's, I'd guess that it could be something like your server not providing a suitable cipher suite to agree on. Personally my style would be to capture the exchange in wireshark and step through it in real detail there. Can you print out the cert? "openssl x509 -noout -text -in server.crt" if i remember right.
 
Old 09-05-2010, 03:37 PM   #5
konzo
Member
 
Registered: Dec 2008
Location: Bulgaria
Distribution: Debian / Slackware / Ubuntu
Posts: 230

Original Poster
Rep: Reputation: 33
Here is the output

Code:
debian:/etc/ssl/ssl.crt# openssl x509 -noout -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BG, ST=Sofia, L=Sofia, O=kdelchev.com, OU=web, CN=kdelchev.com/emailAddress=kd@gmail.com
        Validity
            Not Before: Sep  5 18:03:58 2010 GMT
            Not After : Sep  5 18:03:58 2011 GMT
        Subject: C=BG, ST=Sofia, L=Sofia, O=KodeImage, OU=ImageSite, CN=localhost/emailAddress=kd@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:c7:8b:0b:04:42:74:d1:89:37:07:1a:65:38:68:
                    db:87:6d:c2:fc:f5:cc:65:83:e9:53:72:54:fe:cd:
                    7d:8c:36:ff:83:73:31:ee:63:af:be:0a:a0:f9:95:
                    77:3f:43:23:03:b6:69:85:97:87:7c:c0:27:86:e6:
                    d6:af:1d:36:90:31:17:91:ee:12:e2:fd:4c:00:7b:
                    f4:40:53:db:df:fa:fe:15:58:4c:87:4c:af:ad:74:
                    e6:5c:41:81:9d:0a:4d:d4:7d:71:e7:38:96:f4:1c:
                    a6:97:2c:ec:73:cb:a9:71:c6:31:87:0b:e9:71:b7:
                    3a:2f:df:25:22:d2:56:d0:96:56:53:d2:77:1f:7e:
                    f5:38:38:c1:5c:c1:d2:1c:5e:45:a0:1e:c7:56:31:
                    9f:1c:55:62:b1:83:89:4c:49:ca:3d:c7:9a:aa:d8:
                    3c:3b:58:46:77:dd:97:29:f8:41:ed:80:9c:65:f8:
                    c2:57:86:a0:e0:98:3f:45:e9:6a:bd:37:3f:e9:09:
                    7c:16:74:fa:fb:96:c8:eb:94:21:36:2f:57:a2:8a:
                    41:19:71:f5:b0:91:e4:0a:27:8c:fb:3b:d0:80:34:
                    7e:63:fd:7e:c0:58:9f:6d:d0:3f:25:43:5d:dc:51:
                    0e:8a:42:6d:46:2a:f8:c1:2f:55:04:0f:d1:4f:46:
                    2b:02:6a:b7:e3:b5:c2:e4:aa:6f:e1:8a:24:39:7d:
                    7d:9c:b0:5c:55:36:9b:f6:60:5d:f3:61:15:f1:de:
                    ea:6a:8d:31:75:96:7f:0b:30:6a:0c:11:09:df:11:
                    e8:9f:73:18:a2:d0:09:5f:98:bc:0f:72:3a:c9:f5:
                    04:c8:fc:8a:bf:9b:5f:24:e5:9b:6d:37:3e:bd:6b:
                    e5:be:cd:d9:81:60:bd:66:b6:6d:3b:fa:46:a4:b8:
                    d4:df:65:14:ab:3d:81:2f:ec:4a:18:98:5e:29:8c:
                    45:96:c3:37:ac:3f:da:cd:2d:d6:35:d6:b5:ac:2e:
                    e6:58:17:28:db:5e:ae:5c:12:d3:96:d0:55:11:cc:
                    83:31:a4:3c:4c:d7:81:79:b5:95:04:98:cc:b6:eb:
                    1d:b6:12:2b:46:a7:b0:61:d9:75:97:a9:33:8b:40:
                    59:c1:52:a2:8c:54:22:8b:19:49:13:72:d0:be:e2:
                    0c:f5:a8:f3:f5:1d:b9:6e:dd:8c:4b:12:26:91:67:
                    73:e8:c2:d9:94:4d:29:0a:b2:71:23:62:95:6a:0e:
                    78:58:22:b0:ed:40:b9:fc:ff:2f:8d:9d:28:f9:60:
                    4a:72:d1:d7:7d:58:75:0a:7d:5f:1d:14:93:cd:77:
                    3f:33:c4:88:40:b0:aa:d3:e1:12:d1:71:fe:d9:2f:
                    33:08:43
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        23:9f:df:27:f9:44:b9:b7:d0:1b:64:20:35:c9:96:a6:d3:84:
        49:e0:68:a3:b8:01:8e:b5:40:b8:6c:74:e8:a0:71:9b:91:47:
        7b:98:88:71:ab:53:eb:27:35:8e:0c:6c:8f:69:ab:67:54:c0:
        23:db:66:7e:ec:55:27:0a:b3:39:7f:6a:23:57:a5:f8:a6:46:
        43:74:1a:c1:f0:21:c1:ab:ea:1e:c5:c9:e2:a2:9a:d5:6b:08:
        fe:4e:72:08:c4:8f:ba:01:3b:ae:28:28:22:d4:c5:91:dd:62:
        34:2b:71:b9:90:da:3d:63:bc:7f:e4:b0:48:82:21:53:16:9d:
        70:bc:f7:34:ac:a7:88:3e:b3:3e:a5:cf:ad:6e:7c:e3:d7:4e:
        5e:e8:65:8d:d4:74:23:c7:6c:b5:66:75:8e:76:b1:0f:1d:0a:
        65:1e:3d:de:52:26:41:6f:e8:c3:25:d3:63:44:df:84:71:a0:
        da:84:6f:03:a1:de:bc:81:35:a1:34:85:9e:7d:0e:0a:25:f1:
        f6:45:51:63:6e:85:54:40:14:a1:eb:a6:21:67:e4:15:d1:25:
        69:4c:31:f1:39:0a:c7:a7:e4:c2:ac:4c:cb:c9:cd:f7:dd:82:
        df:8f:d6:b5:22:6e:66:a8:55:13:12:56:79:5f:80:48:55:9a:
        f3:01:e3:66:72:57:d5:0d:89:73:1f:7b:c4:30:31:2e:29:78:
        ae:c7:0d:0d:fa:19:bb:7b:dd:c2:13:a9:9b:9a:56:c0:82:c6:
        e9:b1:ec:d7:84:c2:de:9b:76:22:8a:25:0a:ee:3b:d5:ff:3c:
        d8:9a:90:f1:64:ed:31:01:0b:81:46:8c:7e:3d:1e:f3:3a:78:
        20:96:96:fb:ab:ac:44:64:d4:05:7f:b2:1a:d8:ed:e1:9d:9b:
        00:d5:b4:63:f2:b8:0a:7d:e2:5f:71:47:f8:e1:cd:32:a3:62:
        3d:cc:15:b9:1c:45:74:7e:21:52:07:fe:b7:0d:1f:a2:e5:66:
        fe:68:2d:8d:7c:3f:63:8e:5b:f0:a1:49:90:c5:d5:4b:3b:60:
        48:a2:35:33:d3:1b:38:8e:0d:30:b7:3c:cd:e5:bc:49:00:d0:
        ed:a3:38:11:39:28:95:89:aa:60:b1:93:ae:4e:ab:40:f7:b3:
        47:e4:1d:63:69:25:b6:03:f1:a2:34:a2:7e:3c:33:32:cd:0a:
        aa:82:9b:42:78:7a:f9:6a:fb:aa:6c:a9:7f:45:a8:4c:d3:69:
        e2:32:a5:e0:14:aa:68:92:60:1e:16:b4:ae:b5:cd:07:67:1a:
        69:46:76:86:2f:d9:d1:e2:3e:08:eb:1f:22:6e:a4:8b:4c:80:
        2a:bb:49:b1:db:1d:b9:34
 
Old 09-06-2010, 01:28 AM   #6
sampappachan_nyc
Member
 
Registered: Jan 2009
Location: New York
Distribution: Red Hat, CentOS,Fedora, Ubuntu, SUSE, linux mint
Posts: 53

Rep: Reputation: 0
Incorrect time maybe,.....

make sure you have the correct time settings,

correct time server config in /etc/ntp.conf


service ntpd stop
ntpdate time.server.com
service ntpd start
hwclock –systohc

#check:
ntpq –p


date
 
Old 09-06-2010, 05:21 AM   #7
konzo
Member
 
Registered: Dec 2008
Location: Bulgaria
Distribution: Debian / Slackware / Ubuntu
Posts: 230

Original Poster
Rep: Reputation: 33
Today when I start the pc the previous error didn't appear. On its place I get this when run curl

Code:
debian:/etc/apache2/sites-enabled# curl -v https://localhost
* About to connect() to localhost port 443 (#0)
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
@sampappachan_nyc

I didn't have ntp installed. I installed in and try to run some of the commands you provide, but I get errors(I am not so skilled). I try to change the date of the pc since I barely remember I do that when I configure openvpn with ssl on other machine and there that was the problem. I try to change the date with few days ahead and beyond the current date, but that didn't helped.


I think handshake is OK now(maybe after restart). What is that with the unknown protocol thing?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
speed up https (apache) site peridot121 Linux - Server 3 05-18-2010 04:51 PM
ie7 can't view my site over https tuxgirl Linux - Server 3 07-24-2009 01:52 PM
[Apache2] Localhost can connect to HTTPS, but not clients in the LAN Akhran Linux - Newbie 3 09-12-2005 05:13 PM
http and https, setuping up a secure site helpme0904 Linux - Newbie 1 06-04-2005 09:34 PM
page forbidden when checking https://localhost/ .....please help! poncenby_smythe Linux - Security 1 08-27-2003 01:47 PM


All times are GMT -5. The time now is 03:04 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration