LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 09-05-2010, 01:17 PM   #1
konzo
Member
 
Registered: Dec 2008
Location: Bulgaria
Distribution: Debian / Slackware / Ubuntu
Posts: 230

Rep: Reputation: 34
ssl_error_handshake_failure_alert on https site - localhost


Hi all,

I am trying to configure a local HTTPS server, but I get this message:

"ssl_error_handshake_failure_alert"

I configured my Apache and made the cert and key files following section 1B of this article:

http://www.tc.umn.edu/~brams006/selfsign.html

I tried adding the server.crt and ca.crt files in Firefox, but it didn't help. I googled and didn't find any information. I also tried with a 1024-bit key.

Can anyone suggest something?
 
Old 09-05-2010, 01:20 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Initially I'd suggest increasing logging and looking at things in more detail. A good way is to use a tool like curl with the -v option to see what a client thinks about the certificate. The most common thing would be something like a host name mismatch or a broken CA chain.
 
Old 09-05-2010, 01:59 PM   #3
konzo
Member
 
Registered: Dec 2008
Location: Bulgaria
Distribution: Debian / Slackware / Ubuntu
Posts: 230

Original Poster
Rep: Reputation: 34
As you supposed, ca.crt is broken or something. I tried to build it again from the how-to. Unfortunately the same error occurs and I have no idea what to do.

Here is what curl gives:
Code:
debian:/etc/ssl/ssl.crt# curl -v https://localhost
* About to connect() to localhost port 443 (#0)
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
And here it is with -k to skip ca.crt verification:

Code:
debian:/etc/ssl/ssl.crt# curl -k -v https://localhost
* About to connect() to localhost port 443 (#0)
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
These are the commands I used to build ca.crt, server.crt and the key files:

Code:
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr

openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
 
Old 09-05-2010, 03:19 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Hmm, add a few more -v's. I'd guess that it could be something like your server not providing a suitable cipher suite to agree on. Personally my style would be to capture the exchange in Wireshark and step through it in real detail there. Can you print out the cert? "openssl x509 -noout -text -in server.crt" if I remember right.
 
Old 09-05-2010, 03:37 PM   #5
konzo
Member
 
Registered: Dec 2008
Location: Bulgaria
Distribution: Debian / Slackware / Ubuntu
Posts: 230

Original Poster
Rep: Reputation: 34
Here is the output:

Code:
debian:/etc/ssl/ssl.crt# openssl x509 -noout -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BG, ST=Sofia, L=Sofia, O=kdelchev.com, OU=web, CN=kdelchev.com/emailAddress=kd@gmail.com
        Validity
            Not Before: Sep  5 18:03:58 2010 GMT
            Not After : Sep  5 18:03:58 2011 GMT
        Subject: C=BG, ST=Sofia, L=Sofia, O=KodeImage, OU=ImageSite, CN=localhost/emailAddress=kd@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:c7:8b:0b:04:42:74:d1:89:37:07:1a:65:38:68:
                    db:87:6d:c2:fc:f5:cc:65:83:e9:53:72:54:fe:cd:
                    7d:8c:36:ff:83:73:31:ee:63:af:be:0a:a0:f9:95:
                    77:3f:43:23:03:b6:69:85:97:87:7c:c0:27:86:e6:
                    d6:af:1d:36:90:31:17:91:ee:12:e2:fd:4c:00:7b:
                    f4:40:53:db:df:fa:fe:15:58:4c:87:4c:af:ad:74:
                    e6:5c:41:81:9d:0a:4d:d4:7d:71:e7:38:96:f4:1c:
                    a6:97:2c:ec:73:cb:a9:71:c6:31:87:0b:e9:71:b7:
                    3a:2f:df:25:22:d2:56:d0:96:56:53:d2:77:1f:7e:
                    f5:38:38:c1:5c:c1:d2:1c:5e:45:a0:1e:c7:56:31:
                    9f:1c:55:62:b1:83:89:4c:49:ca:3d:c7:9a:aa:d8:
                    3c:3b:58:46:77:dd:97:29:f8:41:ed:80:9c:65:f8:
                    c2:57:86:a0:e0:98:3f:45:e9:6a:bd:37:3f:e9:09:
                    7c:16:74:fa:fb:96:c8:eb:94:21:36:2f:57:a2:8a:
                    41:19:71:f5:b0:91:e4:0a:27:8c:fb:3b:d0:80:34:
                    7e:63:fd:7e:c0:58:9f:6d:d0:3f:25:43:5d:dc:51:
                    0e:8a:42:6d:46:2a:f8:c1:2f:55:04:0f:d1:4f:46:
                    2b:02:6a:b7:e3:b5:c2:e4:aa:6f:e1:8a:24:39:7d:
                    7d:9c:b0:5c:55:36:9b:f6:60:5d:f3:61:15:f1:de:
                    ea:6a:8d:31:75:96:7f:0b:30:6a:0c:11:09:df:11:
                    e8:9f:73:18:a2:d0:09:5f:98:bc:0f:72:3a:c9:f5:
                    04:c8:fc:8a:bf:9b:5f:24:e5:9b:6d:37:3e:bd:6b:
                    e5:be:cd:d9:81:60:bd:66:b6:6d:3b:fa:46:a4:b8:
                    d4:df:65:14:ab:3d:81:2f:ec:4a:18:98:5e:29:8c:
                    45:96:c3:37:ac:3f:da:cd:2d:d6:35:d6:b5:ac:2e:
                    e6:58:17:28:db:5e:ae:5c:12:d3:96:d0:55:11:cc:
                    83:31:a4:3c:4c:d7:81:79:b5:95:04:98:cc:b6:eb:
                    1d:b6:12:2b:46:a7:b0:61:d9:75:97:a9:33:8b:40:
                    59:c1:52:a2:8c:54:22:8b:19:49:13:72:d0:be:e2:
                    0c:f5:a8:f3:f5:1d:b9:6e:dd:8c:4b:12:26:91:67:
                    73:e8:c2:d9:94:4d:29:0a:b2:71:23:62:95:6a:0e:
                    78:58:22:b0:ed:40:b9:fc:ff:2f:8d:9d:28:f9:60:
                    4a:72:d1:d7:7d:58:75:0a:7d:5f:1d:14:93:cd:77:
                    3f:33:c4:88:40:b0:aa:d3:e1:12:d1:71:fe:d9:2f:
                    33:08:43
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        23:9f:df:27:f9:44:b9:b7:d0:1b:64:20:35:c9:96:a6:d3:84:
        49:e0:68:a3:b8:01:8e:b5:40:b8:6c:74:e8:a0:71:9b:91:47:
        7b:98:88:71:ab:53:eb:27:35:8e:0c:6c:8f:69:ab:67:54:c0:
        23:db:66:7e:ec:55:27:0a:b3:39:7f:6a:23:57:a5:f8:a6:46:
        43:74:1a:c1:f0:21:c1:ab:ea:1e:c5:c9:e2:a2:9a:d5:6b:08:
        fe:4e:72:08:c4:8f:ba:01:3b:ae:28:28:22:d4:c5:91:dd:62:
        34:2b:71:b9:90:da:3d:63:bc:7f:e4:b0:48:82:21:53:16:9d:
        70:bc:f7:34:ac:a7:88:3e:b3:3e:a5:cf:ad:6e:7c:e3:d7:4e:
        5e:e8:65:8d:d4:74:23:c7:6c:b5:66:75:8e:76:b1:0f:1d:0a:
        65:1e:3d:de:52:26:41:6f:e8:c3:25:d3:63:44:df:84:71:a0:
        da:84:6f:03:a1:de:bc:81:35:a1:34:85:9e:7d:0e:0a:25:f1:
        f6:45:51:63:6e:85:54:40:14:a1:eb:a6:21:67:e4:15:d1:25:
        69:4c:31:f1:39:0a:c7:a7:e4:c2:ac:4c:cb:c9:cd:f7:dd:82:
        df:8f:d6:b5:22:6e:66:a8:55:13:12:56:79:5f:80:48:55:9a:
        f3:01:e3:66:72:57:d5:0d:89:73:1f:7b:c4:30:31:2e:29:78:
        ae:c7:0d:0d:fa:19:bb:7b:dd:c2:13:a9:9b:9a:56:c0:82:c6:
        e9:b1:ec:d7:84:c2:de:9b:76:22:8a:25:0a:ee:3b:d5:ff:3c:
        d8:9a:90:f1:64:ed:31:01:0b:81:46:8c:7e:3d:1e:f3:3a:78:
        20:96:96:fb:ab:ac:44:64:d4:05:7f:b2:1a:d8:ed:e1:9d:9b:
        00:d5:b4:63:f2:b8:0a:7d:e2:5f:71:47:f8:e1:cd:32:a3:62:
        3d:cc:15:b9:1c:45:74:7e:21:52:07:fe:b7:0d:1f:a2:e5:66:
        fe:68:2d:8d:7c:3f:63:8e:5b:f0:a1:49:90:c5:d5:4b:3b:60:
        48:a2:35:33:d3:1b:38:8e:0d:30:b7:3c:cd:e5:bc:49:00:d0:
        ed:a3:38:11:39:28:95:89:aa:60:b1:93:ae:4e:ab:40:f7:b3:
        47:e4:1d:63:69:25:b6:03:f1:a2:34:a2:7e:3c:33:32:cd:0a:
        aa:82:9b:42:78:7a:f9:6a:fb:aa:6c:a9:7f:45:a8:4c:d3:69:
        e2:32:a5:e0:14:aa:68:92:60:1e:16:b4:ae:b5:cd:07:67:1a:
        69:46:76:86:2f:d9:d1:e2:3e:08:eb:1f:22:6e:a4:8b:4c:80:
        2a:bb:49:b1:db:1d:b9:34
 
Old 09-06-2010, 01:28 AM   #6
sampappachan_nyc
Member
 
Registered: Jan 2009
Location: New York
Distribution: Red Hat, CentOS,Fedora, Ubuntu, SUSE, linux mint
Posts: 60

Rep: Reputation: 0
Incorrect time, maybe...

Make sure you have the correct time settings, and the correct time server config in /etc/ntp.conf:

Code:
service ntpd stop
ntpdate time.server.com
service ntpd start
hwclock --systohc

#check:
ntpq -p
date
 
Old 09-06-2010, 05:21 AM   #7
konzo
Member
 
Registered: Dec 2008
Location: Bulgaria
Distribution: Debian / Slackware / Ubuntu
Posts: 230

Original Poster
Rep: Reputation: 34
Today when I started the PC the previous error didn't appear. In its place I get this when I run curl:

Code:
debian:/etc/apache2/sites-enabled# curl -v https://localhost
* About to connect() to localhost port 443 (#0)
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
@sampappachan_nyc

I didn't have ntp installed. I installed it and tried to run some of the commands you provided, but I get errors (I am not so skilled). I tried to change the date of the PC, since I vaguely remember doing that when I configured OpenVPN with SSL on another machine, and there that was the problem. I tried changing the date to a few days ahead of and behind the current date, but that didn't help.


I think the handshake is OK now (maybe after the restart). What is that unknown protocol thing?
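The three curl -v traces in this thread (posts #3 and #7) each stop at a different handshake step: the first rejects the server cert on the client side, the second shows the server sending "Request CERT (13)" and then alerting after the client answers, and the third gets non-TLS bytes back. As an added example that is not part of the thread, this Python script classifies such a trace from the handshake message types curl prints; the sample traces are the ones posted above, trimmed to the handshake lines, and the Apache hints (SSLEngine, SSLVerifyClient) are the editor's interpretation, not something the thread confirms.

```python
import re

# Constructed sample input: the handshake lines of the three curl -v traces
# posted in this thread, one per failure mode.
TRACE_CA_NOT_TRUSTED = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"""
TRACE_CLIENT_CERT_REQUIRED = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, Finished (20):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure"""
TRACE_NOT_TLS = """\
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol"""

HANDSHAKE_RE = re.compile(r"TLS handshake, .*\((\d+)\):")
HINTS = {  # interpretation hints (editor's assumption, not from the thread)
    "NOT_TLS": "server answered the ClientHello with non-TLS bytes: check SSLEngine on / Listen 443 for that vhost",
    "CLIENT_REJECTED_SERVER_CERT": "curl rejected the server cert: pass the issuing CA with --cacert ca.crt, or check name/expiry",
    "SERVER_REJECTED_CLIENT_CERT": "server sent CertificateRequest (13) and aborted after the client replied: check SSLVerifyClient",
    "OK": "handshake completed",
}

def diagnose(trace):
    """Classify a curl -v trace by the TLS handshake message types (RFC 5246 numbering) it shows."""
    types = [int(m.group(1)) for m in HANDSHAKE_RE.finditer(trace)]
    if "unknown protocol" in trace:
        return "NOT_TLS"
    if "certificate verify failed" in trace:
        return "CLIENT_REJECTED_SERVER_CERT"
    # CertificateRequest seen, client sent its own Certificate and Finished (20), server still alerted
    if 13 in types and types.count(11) >= 2 and 20 in types and "alert handshake failure" in trace:
        return "SERVER_REJECTED_CLIENT_CERT"
    return "OK" if 20 in types and "alert" not in trace else "HANDSHAKE_ALERT"

def explain(trace):
    verdict = diagnose(trace)
    return verdict, HINTS.get(verdict, "unclassified alert: capture the exchange in Wireshark and inspect")
```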
 
All times are GMT -5. The time now is 08:14 AM.