I'm trying to run an openssl command to narrow down what the SSL issue might be when trying to send an outbound message from our system.
I found this command in another topic: Using openssl to get the certificate from a server
openssl s_client -connect ip:port -prexit
The output of this results in
CONNECTED(00000003)
15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Does this mean the server isn't presenting any certificate? I tried other systems on a different ip:port and they present a certificate successfully.
Does mutual authentication affect this command with -prexit?
--Update--
I ran the command again
openssl s_client -connect ip:port -prexit
And I get this response now
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I added -ssl3 to the command
openssl s_client -connect ip:port -prexit -ssl3
Response:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1403907236
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
Also trying -tls1:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1403907267
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
I was debugging an SSL issue today which resulted in the same write:errno=104 error. Eventually I found out that the reason for this behaviour was that the server required SNI (the servername TLS extension) to work correctly. Supplying the -servername option to openssl made it connect successfully:
openssl s_client -connect domain.tld:443 -servername domain.tld
Hope this helps.
15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: ... SSL handshake has read 0 bytes and written 121 bytes
This is a handshake failure. The other side closes the connection without sending any data ("read 0 bytes"). It might be that the other side does not speak SSL at all. But I've seen similar errors with broken SSL implementations which do not understand newer SSL versions. Try whether you get an SSL connection by adding -ssl3 to the command line of s_client.
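Added example, not code from the question or from either answer: the 121 bytes openssl wrote before the server closed the connection are the ClientHello, and the servername extension the SNI answer refers to is a few bytes inside it. The script below builds a TLS 1.2 ClientHello with and without the server_name extension, parses it the way a server's SNI check would, and models a server that drops any connection whose ClientHello does not name a host it serves, which is what the client sees as "read 0 bytes" or write:errno=104 in the second answer. The host names and cipher suites are constructed sample values; nothing here talks to a network.

```python
"""Build and parse TLS ClientHello messages to show where the SNI
(server_name, RFC 6066) extension lives and how a server that requires it
behaves. Added example with constructed sample values."""
import os
import struct

HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name
HOST_NAME = 0x00          # ServerName.name_type: host_name


def build_client_hello(server_name=None,
                       cipher_suites=(0xC02F, 0xC030, 0x009C)):
    """Return a TLS record carrying a TLS 1.2 ClientHello.

    With server_name=None the extensions block is omitted entirely, the
    shape a client sends when it was never told the host name
    (openssl s_client without -servername).
    """
    body = struct.pack("!H", 0x0303)                  # client_version TLS 1.2
    body += os.urandom(32)                            # client random
    body += b"\x00"                                   # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                               # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry           # ServerNameList
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext             # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer: type, legacy version 3.1, length, payload
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_sni(record):
    """Return the host name from the ClientHello's server_name extension,
    or None when no such extension is present."""
    rec_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if rec_type != HANDSHAKE or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version and random
    pos += 1 + body[pos]                              # session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2 + cs_len                                 # cipher_suites
    pos += 1 + body[pos]                              # compression_methods
    if pos >= len(body):
        return None                                   # no extensions block at all
    (ext_total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        (list_len,) = struct.unpack_from("!H", data, 0)
        off = 2
        while off < 2 + list_len:
            name_type, name_len = struct.unpack_from("!BH", data, off)
            off += 3
            name = data[off:off + name_len]
            off += name_len
            if name_type == HOST_NAME:
                return name.decode("ascii")
    return None


def server_decision(record, expected_name):
    """Model an SNI-requiring server: accept only a ClientHello that names a
    host it serves, otherwise close without sending anything (seen by the
    client as 'read 0 bytes' / write:errno=104)."""
    name = parse_sni(record)
    if name is None:
        return "close: no server_name extension"
    if name != expected_name:
        return f"close: unknown server_name {name!r}"
    return f"accept: {name}"


if __name__ == "__main__":
    # domain.tld is a constructed placeholder host name
    for hello in (build_client_hello(), build_client_hello("domain.tld")):
        print(len(hello), "bytes ->", server_decision(hello, "domain.tld"))
```

A ClientHello without any extensions block is 54 bytes here; adding the server_name entry grows it by the extension header plus the name, which is the only difference between the failing and the working s_client run in the SNI answer.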