SSL Handshake Failing With 'Certificate Unknown'

We have an application that is currently running via HTTP protocol. We are aiming to migrate it to HTTPS. We have made the necessary changes, but then during login to the application I am getting a "peer not authenticated" error message.

I am completely new to the SSL world, so I Googled and captured a Wireshark trace; the communication looks as below:

  1. Client sends [SYN] to server.
  2. Server sends [SYN,ACK] to client.
  3. Client sends [ACK] to server.
  4. Client sends the message ClientHello to the server.
  5. Server sends ServerHello and then its certificate with the messages "ServerHello, Certificate, ServerHelloDone".
  6. Alert 61, Level Fatal, Description: Certificate Unknown // Failing here.

Please share your inputs on what could be going wrong. We are stuck here and not able to proceed further.

Pavan Dittakavi asked Aug 04 '17 15:08




1 Answer

UPDATED

This is a strange error. The Certificate Unknown should usually be accompanied by an Alert code of 46 and not 61.

If you see, SSL Alert 61 is not mentioned in the Alert Protocol (RFC 5246)

  enum {
      close_notify(0),
      unexpected_message(10),
      bad_record_mac(20),
      decryption_failed_RESERVED(21),
      record_overflow(22),
      decompression_failure(30),
      handshake_failure(40),
      no_certificate_RESERVED(41),
      bad_certificate(42),
      unsupported_certificate(43),
      certificate_revoked(44),
      certificate_expired(45),
      certificate_unknown(46),
      illegal_parameter(47),
      unknown_ca(48),
      access_denied(49),
      decode_error(50),
      decrypt_error(51),
      export_restriction_RESERVED(60),
      protocol_version(70),
      insufficient_security(71),
      internal_error(80),
      user_canceled(90),
      no_renegotiation(100),
      unsupported_extension(110),
      (255)
  } AlertDescription;

Without looking at the trace, it is difficult to investigate further.

It looks like the Server certificate provided in the Server Hello wasn't trusted by the client.

I would recommend testing this using cURL.exe with the -v option.

Kaushal Kumar Panday answered Sep 29 '22 16:09

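An added example, not part of the question or the answer above: the alert at step 6 of the trace is sent before any key exchange completes, so it travels as a plaintext TLS record, and its description byte can be decoded directly against the RFC 5246 enum quoted in the answer. Both sample records below are constructed here, not taken from the original capture; the parser reports values the RFC does not assign (such as 61) as unassigned instead of guessing a name.

```python
import struct

# AlertDescription values from RFC 5246 section 7.2 (the enum quoted above).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction_RESERVED",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPE_ALERT = 21  # TLS record ContentType alert(21)


def parse_alert_record(record: bytes) -> dict:
    """Decode one plaintext TLS record and name the fields of its Alert body.

    Unassigned level/description values come back as 'unassigned(<n>)'.
    Raises ValueError on anything that is not a well-formed Alert record.
    """
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("record length field does not match payload")
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an Alert record (content type {content_type})")
    if length != 2:
        raise ValueError("plaintext Alert body must be exactly 2 bytes")
    level, desc = body[0], body[1]
    return {
        "version": f"{major}.{minor}",
        "level": ALERT_LEVELS.get(level, f"unassigned({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unassigned({desc})"),
        "description_code": desc,
    }


# Constructed sample: TLS 1.2 record carrying fatal certificate_unknown(46),
# the alert the answer says should accompany a rejected server certificate.
SAMPLE_CERT_UNKNOWN = bytes.fromhex("15 03 03 00 02 02 2e")
# Constructed sample carrying description 61, which RFC 5246 does not assign.
SAMPLE_UNASSIGNED_61 = bytes.fromhex("15 03 03 00 02 02 3d")

if __name__ == "__main__":
    for sample in (SAMPLE_CERT_UNKNOWN, SAMPLE_UNASSIGNED_61):
        print(parse_alert_record(sample))
```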