Menu
We have an application that is currently running via HTTP protocol. We are aiming to migrate it to HTTPS. We have made the necessary changes, but then during login to the application I am getting a "peer not authenticated" error message.
I am completely new to the SSL world, and so I Google up and have captured the Wireshark trace and the communication looks as below:
ClientHello to the server.ServerHello and then its certificate with the messages “ServerHello, Certificate, ServerHelloDone
Please share your inputs on what could be going wrong. We are stuck here and not able to proceed further.
550
The SSL Handshake Error occurs if the read access has not been granted to the OS, thus preventing the web server from completing authentication. It indicates that the browser's connection to the web server isn't secure.
A TLS/SSL handshake failure occurs when a client and server cannot establish communication using the TLS/SSL protocol. When this error occurs in Apigee Edge, the client application receives an HTTP status 503 with the message Service Unavailable.
UPDATED
This is a strange error. The Certificate Unknown should usually be accompanied by a Alert code of 46 and not 61.
If you see, SSL Alert 61 is not mentioned in the Alert Protocol (RFC 5246)
enum {
close_notify(0),
unexpected_message(10),
bad_record_mac(20),
decryption_failed_RESERVED(21),
record_overflow(22),
decompression_failure(30),
handshake_failure(40),
no_certificate_RESERVED(41),
bad_certificate(42),
unsupported_certificate(43),
certificate_revoked(44),
certificate_expired(45),
certificate_unknown(46),
illegal_parameter(47),
unknown_ca(48),
access_denied(49),
decode_error(50),
decrypt_error(51),
export_restriction_RESERVED(60),
protocol_version(70),
insufficient_security(71),
internal_error(80),
user_canceled(90),
no_renegotiation(100),
unsupported_extension(110),
(255)
} AlertDescription;
Without looking at the trace, it is difficult to investigate further.
It Looks like the Server certificate provided in the Server Hello wasn't trusted by the client.
I would recommend to test this using cURL.exe with the -v option.
147
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
