This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor
!!! Overview
[{$pagename}] (often seen as Error 525: SSL handshake failed) is the [Error] raised when the [TLS Handshake] fails.
!! Cause of [{$pagename}]
[{$pagename}] is the message you receive when the [TLS Handshake] process fails.
After you send the secure connection request to the [client], the client is supposed to send a [Public Key] to your computer, which is automatically checked against a list of certificate authorities. Once the [certificate] has been received, the computer generates a key and encrypts it using the [Public Key].
[{$pagename}] occurs if [access] has not been granted to the system, which prevents the [client] from completing [authentication] and indicates that the [client]'s connection to the [server] is NOT secure.
This can happen for a number of different reasons:
* The [SSL]/[TLS] [protocol] version being requested is not supported by the [server]
* The [Cipher Suite] being requested is not supported by the [server]
* The [hostname] in the URL doesn’t match what’s on the [certificate] ([Certificate Validation])
* The [Certificate Chain] is invalid or incomplete ([Certificate Validation])
* The certificate has expired and/or is no longer valid ([Certificate Validation])
* The client or server cannot communicate with the [Server Name Indication] ([SNI]) servers
!! [{$pagename}] [Examples]
! [Certificate Validation]
In this example the server name does not match the common name in the certificate:
{{{
ldapsearch -d1 -x -LLL -H "ldaps://ldapServer.example.com:636" -b "" -s base -a never -z 10 "(objectClass=*)" "namingContexts"
ldap_url_parse_ext(ldaps://ldapServer.example.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldapServer.example.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapServer.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.92.181.29:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs/'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs/'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--001980C4268A97C9710D...CB9BA81FA76D9'.
tlsmc_convert: INFO: using the existing PEM dir.
tlsmc_convert: WARN: extracted cert file is not present.
tlsmc_convert: WARN: extracted key file is not present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--001980C4268A97C9710D...CB9BA81FA76D9/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /OU=LDAPAUTH/OU=Example1 CA, issuer: /OU=LDAPAUTH/OU=Example1 CA
TLS certificate verification: depth: 0, err: 0, subject: /O=LDAPAUTH/CN=ldapServer.example.com, issuer: /OU=LDAPAUTH/OU=Example1 CA
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldapServer.example.com) does not match common name in certificate (ldapServers.example.com).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
}}}
We have seen [Client-side] [LDAP] [Software Development Kits] return [LDAP_SERVER_DOWN] for these types of errors.
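As an added illustration of the [Certificate Validation] failure in the trace above (example code written for this page, not from OpenLDAP or OpenSSL), the following Python performs the hostname check a TLS client applies to the presented certificate, including the subjectAltName and wildcard rules from RFC 6125; the PeerCert class and the certificate values are constructed for the example.

```python
"""Hostname matching as performed during TLS certificate validation.

Constructed example: reproduces the check behind the
"hostname (...) does not match common name in certificate (...)" line
in the ldapsearch trace, following the RFC 6125 rules TLS clients use.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PeerCert:
    """Minimal view of the identity fields a client reads from a certificate (constructed)."""
    common_name: str
    san_dns_names: List[str] = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive, label-by-label comparison. A wildcard is accepted only
    when it is the entire leftmost label and at least two labels follow it,
    so "*.example.com" matches "ldapServer.example.com" but not "a.b.example.com"."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(p_labels) or not all(h_labels):
        return False
    if "*" in pattern:
        only_one_wildcard = pattern.count("*") == 1
        if p_labels[0] != "*" or not only_one_wildcard or len(p_labels) < 3:
            return False  # partial ("ld*"), non-leftmost or top-level wildcards are rejected
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def verify_hostname(cert: PeerCert, hostname: str) -> Tuple[bool, str]:
    """Return (ok, message). When the certificate carries SAN dNSNames the
    Common Name is ignored, as modern TLS clients do; otherwise CN is used."""
    candidates = cert.san_dns_names or [cert.common_name]
    for name in candidates:
        if dns_name_matches(name, hostname):
            return True, f"hostname ({hostname}) matches {name}"
    source = "subjectAltName" if cert.san_dns_names else "common name"
    return False, (f"hostname ({hostname}) does not match {source} in certificate "
                   f"({', '.join(candidates)})")


if __name__ == "__main__":
    # The mismatch from the trace above: ldapServer vs ldapServers (constructed certificate).
    print(verify_hostname(PeerCert("ldapServers.example.com"), "ldapServer.example.com")[1])
```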
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]