Overview#
SSL Handshake Failed (often seen as Cloudflare's Error 525: SSL handshake failed) is the error reported when the TLS Handshake between a client and a server does not complete.
Cause of SSL Handshake Failed#
SSL Handshake Failed is the message you receive when the TLS Handshake process fails. When the client opens a secure connection, the server sends back its certificate, which contains the server's Public Key; the client checks that certificate against its list of trusted certificate authorities and against the hostname it asked for. Only once the certificate is accepted do the two sides derive the session keys (in the classic RSA key exchange, the client generates a premaster secret and encrypts it with the server's Public Key so that only the server can recover it).
SSL Handshake Failed occurs when either side rejects any step of this exchange: no session key is agreed, the connection is aborted before any application data (such as an LDAP Bind) is sent, and the client's connection to the server is NOT secure, and usually is not established at all.
This can be caused by a number of different reasons:
- The SSL/TLS protocol version being requested is not supported by the server
- The Cipher Suite being requested is not supported by the server
- The hostname in the URL doesn't match the Subject Alternative Name (or legacy Common Name) in the certificate (Certificate Validation)
- The Certificate Chain is invalid or incomplete, for example an intermediate CA certificate the server failed to send (Certificate Validation)
- The certificate has expired, is not yet valid, or is otherwise no longer valid (Certificate Validation)
- The client does not send Server Name Indication (SNI), or sends a name the server has no certificate for, so the server answers with the wrong (default) certificate or aborts the handshake with an unrecognized name alert
SSL Handshake Failed Examples#
Certificate Validation#
In this example the server name in the URL (ldapServer.example.com) does not match the common name in the certificate (ldapServers.example.com). The trace comes from ldapsearch run with -d1, which prints the TLS trace that the LDAP error alone would hide:
ldapsearch -d1 -x -LLL -H "ldaps://ldapServer.example.com:636" -b "" -s base -a never -z 10 "(objectClass=*)" "namingContexts"
ldap_url_parse_ext(ldaps://ldapServer.example.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldapServer.example.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapServer.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.92.181.29:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs/'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs/'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--001980C4268A97C9710D...CB9BA81FA76D9'.
tlsmc_convert: INFO: using the existing PEM dir.
tlsmc_convert: WARN: extracted cert file is not present.
tlsmc_convert: WARN: extracted key file is not present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--001980C4268A97C9710D...CB9BA81FA76D9/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /OU=LDAPAUTH/OU=Example1 CA, issuer: /OU=LDAPAUTH/OU=Example1 CA
TLS certificate verification: depth: 0, err: 0, subject: /O=LDAPAUTH/CN=ldapServer.example.com, issuer: /OU=LDAPAUTH/OU=Example1 CA
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldapServer.example.com) does not match common name in certificate (ldapServers.example.com).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Note that the only error surfaced through the LDAP API is "Can't contact LDAP server (-1)", which is LDAP_SERVER_DOWN; the actual cause (the hostname mismatch) appears only in the TLS debug output. We have seen client-side LDAP Software Development Kits return LDAP_SERVER_DOWN for these types of errors.
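The following is an added example, not code from the original page or from OpenLDAP. It ties the causes listed under "Cause of SSL Handshake Failed" to the error strings that OpenSSL, OpenLDAP's libldap (ldapsearch -d1) and Python's ssl module actually emit, so that a trace like the one above, or a live connection attempt, can be classified instead of being reported as a bare LDAP_SERVER_DOWN. The cause labels are my own naming, and the sample trace lines at the bottom are constructed to mirror the tail of the trace above.

```python
"""Classify "SSL Handshake Failed" errors into the causes listed on this page.

Added example, not code from the original page or from OpenLDAP. The regexes
match the error strings OpenSSL, libldap and Python's ssl module emit; the
cause labels are this example's own names for the causes on the page.
"""
import re
import socket
import ssl

# (cause label, regexes over the error text). Order matters: first match wins.
CAUSE_RULES = [
    ("hostname-mismatch", [
        r"does not match common name",          # libldap TLS check
        r"hostname mismatch",                   # OpenSSL / Python >= 3.7
        r"doesn't match",                       # older Python ssl.match_hostname
        r"ip address mismatch",                 # OpenSSL, connecting by IP
    ]),
    ("certificate-expired", [
        r"certificate has expired",
        r"certificate is not yet valid",
    ]),
    ("incomplete-chain", [
        r"unable to get (local )?issuer certificate",   # missing intermediate/root
        r"self[- ]signed certificate",                  # untrusted root in chain
        r"unable to verify the first certificate",
    ]),
    ("sni-unrecognized", [
        r"unrecognized name",                   # server alert: no cert for the SNI name
    ]),
    ("protocol-version", [
        r"unsupported protocol",
        r"alert protocol version",
        r"no protocols available",
    ]),
    ("not-tls-on-port", [
        r"wrong version number",                # peer answered in plaintext (e.g. port 389)
    ]),
    ("cipher-suite", [
        r"no shared cipher",
        r"no cipher match",
        r"no ciphers available",
    ]),
    ("handshake-alert", [
        r"alert handshake failure",             # generic rejection: cipher, SNI or client cert
    ]),
]


def classify(error_text):
    """Return the cause label for one error message, or 'unknown'."""
    for label, patterns in CAUSE_RULES:
        for pat in patterns:
            if re.search(pat, error_text, re.IGNORECASE):
                return label
    return "unknown"


def classify_log(lines):
    """Scan trace lines (ldapsearch -d1, openssl s_client) and return
    (cause label, triggering line), or ('unknown', '') if nothing is diagnosable."""
    for line in lines:
        label = classify(line)
        if label != "unknown":
            return label, line.strip()
    return "unknown", ""


def probe(host, port=636, server_hostname=None, cafile=None, timeout=5.0):
    """Attempt a live TLS handshake and return (cause label, detail).

    'ok' means the handshake completed and the certificate validated.
    Needs network access, so the offline demonstration below does not call it.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    sni = server_hostname or host                       # value sent in the SNI extension
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return "ok", f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        # verify_message is the X.509 verify reason, e.g. 'certificate has expired'
        detail = getattr(exc, "verify_message", None) or str(exc)
        return classify(detail), detail
    except ssl.SSLError as exc:
        # exc.reason is e.g. 'NO_SHARED_CIPHER' or 'TLSV1_UNRECOGNIZED_NAME'
        detail = f"{exc.reason or ''} {exc}".strip()
        return classify(detail), detail
    except OSError as exc:                               # TCP-level failure, not a TLS one
        return "connect-failed", str(exc)


# Constructed sample, modelled on the tail of the ldapsearch -d1 trace above.
SAMPLE_TRACE = [
    "TLS trace: SSL_connect:SSLv3 read finished A",
    "TLS: hostname (ldapServer.example.com) does not match common name "
    "in certificate (ldapServers.example.com).",
    "ldap_err2string",
    "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)",
]

if __name__ == "__main__":
    print(classify_log(SAMPLE_TRACE))
```

To check a live server, call probe with the name you expect on the certificate and the CA bundle the client trusts, for example probe("ldapServer.example.com", 636, cafile="/etc/openldap/certs/ca.pem") (the path is an assumption). Passing a different server_hostname than host is the quick way to confirm an SNI or hostname problem: if the handshake succeeds with the certificate's name but fails with the DNS name you use, the fix is a certificate with the right Subject Alternative Name, not a client-side workaround.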