SSL Handshake Failed

Overview#

SSL Handshake Failed (often seen as Error 525: SSL handshake failed) is the error reported when the TLS Handshake does not complete.

Cause of SSL Handshake Failed#

SSL Handshake Failed is a message you receive when the TLS Handshake process fails.

After you send the secure connection request, the remote side is supposed to send its Public Key (carried in its certificate) to your computer, where it is automatically checked against a list of Certificate Authorities. Once the certificate has been received and checked, the computer generates a key and encrypts it using that Public Key.

SSL Handshake Failed occurs if access has not been granted to the system, which prevents the client from completing authentication and indicates that the client's connection to the server is NOT secure.

This can happen for a number of different reasons:

SSL Handshake Failed Examples#

Certificate Validation#

In this example the server name (the hostname that was connected to) does not match the Common Name in the certificate:

ldapsearch -d1 -x -LLL -H "ldaps://ldapServer.example.com:636" -b "" -s base -a never -z 10 "(objectClass=*)" "namingContexts"
ldap_url_parse_ext(ldaps://ldapServer.example.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldapServer.example.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapServer.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.92.181.29:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs/'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs/'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--001980C4268A97C9710D...CB9BA81FA76D9'.
tlsmc_convert: INFO: using the existing PEM dir.
tlsmc_convert: WARN: extracted cert file is not present.
tlsmc_convert: WARN: extracted key file is not present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--001980C4268A97C9710D...CB9BA81FA76D9/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /OU=LDAPAUTH/OU=Example1 CA, issuer: /OU=LDAPAUTH/OU=Example1 CA
TLS certificate verification: depth: 0, err: 0, subject: /O=LDAPAUTH/CN=ldapServer.example.com, issuer: /OU=LDAPAUTH/OU=Example1 CA
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldapServer.example.com) does not match common name in certificate (ldapServers.example.com).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

We have seen Client-side LDAP Software Development Kits return LDAP_SERVER_DOWN with these types of errors.
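The trace above is long, and the lines that actually explain the failure (the per-depth "TLS certificate verification" results, the hostname check, and the final LDAP_SERVER_DOWN) are easy to miss. The following is an added example, not code from this wiki or from OpenLDAP: it parses a constructed excerpt of an ldapsearch -d1 trace in the format shown above and reports the first cause the trace supports, in handshake order (chain verification errors before the hostname check, and the bare "Can't contact LDAP server (-1)" only when nothing more specific was logged). It also includes a hostname_matches() helper that goes slightly beyond the page: besides the exact, case-insensitive comparison that fails here, it handles a single leftmost wildcard label in the style of RFC 6125, so it shows why ldapServer.example.com does not match ldapServers.example.com but would match *.example.com. The line formats, the names and the -1 error code are taken from the trace above; everything else is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt of an `ldapsearch -d1` trace, modelled on the one shown
# above: the names and the CA subject are the page's, the line order is real.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /OU=LDAPAUTH/OU=Example1 CA, issuer: /OU=LDAPAUTH/OU=Example1 CA
TLS certificate verification: depth: 0, err: 0, subject: /O=LDAPAUTH/CN=ldapServer.example.com, issuer: /OU=LDAPAUTH/OU=Example1 CA
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldapServer.example.com) does not match common name in certificate (ldapServers.example.com).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""

# Each "TLS certificate verification" line reports one link of the chain:
# depth 0 is the server certificate, higher depths are the issuers.
VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), "
    r"subject: (.*?), issuer: (.*)$"
)
# OpenLDAP's post-verification hostname check (the failure in the page's trace).
HOSTNAME_RE = re.compile(
    r"TLS: hostname \((\S+)\) does not match common name in certificate \((\S+)\)"
)
# The aborted connection is reported as LDAP_SERVER_DOWN (-1), as the page notes.
SERVER_DOWN_RE = re.compile(r"Can't contact LDAP server \(-1\)")


@dataclass
class HandshakeReport:
    chain: List[Tuple[int, int, str, str]] = field(default_factory=list)
    requested_host: Optional[str] = None
    cert_name: Optional[str] = None
    server_down: bool = False

    def cause(self) -> str:
        """Most specific explanation the trace supports, checked in handshake order."""
        failed = [link for link in self.chain if link[1] != 0]
        if failed:
            depth, err, subject, _ = failed[0]
            return f"certificate verification failed at depth {depth} (err {err}) for {subject}"
        if self.requested_host and self.cert_name:
            return (f"hostname mismatch: connected to {self.requested_host} "
                    f"but certificate names {self.cert_name}")
        if self.server_down:
            return "connection dropped before TLS verification produced any diagnostic"
        return "handshake completed"


def parse_trace(text: str) -> HandshakeReport:
    """Pull the TLS-relevant lines out of an ldapsearch -d1 trace."""
    report = HandshakeReport()
    for line in text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            depth, err, subject, issuer = m.groups()
            report.chain.append((int(depth), int(err), subject, issuer))
            continue
        m = HOSTNAME_RE.search(line)
        if m:
            report.requested_host, report.cert_name = m.groups()
            continue
        if SERVER_DOWN_RE.search(line):
            report.server_down = True
    return report


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Name comparison in the style of RFC 6125: case-insensitive exact match,
    or a single '*' as the whole leftmost label matching exactly one label."""
    host = hostname.lower().rstrip(".")
    name = cert_name.lower().rstrip(".")
    if host == name:
        return True
    if name.startswith("*.") and "*" not in name[2:]:
        host_labels = host.split(".")
        name_labels = name.split(".")
        # A wildcard must cover one label and leave at least two fixed labels.
        return (len(name_labels) >= 3
                and len(host_labels) == len(name_labels)
                and host_labels[1:] == name_labels[1:])
    return False


if __name__ == "__main__":
    report = parse_trace(SAMPLE_TRACE)
    for depth, err, subject, issuer in report.chain:
        print(f"depth {depth}: err={err} subject={subject} issuer={issuer}")
    print("diagnosis:", report.cause())
    print("names match:", hostname_matches(report.requested_host, report.cert_name))
```

Run it against the trace of a failing client and read the diagnosis line first: a non-zero err at any depth means the chain itself was rejected (wrong or missing CA in cacertdir), while a hostname mismatch with err 0 at every depth means the certificate is trusted but was issued for a different name, which is fixed by connecting with the name on the certificate or reissuing the certificate, not by adding CAs.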

More Information#

There might be more information for this subject on one of the following: