!!! Overview
[{$pagename}] (often seen as Error 525: SSL handshake failed) is an [Error] that occurs during the [TLS Handshake].

!! Cause of [{$pagename}]
[{$pagename}] is a message you receive when the [TLS Handshake] process fails.

After your computer (the [client]) sends the secure connection request to the [server], the server is supposed to send its [certificate] (containing its [Public Key]) back to your computer, where it is automatically checked against a list of certificate authorities. Once the [certificate] has been received and validated, the computer generates a key and encrypts it using the [Public Key].

[{$pagename}] occurs if any step of this exchange is refused or fails, which prevents the [client] from completing [authentication] of the [server] and indicates that the [client]'s connection to the [server] is NOT secure.

This can be caused by a number of different reasons:
* The [SSL]/[TLS] [protocol] version being requested is not supported by the [server]
* The [Cipher Suite] being requested is not supported by the [server]
* The [hostname] in the URL doesn’t match what’s on the [certificate] ([Certificate Validation])
* The [Certificate Chain] is invalid or incomplete ([Certificate Validation])
* The certificate has expired or is otherwise no longer valid ([Certificate Validation])
* The client or server cannot communicate using [Server Name Indication] ([SNI])

!! [{$pagename}] [Examples]

! [Certificate Validation]

In this example the server name does not match the common name in the certificate:
{{{
ldapsearch -d1 -x -LLL -H "ldaps://ldapServer.example.com:636" -b "" -s base -a never -z 10 "(objectClass=*)" "namingContexts"
ldap_url_parse_ext(ldaps://ldapServer.example.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldapServer.example.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapServer.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.92.181.29:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs/'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs/'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--001980C4268A97C9710D...CB9BA81FA76D9'.
tlsmc_convert: INFO: using the existing PEM dir.
tlsmc_convert: WARN: extracted cert file is not present.
tlsmc_convert: WARN: extracted key file is not present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--001980C4268A97C9710D...CB9BA81FA76D9/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /OU=LDAPAUTH/OU=Example1 CA, issuer: /OU=LDAPAUTH/OU=Example1 CA
TLS certificate verification: depth: 0, err: 0, subject: /O=LDAPAUTH/CN=ldapServer.example.com, issuer: /OU=LDAPAUTH/OU=Example1 CA
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldapServer.example.com) does not match common name in certificate (ldapServers.example.com).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
}}}
We have seen [Client-side] [LDAP] [Software Development Kits] return [LDAP_SERVER_DOWN] for these types of errors.
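As an added illustration of the [Certificate Validation] step that failed in the trace above (example code written for this page, not part of ldapsearch or OpenLDAP), the following Python function applies the usual hostname-matching rules to a certificate's names: DNS Subject Alternative Names take precedence over the subject CN, comparison is case-insensitive, and a wildcard is only honoured as the entire leftmost label. The two hostnames are taken from the trace; the wildcard and SAN inputs are constructed.

```python
from typing import Iterable, Optional


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against a hostname.

    Rules applied (RFC 6125 style): case-insensitive, trailing dots ignored,
    '*' allowed only as the whole leftmost label, never spanning a dot, and
    never covering a bare two-label name such as '*.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # Same number of labels, and every label after the wildcard is identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname: str,
                          san_dns_names: Iterable[str],
                          common_name: Optional[str]) -> bool:
    """Return True if the certificate covers `hostname`.

    If the certificate carries any DNS SANs, only those are consulted; the
    subject CN is a fallback used solely when no DNS SAN is present.
    """
    sans = list(san_dns_names)
    if sans:
        return any(_name_matches(name, hostname) for name in sans)
    return common_name is not None and _name_matches(common_name, hostname)


if __name__ == "__main__":
    # Values from the ldapsearch trace above: CN has an extra 's'.
    requested = "ldapServer.example.com"
    cert_cn = "ldapServers.example.com"
    print(f"{requested} vs CN {cert_cn}: "
          f"{hostname_matches_cert(requested, [], cert_cn)}")  # False
```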

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]