I have an EC2 instance on AWS from which I want to curl one specific website. When I try, I receive the error "OpenSSL SSL_connect: Connection reset by peer in connection to host", and when I try to use the openssl s_client -connect host:443 -showcerts command to retrieve the SSL certificate, I receive the message:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
But, when I try to do it on my personal computer, I can do both: the openssl and the curl command without errors.
I type the following command
openssl s_client -showcerts -connect servername:443
In the SSL session I get the certificates and
Verify return code: 18 (self signed certificate)
I have a program that is using the certificate to talk to the server, but is not able to ..it says
Error: Failed to initiate SSL handshake with peer. There is possibly a problem with your SSL certificate.
I have another server and an openssl command gives Verify return code: 0 (ok) and the program connects to it with no problem.
I do not know how the program (a C++ program) is trying to connect to the servers. But does anybody know any of the possible reasons why it is not able to connect to a server with a self-signed certificate?
I am not able to verify the webmaster account of one of my clients.
Google is saying "Verification failed - The connection to your server timed out."
When I tried to wget the URL, I got the error below. Can someone please help me resolve this?
[pdurgapal]$ wget https://atlanticdiscountstore.com
--2017-06-28 11:48:48-- https://atlanticdiscountstore.com
Resolving atlanticdiscountstore.com... 188.241.58.18
Connecting to atlanticdiscountstore.com|188.241.58.18|:443... connected.
ERROR: cannot verify atlanticdiscountstore.com’s certificate, issued by “/CN=baldwincountyunited.com”:
Self-signed certificate encountered.
ERROR: certificate common name “baldwincountyunited.com” doesn’t match requested host name “atlanticdiscountstore.com”.
To connect to atlanticdiscountstore.com insecurely, use ‘--no-check-certificate’.
[pdurgapal]$
You must be using a very old version of wget which has no support for SNI. When using a proper client with support for SNI the certificate can be verified. Apart from that, the server is terribly slow in responding after the TLS handshake is successfully done, but this is not the issue you asked about.
To demonstrate the problem, here is an access to the site without SNI:
$ openssl s_client -connect atlanticdiscountstore.com:443 |\
openssl x509 -text
...
Subject: CN=baldwincountyunited.com
...
X509v3 Subject Alternative Name:
DNS:baldwincountyunited.com, DNS:mail.baldwincountyunited.com, DNS:www.baldwincountyunited.com
and with SNI:
$ openssl s_client -connect atlanticdiscountstore.com:443 \
-servername atlanticdiscountstore.com |\
openssl x509 -text
...
Subject: ... CN=*.atlanticdiscountstore.com
...
X509v3 Subject Alternative Name:
DNS:*.atlanticdiscountstore.com, DNS:atlanticdiscountstore.com
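As an added example (not part of the answer above), the two certificates the answer shows are encoded as constructed dicts in the shape getpeercert() returns, and a small matcher applies the usual rules (SAN dNSName entries first, CN only when there is no SAN, a wildcard covers exactly one leftmost label) to show which hostnames each certificate covers; fetch_peer_cert is a helper name chosen here that retrieves the live leaf certificate with or without SNI.

```python
import socket
import ssl

# Constructed from the answer's openssl output: the certificate served when
# no SNI is sent (default vhost) and the one served with SNI.
DEFAULT_CERT = {
    "subject": ((("commonName", "baldwincountyunited.com"),),),
    "subjectAltName": (("DNS", "baldwincountyunited.com"),
                       ("DNS", "mail.baldwincountyunited.com"),
                       ("DNS", "www.baldwincountyunited.com")),
}
SNI_CERT = {
    "subject": ((("commonName", "*.atlanticdiscountstore.com"),),),
    "subjectAltName": (("DNS", "*.atlanticdiscountstore.com"),
                       ("DNS", "atlanticdiscountstore.com")),
}

def _name_match(pattern, host):
    """RFC 6125 style matching: '*' may only be the whole leftmost label and
    matches exactly one label, so *.example.com covers www.example.com but
    neither example.com nor a.b.example.com."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def cert_matches_host(cert, host):
    """True if host is covered by a SAN dNSName entry, or, only when the
    certificate carries no SAN at all, by the subject commonName."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(_name_match(n, host) for n in names)

def fetch_peer_cert(host, port=443, sni=True, timeout=10):
    """Fetch the leaf certificate with or without SNI (needs network). The
    chain is still verified; only the hostname check is disabled so a
    mismatching certificate can be inspected instead of aborting."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for label, cert in (("without SNI", DEFAULT_CERT), ("with SNI", SNI_CERT)):
        print(label, "->", cert_matches_host(cert, "atlanticdiscountstore.com"))
```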
This has me stumped, hoping someone could help me out. I had a working rabbitmq cluster until the SSL certificate expired.
After installing a new signed certificate, I'm getting the following errors for all connections:
=INFO REPORT==== 19-Oct-2016::21:39:27 ===
accepting AMQP connection <0.3532.0> (x.x.x.x:43958 -> x.x.x.x:5671)
=ERROR REPORT==== 19-Oct-2016::21:39:33 ===
Error on AMQP connection <0.3536.0>:
{ssl_upgrade_error,{certfile,{badmatch,[]}}}
Trying an openssl s_client connection
openssl s_client -connect x.x.x.x:5671 -cert ssl.crt -key ssl.key -CAfile intermediate.crt
Results in this:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
But running the SSL key checker with s_server/s_client from https://www.rabbitmq.com/troubleshooting-ssl.html#troubleshooting works via localhost and port 8443.
No files have been moved, the old certificates were simply replaced with the same name in the same dirs. The CSR was generated with the same key, so the only things that were replaced were the certificate and intermediate certificate taken directly from the SSL issuer.
If I revert back to the old certificates, the {ssl_upgrade_error,{certfile,{badmatch,[]}}} doesn't appear and I can s_client without issues (apart from the SSL expired error).
Turns out the issue was with the certfile itself; I went directly to the SSL issuer to download them and moved them onto the server.
I'm trying to set up an SSL connection to SagePay from my website. I can run openssl s_client successfully; it returns Verify return code: 0 (ok), but only if I specify the CApath, e.g.
openssl s_client -connect test.sagepay.com:443 -CApath /usr/local/ssl/certs/
When I try using the website I get an error:
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
How do I tell NGINX where to find the ssl certs I have installed?
I have a problem. I ran the command "openssl s_client -connect server.server:143", and the error is:
CONNECTED(00000003)
140719622096768:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I did that because the Horde connection gives an error at login.
How can I resolve this?
openssl s_client -connect server.server:143
Port 143 is plain IMAP, that is, you cannot talk TLS directly to this port. If you try, you will get some data back which is not TLS, and thus strange error messages will occur. If you want to have TLS you have to either use imaps (port 993) or issue a STARTTLS command. You can also use openssl for this with
openssl s_client -connect server:143 -starttls imap
From your output it might even be that you used this option but did not put it into your question (because 7 bytes from the server would match a TLS alert, but is unusually short for an IMAP greeting). If this is the case there might be lots of reasons why the connection fails and it is not possible to pin the problem down just from your description. If you want more help, look at http://noxxi.de/howto/ssl-debugging.html#hdr2.2 on how you could narrow down the problem and what information you should provide if you need help from others.
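As an added example, not part of the answer above: a classifier for the first bytes a server sends back after a ClientHello, which tells a plaintext IMAP greeting (TLS is not spoken on that port, so use STARTTLS or port 993) apart from the 7-byte TLS alert the answer mentions, plus a starttls_imap helper (name chosen here) that performs the STARTTLS upgrade with imaplib, the protocol-level equivalent of openssl s_client -starttls imap. The sample byte strings are constructed.

```python
import imaplib
import ssl

# Subset of RFC 5246 AlertDescription values, enough to name common failures.
TLS_ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 46: "certificate_unknown", 70: "protocol_version",
    80: "internal_error", 112: "unrecognized_name",
}

# Constructed samples: a plaintext IMAP banner and a 7-byte fatal TLS alert
# (record type 0x15, version 3.1, length 2, level fatal, handshake_failure).
IMAP_GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] server ready\r\n"
TLS_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])

def classify_server_bytes(data: bytes):
    """Return (kind, detail) for the first bytes a server sent us:
    'tls-alert'     -> a real TLS endpoint answered but refused the handshake
    'tls-handshake' -> ServerHello etc., TLS is working on this port
    'imap-greeting' -> plaintext IMAP, so TLS is not spoken here (STARTTLS/993)
    'unknown'       -> something else, shown as a hex prefix"""
    if len(data) >= 5 and data[0] in (0x15, 0x16) and data[1] == 3:
        rec_len = int.from_bytes(data[3:5], "big")
        if data[0] == 0x15 and rec_len == 2 and len(data) >= 7:
            level = "fatal" if data[5] == 2 else "warning"
            name = TLS_ALERT_DESCRIPTIONS.get(data[6], f"alert {data[6]}")
            return "tls-alert", f"{level} {name}"
        if data[0] == 0x16:
            return "tls-handshake", f"record of {rec_len} bytes"
    if data.startswith(b"* OK") or data.startswith(b"* PREAUTH"):
        line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return "imap-greeting", line
    return "unknown", data[:16].hex()

def starttls_imap(host, port=143, timeout=10):
    """Open plaintext IMAP on port 143, upgrade with STARTTLS (certificate
    and hostname verified by the default context) and return the
    capabilities advertised after the upgrade. Needs network access."""
    ctx = ssl.create_default_context()
    imap = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        imap.starttls(ssl_context=ctx)
        return imap.capabilities
    finally:
        imap.logout()

if __name__ == "__main__":
    for sample in (IMAP_GREETING, TLS_ALERT):
        print(len(sample), "bytes ->", classify_server_bytes(sample))
```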