I have a website hosted on a VPS running CentOS 6 and running fine. Now I have to make it accesible with SSL, so I configured /etc/httpd/conf/httpd.confand /etc/httpd/conf.d/ssl.conf to make httpd listen to port 443, then binding the virtualhost related to the website to the same port.
The apparent result of the whole configuration may be resumed by the following diagnostics that also resumes some tests I performed (I masked data where necessary, and my.site.com is dummy):
# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
# httpd -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 my.site.com (/etc/httpd/conf.d/ssl.conf:74)
*:80 my.site.com (/etc/httpd/conf/httpd.conf:1022)
*:8888 my.site.com (/etc/httpd/conf/httpd.conf:1045)
Syntax OK
# openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=2 O = [Some authority here], CN = [Some authority here] Root CA X3
verify return:1
depth=1 C = US, O = [Some authority here], CN = [Some authority here] X3
verify return:1
depth=0 CN = my.site.com
verify return:1
---
Certificate chain
0 s:/CN=my.site.com
i:/C=US/O=[some authority here]/CN=[some authority here] X3
1 s:/C=US/O=[some authority here]/CN=[some authority here] X3
i:/O=[some authority here]/CN=[Some authority here] Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[some certificate codes here]
-----END CERTIFICATE-----
subject=/CN=my.site.com
issuer=/C=US/O=[some authority here]/CN=[some authority here] X3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3672 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: [some coding here]
Session-ID-ctx:
Master-Key:
[some coding here]
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
[other codes here]
Start Time: 1483709215
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
# openssl s_client -connect [my.site.com's IP] -state -nbio 2>&1 | grep "^SSL"
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL handshake has read 3672 bytes and written 373 bytes
SSL-Session:
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify
# iptables -L -v | grep https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
# netstat -lnp | grep 443
tcp 0 0 :::443 :::* LISTEN 22682/httpd
Now, the website is still responding via the usual browser http://my.site.com address, while it return ERR_CONNECTION_TIMED_OUT if trying https://my.site.com.
Furthermore, accessing by remote I obtain:
# openssl s_client -connect [my.site.com's IP:443]
connect: No route to host
connect:errno=113
So, what is the problem or how can I investigate its origin?
Thanks in advance for your help.
Related
To reach a target file, I must put specific Host Header in request, because server is using SNI.
My server's ip is 172.1.1.61 and mydomain.com is target host which can give me a file.
I tried to use a curl like that with no success:
curl -I --resolve mydomain.com:443:172.1.1.61 https://172.1.1.61:443/FederationMetadata/2007-06/FederationMetadata.xml -v
* Added mydomain.com:443:172.1.1.61 to DNS cache
* About to connect() to 172.1.1.61 port 443 (#0)
* Trying 172.1.1.61...
* Connected to 172.1.1.61 (172.1.1.61) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer
Also I tried to use an openssl client:
openssl s_client -connect 172.1.1.61:443 -servername mydomain.com
And it has showed me a valid certificate, related to mydomain.com:
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = mydomain.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=mydomain.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
some moar strings
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMTkwNDAzMDQyODE3Wh==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=mydomain.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4609 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9B020000BE0E627BF16F61C924ED4B90FF698F1868168A0467E0F359F98DE1FA
Session-ID-ctx:
Master-Key: (hidden)
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1602236714
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=104
But the last string is read:errno=104 what is equal to Connection Reset error.
As my last hope I'd installed a Modify Header Value plugin on my Chrome browser and made settings like that:
But still no connection:
What I did wrong?
openssl s_client -connect 172.1.1.61:443 -servername mydomain.com
...
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
...
But the last string is read:errno=104 what is equal to Connection Reset error.
The error you see here means that the connection reset happens in the final stages or directly after the TLS handshake. In this stage SNI is already used to select the certificate and the HTTP request with the Host header is not yet sent. This means that neither SNI nor the Host header are the actual problem here.
This means one can exclude wrong SNI and Host header as the possible reasons for the connection reset. A shared cipher is also found so this is also not a problem. It might be for example a missing client certificate or something else. Maybe the server logs will show.
TIBCO version - TIBCO ActiveMatrix BusinessWorks 5.7.2
Problem:
I am the consumer of the TIBCO server, getting SSL handshake failure. I have tried the following openssl commands to see if it can accept connections. Below are my results:
openssl s_client -showcerts -connect tibco-server:port -verify 3 -tls1 -state
verify depth is 3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:unexpected_message
SSL_connect:failed in error
139827261306768:error:140943F2:SSL routines:ssl3_read_bytes:sslv3 alert unexpected message:s3_pkt.c:1493:SSL alert number 10
139827261306768:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1581402078
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
However the same is working when I hit with ssl3 option
openssl s_client -showcerts -connect tibco-server:port -verify 3 -ssl3 -state
verify depth is 3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = AU, ST = <state>, L = <location>, O = <org>, OU = <unit>, CN = <cn>
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = <state>, L = <location>, O = <org>, OU = <unit>, CN = <cn>
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----
---
Server certificate
subject=...
issuer=...
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1779 bytes and written 362 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES128-SHA
Session-ID: 8BCEAEADC85613876FFF0E2EAB590A92
Session-ID-ctx:
Master-Key: <master-key-here>
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1581402661
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
I have masked some of the output data.
Any help on why, openssl can connect TIBCO via ssl3 but not tls1.0 ?
This issue got resolved after the security configuration changes in TIBCO server. Now the clients can successfully negotiate TLS1.0 connections with TIBCO server.
FIX
Changed security to be j2se instead of entrust
java.property.TIBCO_SECURITY_VENDOR=j2se
References
https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-38616
https://community.tibco.com/questions/tls-compatibility-tibco-bw
I have created a private mail server using iRedMail & Nginx. I have installed SSL certificates and keys into Nginx and iRedMail itself at the below locations. The server runs great and everything works via web mail. The browser agrees that the SSL certificate is valid and HTTPS works.
The issue is when I add the mail account to my email client, I get an invalid certificate error, and the same issue when using CalDav. It still works, but this makes me think that I'm missing some certificate install somewhere. Any suggestions? Thank you!
/etc/ssl/certs/iRedMail.crt
/etc/ssl/private/iRedMail.key
Here is the output of openssl s_client -showcerts -connect mail.bragsdale.dev:993
CONNECTED(00000003)
depth=0 CN = bragsdale.dev
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = bragsdale.dev
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=bragsdale.dev
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
...CERTIFICATE HERE...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=bragsdale.dev
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2064 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 3DD2E8B607CF5B4ACECDB995078FDAE80C210097372B80CD1409E90A0A523E0A
Session-ID-ctx:
Master-Key: F1953ABEAC1024279DA6D0E17D26E3305E7C2A9589976FDFD2DBF22E4B6280415BC271E5228045B7D0C5E8A0B3921B11
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
....DATA HERE...
Start Time: 1551664367
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready
Fixed it. The problem was I wasn't using my intermediary certificate. See this answer for details.
A note, when I cat'ed the certificates together it was malformed, with the END CERTIFICATE/BEGIN CERTIFICATE being on one line. Easily fixed with a text editor.
I was previously able to access the site roughly a week or two ago. Lately, no matter what browser, computer, or device I use to access dmv.ca.gov from inside my network the SSL handshake fails and the site gives an empty response. I can access other sites, including ca.gov, but just not dmv.ca.gov. The handshake fails, I think, because I get no response from the server.
When I run openssl from my ubuntu box I get the following output:
captain#HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv2/v3 read server hello A
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1531959808
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
However, what I would expect is the following (same command on an AWS instance I have:
ubuntu#ip-10-0-144-141:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:unknown state
SSL_connect:error in unknown state
SSL_connect:error in unknown state
read R BLOCK
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, postalCode = 95814, ST = CA, L = Sacramento, street = "1325 J Street, Suite 1600", O = State of California, OU = Department of Motor Vehicles, OU = Hosted by State of California, OU = Multi-Domain SSL, CN = www.dmv.ca.gov
verify return:1
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:error in unknown state
read R BLOCK
SSL_connect:error in unknown state
read R BLOCK
SSL_connect:unknown state
read R BLOCK
---
Certificate chain
0 s:/C=US/postalCode=95814/ST=CA/L=Sacramento/street=1325 J Street, Suite 1600/O=State of California/OU=Department of Motor Vehicles/OU=Hosted by State of California/OU=Multi-Domain SSL/CN=www.dmv.ca.gov
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIINzCCBx+gAwIBAgIRAJ2VHzZ23HIPwp3suYpAPogwDQYJKoZIhvcNAQELBQAw
gZYxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTwwOgYD
VQQDEzNDT01PRE8gUlNBIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIFNlY3VyZSBT
ZXJ2ZXIgQ0EwHhcNMTgwNDI3MDAwMDAwWhcNMjAwNDI2MjM1OTU5WjCCAQQxCzAJ
BgNVBAYTAlVTMQ4wDAYDVQQREwU5NTgxNDELMAkGA1UECBMCQ0ExEzARBgNVBAcT
ClNhY3JhbWVudG8xIjAgBgNVBAkTGTEzMjUgSiBTdHJlZXQsIFN1aXRlIDE2MDAx
HDAaBgNVBAoTE1N0YXRlIG9mIENhbGlmb3JuaWExJTAjBgNVBAsTHERlcGFydG1l
bnQgb2YgTW90b3IgVmVoaWNsZXMxJjAkBgNVBAsTHUhvc3RlZCBieSBTdGF0ZSBv
ZiBDYWxpZm9ybmlhMRkwFwYDVQQLExBNdWx0aS1Eb21haW4gU1NMMRcwFQYDVQQD
Ew53d3cuZG12LmNhLmdvdjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANICIjcwXvW6kwMzboV0jD0eTSfH6ZXTZWRW6cDCHKV+cn2Ut4AVjLduJ++3GH3T
XzGlBFKTjccs+CB3lZJCk/8CbCr0zWuxVvIn+EQlTU5bjxK8hpZxGMk4Xqck8UOQ
k3slP/DeQ6e59bxBiNXXfDSlMIti75oVN6Q9IKMNRSY78xOtIyath8EGS0QxeHmU
AlLvtreKPsi/s1zwc9sCi6o+KLthiQOBV0tBcaMwH3O0zWU6izo4urOZnGdtcEto
3WClQIODfDey2oMtJIZg7zi9U2PjInJHX/NHLbDTT/50C6gEuTsVDUecc51tlkuX
5/PPh7qBQeffLqeACCbi0AUCAwEAAaOCBA0wggQJMB8GA1UdIwQYMBaAFJrzK9rP
rU+2L7sqSEgqErcbQsEkMB0GA1UdDgQWBBQCpbBSuY1+fz9cPVBsP2qXDy7OgzAO
BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwUAYDVR0gBEkwRzA7BgwrBgEEAbIxAQIBAwQwKzApBggrBgEF
BQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYGZ4EMAQICMFoG
A1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JT
QU9yZ2FuaXphdGlvblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYsGCCsG
AQUFBwEBBH8wfTBVBggrBgEFBQcwAoZJaHR0cDovL2NydC5jb21vZG9jYS5jb20v
Q09NT0RPUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
dDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMIHJBgNVHREE
gcEwgb6CDnd3dy5kbXYuY2EuZ292ggpkbXYuY2EuZ292gg5lZGwuZG12LmNhLmdv
doIRZWRsYXBwLmRtdi5jYS5nb3aCEXJlYWxpZC5kbXYuY2EuZ292ghFzdXJ2ZXku
ZG12LmNhLmdvdoISd3d3LmVkbC5kbXYuY2EuZ292ghV3d3cuZWRsYXBwLmRtdi5j
YS5nb3aCFXd3dy5yZWFsaWQuZG12LmNhLmdvdoIVd3d3LnN1cnZleS5kbXYuY2Eu
Z292MIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoAdwDuS723dc5guuFCaR+r4Z5m
ow9+X7By2IMAxHuJeqj9ywAAAWMJf5JMAAAEAwBIMEYCIQClJmCF9j3SuP7g9By5
MtBXlmWmJkyVbdWi6kke6bhWcwIhAJwe9WqgMawyVYZ832Kf9av6pqqdTG/gSlM+
c3XXkeWaAHcAXqdz+d9WwOe1Nkh90EngMnqRmgyEoRIShBh1loFxRVgAAAFjCX+U
YgAABAMASDBGAiEA1icqpmdKyGl4Wj1iYjxzt52uDsVlKR7m8VqEnd5ke4wCIQCp
9zFllGV53sreB5FvPv8R51l91/JSlup21Sf3me+ugQB2AFWB1MIWkDYBSuoLm1c8
U/DA5Dh4cCUIFy+jqh0HE9MMAAABYwl/kmwAAAQDAEcwRQIgfYoeUJVqJm6+hVwT
IJIxsIuOrBHOT9qCALxHknWXRqoCIQCZStG+T0f+FTPhbhmpmSTRv5cccuuxHEIh
iVo/R+hHMzANBgkqhkiG9w0BAQsFAAOCAQEAYzW4ZehiSJGiEAd+yg3pvYlzD3E7
WYbU8zzBXzo6CoPlpV5Ev4XHUXqawZ5tQO9H03yFHhoSjymLsnIa5URhday0z81s
yIasFymBYGwyccRgzX4Qd6V3tiArY7zDY9Hf00/yp9SSJe6a4KX/aCibsGnX/DIq
91RJNdGfOjd/94jMz9X/umrlvLWJ9ZqVMZYycLO9hkgGdYJQjYDf0wFd+jQ+c+b5
BjVOuO0HHWMfkE+CprcwNSJFzcKHuRUX0gn7EmiYebOLf2P5sRpMN51NQBD0RCSg
ZPOqG1ImhxRaWREfMm4uXJIYZeFU+Xt1NS+gCw752lm4tibJnn3wG1lVYg==
-----END CERTIFICATE-----
subject=/C=US/postalCode=95814/ST=CA/L=Sacramento/street=1325 J Street, Suite 1600/O=State of California/OU=Department of Motor Vehicles/OU=Hosted by State of California/OU=Multi-Domain SSL/CN=www.dmv.ca.gov
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5576 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 789084EE893DD466F4A9A06493691CAF46BCFC14728AF6FBB2A5D6AFEFAEE9CE
Session-ID-ctx:
Master-Key: F88F1EF27749B19B08AC56049072A8C69534D0157E0642CB73952DA1A1F66371C3C32C05AEA248A9272D16D6766483CB
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1531959941
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=104
DIG gives me the same dns records, so I know I'm connecting to the correct server.
At this point I'm running out of ideas. So, I ask of you all, what can I look at or test next?
I've got an actiontec router provided by Verizon, if there are any settings located on that device I need to check.
EDIT: With tls and curl and wget:
captain#HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov -tls1_2
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:error in unknown state
write R BLOCK
SSL_connect:error in unknown state
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1532398652
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
captain#HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov -tls1
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:error in unknown state
write R BLOCK
SSL_connect:error in unknown state
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1532398670
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
captain#HARM01NGINX01:~$ curl dmv.ca.gov
curl: (56) Recv failure: Connection reset by peer
captain#HARM01NGINX01:~$ wget dmv.ca.gov
--2018-07-23 19:18:52-- http://dmv.ca.gov/
Resolving dmv.ca.gov (dmv.ca.gov)... 107.162.129.29
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:18:57-- (try: 2) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:19:03-- (try: 3) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:19:10-- (try: 4) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... ^C
captain#HARM01NGINX01:~$ wget https://dmv.ca.gov
--2018-07-23 19:19:21-- https://dmv.ca.gov/
Resolving dmv.ca.gov (dmv.ca.gov)... 107.162.129.29
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:443... connected.
Unable to establish SSL connection.
I'm trying to run an openssl command to narrow down what the SSL issue might be when trying to send an outbound message from our system.
I found this command in another topic: Using openssl to get the certificate from a server
openssl s_client -connect ip:port -prexit
The output of this results in
CONNECTED(00000003)
15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Does this mean the server isn't presenting any certificate? I tried other systems on a different ip:port and they present a certificate successfully.
Does mutual authentication affect this command with -prexit?
--Update--
I ran the command again
openssl s_client -connect ip:port -prexit
And I get this response now
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I added -ssl3 to the command
openssl s_client -connect ip:port -prexit -ssl3
Response:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
Start Time: 1403907236
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Also trying -tls1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
Start Time: 1403907267
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
I was debugging an SSL issue today which resulted in the same write:errno=104 error. Eventually I found out that the reason for this behaviour was that the server required SNI (servername TLS extensions) to work correctly. Supplying the -servername option to openssl made it connect successfully:
openssl s_client -connect domain.tld:443 -servername domain.tld
15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
...
SSL handshake has read 0 bytes and written 121 bytes
This is a handshake failure. The other side closes the connection without sending any data ("read 0 bytes"). It might be, that the other side does not speak SSL at all. But I've seen similar errors on broken SSL implementation, which do not understand newer SSL version. Try if you get a SSL connection by adding -ssl3 to the command line of s_client.
I encountered the write:errno=104 attempting to test connecting to an SSL-enabled RabbitMQ broker port with openssl s_client.
The issue turned out to be simply that the user RabbitMQ was running as did not have read permissions on the certificate file. There was little-to-no useful logging in RabbitMQ.
In my case the ssl certificate was not configured for all sites (only for the www version which the non-www version redirected to). I am using Laravel forge and the Nginx Boilerplate config
I had the following config for my nginx site:
/etc/nginx/sites-available/timtimer.at
server {
listen [::]:80;
listen 80;
server_name timtimer.at www.timtimer.at;
include h5bp/directive-only/ssl.conf;
# and redirect to the https host (declared below)
# avoiding http://www -> https://www -> https:// chain.
return 301 https://www.timtimer.at$request_uri;
}
server {
listen [::]:443 ssl spdy;
listen 443 ssl spdy;
# listen on the wrong host
server_name timtimer.at;
### ERROR IS HERE ###
# You eighter have to include the .crt and .key here also (like below)
# or include it in the below included ssl.conf like suggested by H5BP
include h5bp/directive-only/ssl.conf;
# and redirect to the www host (declared below)
return 301 https://www.timtimer.at$request_uri;
}
server {
listen [::]:443 ssl spdy;
listen 443 ssl spdy;
server_name www.timtimer.at;
include h5bp/directive-only/ssl.conf;
# Path for static files
root /home/forge/default/public;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/default/2658/server.crt;
ssl_certificate_key /etc/nginx/ssl/default/2658/server.key;
# ...
# Include the basic h5bp config set
include h5bp/basic.conf;
}
So after moving (cutting & pasting) the following part to the /etc/nginx/h5bp/directive-only/ssl.conf file everything worked as expected:
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/default/2658/server.crt;
ssl_certificate_key /etc/nginx/ssl/default/2658/server.key;
So it is not enough to have the keys specified only for the www version even, if you only call the www version directly!
I was getting the below as well trying to get out to github.com as our proxy re-writes the HTTPS connection with their self-signed cert:
no peer certificate available
No client certificate CA names sent
In my output there was also:
Protocol : TLSv1.3
I added -tls1_2 and it worked fine and now I can see which CA it is using on the outgoing request. e.g.:
openssl s_client -connect github.com:443 -tls1_2
I had a similar issue. The root cause was that the sending IP was not in the range of white-listed IPs on the receiving server. So, all requests for communication were killed by the receiving site.
I have met the same problem . but use IP fine;
I specify ip host in /etc/hosts
use IP work fine, but host can't