I'm trying to run an openssl command to narrow down what the SSL issue might be when trying to send an outbound message from our system.
I found this command in another topic: Using openssl to get the certificate from a server
openssl s_client -connect ip:port -prexit
The output of this results in
CONNECTED(00000003)
15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Does this mean the server isn't presenting any certificate? I tried other systems on a different ip:port and they present a certificate successfully.
Does mutual authentication affect this command with -prexit?
--Update--
I ran the command again
openssl s_client -connect ip:port -prexit
And I get this response now
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I added -ssl3 to the command
openssl s_client -connect ip:port -prexit -ssl3
Response:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
Start Time: 1403907236
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Also trying -tls1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
Start Time: 1403907267
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
I was debugging an SSL issue today which resulted in the same write:errno=104 error. Eventually I found out that the reason for this behaviour was that the server required SNI (servername TLS extensions) to work correctly. Supplying the -servername option to openssl made it connect successfully:
openssl s_client -connect domain.tld:443 -servername domain.tld
15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
...
SSL handshake has read 0 bytes and written 121 bytes
This is a handshake failure. The other side closes the connection without sending any data ("read 0 bytes"). It might be, that the other side does not speak SSL at all. But I've seen similar errors on broken SSL implementation, which do not understand newer SSL version. Try if you get a SSL connection by adding -ssl3 to the command line of s_client.
I encountered the write:errno=104 attempting to test connecting to an SSL-enabled RabbitMQ broker port with openssl s_client.
The issue turned out to be simply that the user RabbitMQ was running as did not have read permissions on the certificate file. There was little-to-no useful logging in RabbitMQ.
In my case the ssl certificate was not configured for all sites (only for the www version which the non-www version redirected to). I am using Laravel forge and the Nginx Boilerplate config
I had the following config for my nginx site:
/etc/nginx/sites-available/timtimer.at
server {
listen [::]:80;
listen 80;
server_name timtimer.at www.timtimer.at;
include h5bp/directive-only/ssl.conf;
# and redirect to the https host (declared below)
# avoiding http://www -> https://www -> https:// chain.
return 301 https://www.timtimer.at$request_uri;
}
server {
listen [::]:443 ssl spdy;
listen 443 ssl spdy;
# listen on the wrong host
server_name timtimer.at;
### ERROR IS HERE ###
# You eighter have to include the .crt and .key here also (like below)
# or include it in the below included ssl.conf like suggested by H5BP
include h5bp/directive-only/ssl.conf;
# and redirect to the www host (declared below)
return 301 https://www.timtimer.at$request_uri;
}
server {
listen [::]:443 ssl spdy;
listen 443 ssl spdy;
server_name www.timtimer.at;
include h5bp/directive-only/ssl.conf;
# Path for static files
root /home/forge/default/public;
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/default/2658/server.crt;
ssl_certificate_key /etc/nginx/ssl/default/2658/server.key;
# ...
# Include the basic h5bp config set
include h5bp/basic.conf;
}
So after moving (cutting & pasting) the following part to the /etc/nginx/h5bp/directive-only/ssl.conf file everything worked as expected:
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/default/2658/server.crt;
ssl_certificate_key /etc/nginx/ssl/default/2658/server.key;
So it is not enough to have the keys specified only for the www version even, if you only call the www version directly!
I was getting the below as well trying to get out to github.com as our proxy re-writes the HTTPS connection with their self-signed cert:
no peer certificate available
No client certificate CA names sent
In my output there was also:
Protocol : TLSv1.3
I added -tls1_2 and it worked fine and now I can see which CA it is using on the outgoing request. e.g.:
openssl s_client -connect github.com:443 -tls1_2
I had a similar issue. The root cause was that the sending IP was not in the range of white-listed IPs on the receiving server. So, all requests for communication were killed by the receiving site.
I have met the same problem . but use IP fine;
I specify ip host in /etc/hosts
use IP work fine, but host can't
Related
I currently have a domain named "rabbitmq.<server>.com". I wan't to add SSL certificates to do a AMQPS connection.
I took my nginx certificates generated by certbot (let's encrypt) for the rabbitmq dashboard and i put them into rabbitmq configurations:
#listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/certs/fullchain.pem
ssl_options.certfile = /etc/rabbitmq/certs/cert.pem
ssl_options.keyfile = /etc/rabbitmq/certs/privkey.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
After a restart rabbitmq work and i can diagnostic my connection with openssl on my client computer:
openssl s_client -connect rabbitmq.<server>.com:5671 -cert cert.pem -key privkey.pem -CAfile fullchain.pem -verify 8 -verify_hostname rabbitmq.<server>.com
But openssl raise an error:
00864C1001000000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1588:SSL alert number 48
I tried to change the verify_peer by verify_none and the SSL client work:
...
SSL handshake has read 4579 bytes and written 405 bytes
Verification error: unable to get issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 2 (unable to get issuer certificate)
---
...
AMQP closed
But i don't appreciate to remove security. And my python pika client doesn't work.
My first question is i am doing the job well ? Do i need to take the server certificates (ca, cert, key) or i need to regenerate another for the client ?
SSL alert number 48 means "unknown_ca". The server cannot verify the client certificate you've sent because it does not find any path to the CA's trusted by the server. You might be missing the root CA for cert the signer of your cert?
I have a website hosted on a VPS running CentOS 6 and running fine. Now I have to make it accesible with SSL, so I configured /etc/httpd/conf/httpd.confand /etc/httpd/conf.d/ssl.conf to make httpd listen to port 443, then binding the virtualhost related to the website to the same port.
The apparent result of the whole configuration may be resumed by the following diagnostics that also resumes some tests I performed (I masked data where necessary, and my.site.com is dummy):
# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
# httpd -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 my.site.com (/etc/httpd/conf.d/ssl.conf:74)
*:80 my.site.com (/etc/httpd/conf/httpd.conf:1022)
*:8888 my.site.com (/etc/httpd/conf/httpd.conf:1045)
Syntax OK
# openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=2 O = [Some authority here], CN = [Some authority here] Root CA X3
verify return:1
depth=1 C = US, O = [Some authority here], CN = [Some authority here] X3
verify return:1
depth=0 CN = my.site.com
verify return:1
---
Certificate chain
0 s:/CN=my.site.com
i:/C=US/O=[some authority here]/CN=[some authority here] X3
1 s:/C=US/O=[some authority here]/CN=[some authority here] X3
i:/O=[some authority here]/CN=[Some authority here] Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[some certificate codes here]
-----END CERTIFICATE-----
subject=/CN=my.site.com
issuer=/C=US/O=[some authority here]/CN=[some authority here] X3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3672 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: [some coding here]
Session-ID-ctx:
Master-Key:
[some coding here]
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
[other codes here]
Start Time: 1483709215
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
# openssl s_client -connect [my.site.com's IP] -state -nbio 2>&1 | grep "^SSL"
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL handshake has read 3672 bytes and written 373 bytes
SSL-Session:
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify
# iptables -L -v | grep https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
# netstat -lnp | grep 443
tcp 0 0 :::443 :::* LISTEN 22682/httpd
Now, the website is still responding via the usual browser http://my.site.com address, while it return ERR_CONNECTION_TIMED_OUT if trying https://my.site.com.
Furthermore, accessing by remote I obtain:
# openssl s_client -connect [my.site.com's IP:443]
connect: No route to host
connect:errno=113
So, what is the problem or how can I investigate its origin?
Thanks in advance for your help.
This has me stumped, hoping someone could help me out. I had a working rabbitmq cluster until the SSL certificate expired.
After installing a new signed certificate, i'm getting the following errors for all connections:
=INFO REPORT==== 19-Oct-2016::21:39:27 ===
accepting AMQP connection <0.3532.0> (x.x.x.x:43958 -> x.x.x.x:5671)
=ERROR REPORT==== 19-Oct-2016::21:39:33 ===
Error on AMQP connection <0.3536.0>:
{ssl_upgrade_error,{certfile,{badmatch,[]}}}
Trying an openssl s_client connection
openssl s_client -connect x.x.x.x:5671 -cert ssl.crt -key ssl.key -CAfile intermediate.crt
Results in this:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
But running the SSL key checker with s_server/s_client from https://www.rabbitmq.com/troubleshooting-ssl.html#troubleshooting works via localhost and port 8443.
No files have been moved, the old certificates were simply replaced with the same name in the same dirs. The CSR was generated with the same key, so the only things that were replaced were the certificate and intermediate certificate taken directly from the SSL issuer.
If I revert back to the old certificates, the {ssl_upgrade_error,{certfile,{badmatch,[]}}} doesnt appear and I can s_client without issues (apart from the ssl is expired error)
Turns out the issue was with the certfile itself, went directly to the ssl issuer to download them and move them into the server
I am trying to establish ssl connection with rabbitmq broker.
I follow this page to help me and I find my bug, but I don't know who to resolve it. I am stuck at the test connection with the broker :
openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1470206187
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
And I have no log but I need accepting AMQP connection.
#Rabbimq.conf
[
{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile,".../testca/cacert.pem"},
{certfile,".../server/cert.pem"},
{keyfile,".../server/key.pem"},
{ciphers, [{rsa,aes_256_cbc,sha256}]},
{verify,verify_peer},
{fail_if_no_peer_cert,false}]}
]}
].
The certificates that I use are validated, verified and created with the doc.
I think is this issue that does not allow me to perform a ssl connection.
Thanks
Edit: I created the certificates at /var/lib/rabbitmq with the user rabbitmq and like this permissions goes right and the server can access to the certs.
Everything worked for me after I replaced in rabbitmq.config
{certfile,".../server/cert.pem"},
to full file path.
{certfile,"/data/server/cert.pem"}
The rabbitmq says nothing when it can't find or can't read certificate file.
Check permissions for certificate files!
I have an Android app that has some trouble with a site's certificate when connecting via https. As I'm experiencing trouble even when using a custom keystore with the certificates ("No peer certificate") I'm trying to get more information about the connection, handshake and certificates actually given by the server.
The version of openssl is follows:
$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
When I just try to get info about the certificates I get this response:
$ openssl s_client -showcerts -connect [hostname]:443 </dev/null
CONNECTED(00000003)
3069977808:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
This is how Chrome describes the connection (sorry for the Norwegian text, but you get an idea of the connection and encryption type:
Based on the info from Chrome I've tried different commands to get the certificates, but they all seem to fail. My top candidate was this one:
$ openssl s_client -showcerts -connect [hostname]:443 -tls1_2 -cipher RC4-MD5
CONNECTED(00000003)
3069396176:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
3069396176:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1414399499
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Anyone got any hints based on the info given?
This might be an SNI issue, where the server has no default certificate defined for non-SNI clients. Android included a version of Apaches httpclient which is known to not support SNI and your openssl s_client command also does not use SNI.
Please try openssl s_client -servername hostname -connect ... to use SNI and see if this helps.