SSL Cannot Make A Handshake - ssl

After strictly following the SSL certificate authority documentation, I'm stumped to solve the reason for this error. When accessing my website via HTTPS Firefox spits out the following error:
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
I went back and found this in the SSL error log (domain was modified on purpose):
[Mon May 09 02:11:05 2011] [warn] RSA server certificate wildcard CommonName (CN) `*.domain.com' does NOT match server name!?
Where is the server name defined? I can't find a reasonable explanation in my httpd-ssl.conf file to solve this error. Thanks for your help!
Update Finally solved the problem, detailed below:
Unfortunately it was created by a default value in my Apache distribution. The option:
SSLVerifyClient require
Actually needed to be set as:
SSLVerifyClient optional
I'm not issuing client certs just yet. However credit is due to the answers for narrowing the problem. I appreciate the help!

That line in your logfile might matter later, but it's only a [warn] and it's not what handshake_failure means. Handshake_failure means that a cipher suite could not be negotiated -- no cipher suite is supported by both client and server. Look at what ciphers are supported by your server.
Edit: I always forget that if a client fails to provide a required certificate, that also results in handshake_failure (section 7.4.6).

SSL compares the CommonName with the name of the server you actually try to connect to.
Possibly you are using an alternative name like 'localhost' or an IP Adress.

Solved the problem, and unfortunately it was created by a default value in my Apache distribution. The option:
SSLVerifyClient require
Actually needed to be set as:
SSLVerifyClient optional
I'm not issuing client certs just yet. However credit is due to the answers for narrowing the problem. I appreciate the help!

Related

Ubuntu Server 16.04 error 60: SSL certificate problem

Ubuntu server 16.04 PHP7.4 Apache2 running wordpress Geotrust SHA256 certificate
I have started getting the following error
cURL error 60: SSL certificate problem: unable to get local issuer certificate
I have read through and tried most solutions on the many questions on here, but to no avail
The latest 2 i have tried is adding to php.ini the following 2 lines and restarted Apache and rebooted after each one to see if it solves the issue. But it does not
After downloading a fresh copy of cacert.pem The first one i tried was
curl.cainfo = "/path/to/cacert.pem"
Then i tried
openssl.cafile = "/path/to/cacert.pem"
But i still get the same error
Any assistance greatly appreciated.
Many thanks
This is likely to be a server problem ("unable to get local issuer certificate" often is):
Even when using a CA bundle to verify a server cert, you might still experience problems if your CA store does not contain the certificates for the intermediates if the server doesn't provide them.
The TLS protocol mandates that the intermediate certificates are sent in the handshake, but as browsers have ways to survive or work around such omissions, missing intermediates in TLS handshakes still happen that browser-users won't notice.
Browsers work around this problem in two ways: they cache intermediate certificates from previous transfers and some implement the TLS "AIA" extension that lets the client explicitly download such cerfificates on demand.
To figure out for sure if this is your problem, use a TLS test service like perhaps this one: https://www.ssllabs.com/ssltest/

Kafka SSL handshake failed issue

I am trying to enable SSL Authentication on my Kafka server. I am following 7.2 section in the Kafka documentation.
Followed all steps, but while calling the producer.bat file to send data in to the topic i get below error.
ERROR [Producer clientId=console-producer] Connection to node -1 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
Caused by: java.security.cert.CertificateException: No name matching localhost found
I did create the certificate with CN=localhost.
The server host name verification may be disabled by setting ssl.endpoint.identification.algorithm to an empty string on the client.
Just set
ssl.endpoint.identification.algorithm=
It can help you.
I.e with an empty value:
ssl.endpoint.identification.algorithm=
For me it is an issue with input given to first name and last name for Keytool
Generally java.security.cert.CertificateException: No name matching localhost found means that the hostname in the certificate does not match the hostname of the server.
There is a great explanation of this error here: CertificateException: No name matching ssl.someUrl.de found
We encounterd the following errors, this might because the upgrade of Kafka's version from 1.x to 2.x.
javax.net.ssl.SSLHandshakeException: General SSLEngine problem ... javax.net.ssl.SSLHandshakeException: General SSLEngine problem ... java.security.cert.CertificateException: No name matching *** found
or
[Producer clientId=producer-1] Connection to node -2 failed authentication due to: SSL handshake failed
The default value for ssl.endpoint.identification.algorithm was changed to https, which performs hostname verification (man-in-the-middle attacks are possible otherwise). Set ssl.endpoint.identification.algorithm to an empty string to restore the previous behaviour. Apache Kafka Notable changes in 2.0.0
Solution:
SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, ""
When using Strimzi Kafka operator, use the cluster ca cert (add to jks truststore) to avoid this error. The client CA certificate was always throwing this error for me.
I got this error because of connection problems. Cause by me firewall.
The connection can be checked with:
openssl s_client -debug -connect servername:port -tls1_2
Answer should be "Verify return code: 0 (ok)
Other return codes could suggest that you have no access.

NGINX: Each domain shares multiple ssl_certificate's

Is it possible to have each domain use multiple ssl certificates? When I google for this, the top result is an article on how to have two ssl_certificates for two domains, but each domain is tied to one ssl_certificate. Is there a way to have each tied to multiple certificates? The way I'd want it to work is to try with the first ssl certificate and if it fails, try with the second, and if that didn't work, fallback to other options. We attempted this using techniques from the article, but when we did nginx gave us this warning:
2016/12/30 20:31:41 [warn] 186#186: conflicting server name "domain1" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "domain1" on 0.0.0.0:443, ignored
2016/12/30 20:31:41 [warn] 186#186: conflicting server name "domain2" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "domain2" on 0.0.0.0:443, ignored
Why do we want to do this? The ssl_certificate refers to a file that allows access to one inbound domain, and we also want the nginx to allow access from another domain. I don't know much about ssl/certificates. Is there an easy way to modify the ssl_certificate to allow multiple domains? That would be an alternative solution to this problem.
There is only a single leaf certificate served inside the TLS handshake. If the validation of this certificate fails the handshake will fail. While many browsers will retry with a lower protocol TLS version as a fallback against broken servers this is not intended to be used to serve different certificates. Apart from that almost no TLS implementations outside browsers implement this fallback.
Thus servers don't support serving multiple leaf certificates within a single host configuration. They usually do support having different certificates for different subdomains and it is also possible to have different servers for the same domain using different certificates (i.e. different IP address or port). It is also possible in newer servers that a single configuration allows both RSA and ECC certificates (i.e. ECDSA authentication) but in this case the server will simply pick the relevant certificate based on which ciphers the client supports and will still send only a single leaf certificate.

Let Apache reply TLS error OR close connection if SNI not match any enabled name-based virtualhost

##What I want:
I'm looking for a way to let Apache either send a handshake_failure error or close the connection if the client has the wrong SNI within the Client Hello message.
Break this problem into parts, and the research I've done:
Apache is able to get the SNI value from the client
Solved: Apache - mod_ssl has "SSL_TLS_SNI" in its Environment Variables.
Apache can check if the SNI is included in the current list of name-based vhosts.
Not Solved: But this is not that important, I can use SetEnvIf and match manually.
This is the hardest part for me: Let Apache close the connection or reply a TLS error (RFC 5246 - 7.2.2. Error Alerts) to client. I can not find any way to do that.
Other Questions you may ask
What if client doesn't support SNI?
I enabled the SSLStrictSNIVHostCheck, therefore, Clients will get a handshake_failure error if SNI was not sent.
Why you prefer close the connection / reply TLS error instead of just show the error?
I don't want my server send the cert info before the client know the correct domain. (I know there are other ways to get around this) And I am just trying to challenge myself finding a way to intercept a connection on TCP/TLS layer on Apache. This is the precondition, no need to discuss.
###Please give me some hints or share your similar experience with me.
Thanks.

OpenLDAP: TLS error -8179:Peer's Certificate issuer is not recognized

I'm not familiar with certificates and openldap. I'm trying to port someone elses work from an older OS to CentOS-6 with openldap-2.4.23. On the old OS, an ldap connection worked without issue. Now on CentOS-6, I get the following error when doing a simple bind:
TLS error -8179:Peer's Certificate issuer is not recognized.
My /etc/openldap/ldap.conf has a single line:
TLS_CACERTDIR /etc/openldap/certs
I tried commenting out that line and putting the following into the file but that didn't change the error message I received.
tls_reqcert allow
I also tried putting only the following line in ldap.conf but that didn't change the error. I tried this based on information found in this question.
LDAPTLS_CACERT /etc/ssl/certs/ca-bundle.crt
I copied files into the following directories:
/etc/pki/tls/certs/ca.crt
/etc/pki/tls/certs/server.crt
/etc/pki/tls/private/server.key
I have no choice but to use openldap-2.4.23. Any idea what is causing this error or what I can do to troubleshoot?
Thanks in advance.
SP
As per http://www.zytrax.com/books/ldap/ch6/ldap-conf.html TLS_CACERT should point to the file containing the CA cert that the client will use to verify the certificate. You need to make sure the your servers CA [The CA that signed your server certificate] is present in the file that TLS_CACERT points to[in your case /etc/ssl/certs/ca-bundle.crt.
I had the same error. In my case the reason was, that my client had the wrong certificate in /etc/ipa/ca.crt. To fix this, I just copied /etc/ipa/ca.crt from the KDC server to the client and the error disappeared.
Depending upon the environment, OpenLDAP may completely ignore the value set for TLS_CACERTDIR because evidently GnuTLS doesn't support that type of certificate store.
From the man page for ldap.conf(5)
TLS_CACERTDIR <path>
Specifies the path of a directory that contains Certifiā€
cate Authority certificates in separate individual files.
The TLS_CACERT is always used before TLS_CACERTDIR. This
parameter is ignored with GnuTLS.
In my case, I suspect that GnuTLS is in use, so TLS_CACERTDIR simply does nothing. Using TLS_CACERT pointed to a file containing the certificate of my server's signing CA seems to have done the trick.
I think https://serverfault.com/questions/437546/centos-openldap-cert-trust-issues is a much more complete answer.