Home / server / Questions / 950239
Accepted
jouell
Asked: 2019-01-23 08:39:41 +0800 CST

Openssl 1.0.2q - error at finished message: error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

  • 772

Connecting to a VIP/loadbalancer w/Tomcat behind it.

(tcpdump appears clean so far..no RSTs)

Using openssl version 1.2.q 

$openssl s_client -connect "blah:443" -msg

    CONNECTED(00000003)

    >>> TLS 1.2  [length 0005]

        16 03 01 01 2c

    >>> TLS 1.2 Handshake [length 012c], ClientHello

        01 00 01 28 03 03 a8 3c de fd fd 63 19 ea 64 01

        <snip>

    <<< ??? [length 0005]

        16 03 03 00 51

    <<< TLS 1.2 Handshake [length 0051], ServerHello

        02 00 00 4d 03 03 dc dd fa a6 70 ab 42 29 26 5c

       <snip>

    <<< ??? [length 0005]

        16 03 03 11 9b

    <<< TLS 1.2 Handshake [length 119b], Certificate

        0b 00 11 97 00 11 94 00 06 01 30 82 05 fd 30 82

        <snip>

    verify error:num=20:unable to get local issuer certificate

    <<< ??? [length 0005]

        16 03 03 00 2e

    <<< TLS 1.2 Handshake [length 002a], CertificateRequest

        0d 00 00 26 03 01 02 40 00 1e 06 01 06 02 06 03

        05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02

        03 03 02 01 02 02 02 03 00 00

    <<< TLS 1.2 Handshake [length 0004], ServerHelloDone

        0e 00 00 00

    >>> ??? [length 0005]

        16 03 03 00 07

    >>> TLS 1.2 Handshake [length 0007], Certificate

        0b 00 00 03 00 00 00

    >>> ??? [length 0005]

        16 03 03 01 06

    >>> TLS 1.2 Handshake [length 0106], ClientKeyExchange

        10 00 01 02 01 00 93 7b b5 46 e4 a0 33 ef 9d 25

        <snip>

    >>> ??? [length 0005]

        14 03 03 00 01

    >>> TLS 1.2 ChangeCipherSpec [length 0001]

        01

    >>> ??? [length 0005]

        16 03 03 00 50

    >>> TLS 1.2 Handshake [length 0010], Finished

        14 00 00 0c f6 30 0b ca 0d 1c e9 b1 2d ec 91 90

    140048048748200:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:



No client certificate CA names sent

Client Certificate Types: RSA sign, DSA sign, ECDSA sign

Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1

Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1

---

SSL handshake has read 4649 bytes and written 370 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA256

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : AES256-SHA256

    Session-ID: <snip>    
    Session-ID-ctx:

    Master-Key: <snip>    
    Key-Arg   : None

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1548174269

    Timeout   : 300 (sec)

    Verify return code: 20 (unable to get local issuer certificate)

everthing seems to proceed nicely except I see "140048048748200:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:" after the finished message.

(FWIW, my goal is to connect with python3 using ssl to collect the certificate but currently cannot)

Any pointers here? I don't have the ability to try 1.1.0 or 1.1.1 at my location.

openssl

1 Answers

  1. Best Answer

    I spoke to the admin of the server. Turns out a client cert is needed.

    • 0