Project

General

Profile

SSL Handshake Problems

colin mor
Added almost 5 years ago

Hi,

I'm having a problem connecting via ssl. I have run openssl s_client -tls1 -connect XXXXXXXXXX:5222 to test the connection and a ssl handshake failure error comes up. For some reason i am able to connect with psi but not adium and i'm not sure why. I've also followed http://www.tigase.org/content/creating-and-loading-server-certificate-pem-files and i'm using a cert from godaddy. Any help to point me in the right direction to look is appreciated.

Thanks,

Details of error

Server:ubuntu 12.04

openssl: version 1.0.1

CONNECTED(00000003)

140257417410208:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:


no peer certificate available


No client certificate CA names sent


SSL handshake has read 0 bytes and written 0 bytes


New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol  : TLSv1

Cipher    : 0000

Session-ID: 

Session-ID-ctx: 

Master-Key: 

Key-Arg   : None

PSK identity: None

PSK identity hint: None

SRP username: None

Start Time: 1390952902

Timeout   : 7200 (sec)

Verify return code: 0 (ok)


Replies (7)

Added by Yevgen Voronetskyy almost 5 years ago

Hi,

Seems I concerned as well with this SSL pb.

I started asking you on Twitter.

So after switching to Oracle JDK 1.7 from Open JDK, I still have the same pb (impossible to connect with Adium or iMessage - SSL handshake error). For PSI client the connection is ok.

openssl s_client -tls1 -connect XYZ:5222 -debug -state -msg

I have the following output

CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7fab8a41c480 [0x7fab8a818000] (100 bytes => 100 (0x64))
0000 - 16 03 01 00 5f 01 00 00-5b 03 01 52 ed 4d dc c8   ...._...[..R.M..
0010 - d3 13 1f e5 94 c1 1f 38-2d 3d f9 dd ac 67 73 f8   .......8-=...gs.
0020 - 79 30 7e e7 3d d8 32 28-1a 56 bb 00 00 2e 00 39   y0~.=.2(.V.....9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09   ................
0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 04   ................
0060 - 00 23                                             .#
0064 - <SPACES/NULS>
>>> TLS 1.0 Handshake [length 005f], ClientHello
    01 00 00 5b 03 01 52 ed 4d dc c8 d3 13 1f e5 94
    c1 1f 38 2d 3d f9 dd ac 67 73 f8 79 30 7e e7 3d
    d8 32 28 1a 56 bb 00 00 2e 00 39 00 38 00 35 00
    16 00 13 00 0a 00 33 00 32 00 2f 00 9a 00 99 00
    96 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00
    08 00 06 00 03 00 ff 01 00 00 04 00 23 00 00
SSL_connect:SSLv3 write client hello A
read from 0x7fab8a41c480 [0x7fab8a813600] (5 bytes => 0 (0x0))
SSL_connect:failed in SSLv3 read server hello A
31232:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s3_pkt.c:543:
Avatar?id=6023&size=32x32

Added by Artur Hefczyc TigaseTeam almost 5 years ago

We are looking into it now. We do have installations working correctly with Adium and iMessage and we are trying to find out why it is not working for some people.

Please note, you cannot run tests with openssl on port 5222, this is a TLS port which require some XMPP handshaking before TLS activation. openssl does not understand XMPP so any attempt to connect on the port with openssl will be unsuccessful.

You can try connecting openssl on port 5223 instead.

What Mac OSX version do you use?

Avatar?id=6023&size=32x32

Added by Artur Hefczyc TigaseTeam almost 5 years ago

And what exact Tigase server version do you use?

Added by Yevgen Voronetskyy almost 5 years ago

Mac OSX Maverics.

Tigase server version is 5.1 or some night build of the january 2014, does not matter, always the same pb.

We are using self-signed cerificate.

I can connect on port 5223 without any errors. Handshake phase is done without errors as well.

Handshake related outputs:

SL_connect:SSLv3 read server certificate request A
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
    0e 00 00 00
SSL_connect:SSLv3 read server done A
>>> TLS 1.0 Handshake [length 0007], Certificate
    0b 00 00 03 00 00 00
SSL_connect:SSLv3 write client certificate A
>>> TLS 1.0 Handshake [length 0066], ClientKeyExchange
    10 00 00 62 00 60 7c a3 73 df 84 4d da 50 8e 01
    bc 94 42 a7 69 71 24 ca bb 6a 85 7a 81 97 24 31
    22 33 2f 22 20 76 e4 6f f3 b5 fc eb 9f 4c 3e b6
    b9 75 06 ef 8d 27 4c a6 9f 2f 3e ae 16 8c cc d6
    c8 af 94 70 c6 6a ca 4b cf d2 1a 26 a8 ca 13 47
    f2 bb 60 89 b9 ec e5 42 4a 6b 1a 45 0c 6e df c2
    54 87 20 43 44 1c
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
    01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
    14 00 00 0c 8e be 90 d1 b6 4a 07 b5 06 c7 c6 44
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
<<< TLS 1.0 ChangeCipherSpec [length 0001]
    01
<<< TLS 1.0 Handshake [length 0010], Finished
    14 00 00 0c 34 1a dd 20 6a 66 ee 92 31 a5 0d 8d
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=NL/ST=North Holland/O=HeliosCloud/OU=IT/CN=xmpp.helios.me/emailAddress=sys@helioscloud.com
   i:/C=NL/ST=North Holland/O=HeliosCloud/OU=IT/CN=xmpp.helios.me/emailAddress=sys@helioscloud.com
---
Server certificate
/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 1 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
/C=DE/ST=Hessen/L=Fulda/O=Debconf/CN=Debconf CA/emailAddress=joerg@debian.org
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
/C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
/C=ES/O=Generalitat Valenciana/OU=PKIGVA/CN=Root CA Generalitat Valenciana
---
SSL handshake has read 39038 bytes and written 270 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 52ED5253B704D1192FB73C3DDAA94756634C6F8A46BAE6FF41C685918C4E0C95
    Session-ID-ctx:
    Master-Key: 48E886EB662B2FD6F7F1DEBC3CB7CD0F3AAF8223D5362ABE6B048463AB49432E71A37298A9DD819854B6A1D1CF31EBEF
    Key-Arg   : None
    Start Time: 1391284819
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
Avatar?id=6023&size=32x32

Added by Artur Hefczyc TigaseTeam almost 5 years ago

We have done lots of code changes and fixes in SSL and certificate handling area in last weeks. We know for sure that Tigase XMPP Server 5.2.0 RC2 works with Both Adium and iMessage.

Could you please check RC2 with Oracle JDK? Do you use hardened mode on Tigase?

If you still have problems with RC2 than this must be a configuration thing and we will help you to find a solution.

Added by Yevgen Voronetskyy almost 5 years ago

Just tested locally with last night build and it works like a charm!

Thank you very much, Artur!

Avatar?id=6023&size=32x32

Added by Artur Hefczyc TigaseTeam almost 5 years ago

super, thanks for update.

    (1-7/7)