Re: What does this error mean? sslv3 alert certificate unknown:state 23

> On Apr 24, 2017, at 5:18 PM, Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx> wrote:
> 
> I use a 3rd-party application that is trying to update itself (so it’s trying to “call home”). Naturally, I’m behind a corporate firewall and Web proxy. The app has been configured to use that proxy. It fails to connect. Packet capture reveals the following:

You're noticeably at this point in the problem report.  Is this a packet capture
between the application and the proxy, or between the proxy and the outside host?
At what stage of the handshake is the alert seen?

Have you tried using "curl" to complete a proxied connection to the remote server?

> Handshake failed
> 
> The SSL handshake could not be performed.
> 
> Host: <remote host name>
> Reason: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:state 23:Application response 500 handshakefailed

The alert is always generated remotely and reported locally.  It could
in theory come from the proxy, but more likely from the real remote
server.


> I must be dense today (and please, no comment about how this state might be more permanent than that), but I can’t figure even which peer is complaining. Is it the local end (aka the application) that doesn’t like the proxy’s certificate? Is it the Web proxy that doesn’t like the remote host certificate? Or is it the remote end that doesn’t like the proxy’s certificate?
> 
> I can connect to the remote host via browser just fine

The server may not like the client's ciphers or protocol version.

See my recent post: https://www.spinics.net/lists/openssl-users/msg05623.html
for instructions on how to extract SSL info from PCAP files in a way that
mostly trims away endpoint details... (of course SNI names and cert names
would still be there, so you'd need to trim those if you want to anonymize
the guilty parties).

Capture the traffic between the proxy and the remote server if at all
possible, and compare with the trace between client and proxy.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



