> I use a 3rd-party application that is trying to update itself (so it’s trying to “call home”). > Naturally, I’m behind a corporate firewall and Web proxy. The app has been configured to use > that proxy. It fails to connect. Packet capture reveals the following: You're noticeably at this point in the problem report. Is this a packet capture between the application and the proxy, or between the proxy and the outside host? It is between the app and the proxy. I have no access to the proxy <-> outside traffic. ( At what stage of the handshake is the alert seen? It looks like it’s after the initial handshake (I see HTTP 200 before this). Have you tried using "curl" to complete a proxied connection to the remote server? Nope. I don’t even know what to try to “curl” from there, and browser connects fine. > Handshake failed > > The SSL handshake could not be performed. > > Host: <remote host name> > Reason: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:state 23:Application response 500 handshakefailed The alert is always generated remotely and reported locally. It could in theory come from the proxy, but more likely from the real remote server. I see, thanks! The server may not like the client's ciphers or protocol version. See my recent post: https://www.spinics.net/lists/openssl-users/msg05623.html for instructions on how to extract SSL info from PCAP files in a way that mostly trims away endpoint details... (of course SNI names and cert names would still be there, so you'd need to trim those if you want to anonymize the guilty parties). I cannot do “openssl s_client …” because the proxy doesn’t let it through. Capture the traffic between the proxy and the remote server if at all possible, and compare with the trace between client and proxy. Alas, cannot. Though I can ask people in charge of the proxy to do that. I went through the capture between the app (local end) and the proxy. It appears that the sequence is: ClientHello -> (from app to proxy, with a ton of cipher suites, including 0xc02f) <- ServerHello (with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 – present in ClientHello) <- CertificateServer Key Exchange, Server Hello Done (includes proxy’s cert rather than the remote end’s cert) Alert (Level: Fatal, Description: Certificate Unknown) -> So it appears that the app expects the remote end’s cert, and is not happy getting the proxy’s cert instead?
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users