On Tue, Nov 01, 2022 at 05:55:08AM -0500, Ray Crumrine wrote:

> SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> <SSL
> routines-ssl3_read_bytes-sslv3 alert certificate expired>

Is this logged by the TLS client or server? In other words are you
running a client application making outgoing connections or a server
application receiving incoming connections?

> but not all of the time. Only when I try to access
> us-east-va.sip.flowroute using tlsv1.2.

This sounds like "client". TLS alerts are sent by the other end of the
connection, so if you're getting "certificate expired" alerts from a
server, that means that your client is *sending* an expired certificate
to the server (which must have solicited, possibly optional, client
certificates).

The server in question does send certificate requests:

    Transport Layer Security
        TLSv1.2 Record Layer: Handshake Protocol: Certificate Request (fragment)
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 16384
            Handshake Protocol: Certificate Request (fragment)
    ...

> I have tried two other sites using the same configuration and they work
> fine. Is there a simple configuration change or do I need Openssl v3.0?

The other sites presumably don't solicit client certificates. The
simplest choice is to not configure a client certificate unless you're
sure you're going to need one.

> Checking with
> https://decoder.link/sslchecker/us-east-va.sip.flowroute.com/5061
> everything checks fine???

The probe does not send expired client certs.

--
    Viktor.
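
The following is an added example, not part of the original message: it decodes the numeric code from the quoted log line to show that it is an alert received from the peer, which is why the certificate to inspect is the one this side presented. It assumes the application logs the raw OpenSSL 1.x packed error code (lib, func, reason); the function names `decode_err` and `triage` are hypothetical.

```python
import re

# Assumption: OpenSSL 1.x layout, lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20
# In the SSL library, reason = SSL_AD_REASON_OFFSET + alert description number
# means "this alert was received from the peer".
SSL_AD_REASON_OFFSET = 1000

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

def decode_err(code):
    """Split a packed OpenSSL 1.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(log_line):
    """Decode the first <number> in a log line and say who raised the error."""
    m = re.search(r"<(\d+)>", log_line)
    if not m:
        return None
    lib, func, reason = decode_err(int(m.group(1)))
    result = {"lib": lib, "func": func, "reason": reason,
              "origin": "local", "peer_alert": None, "suspect": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        result["origin"] = "peer"
        result["peer_alert"] = CERT_ALERTS.get(alert, "alert_%d" % alert)
        if alert in CERT_ALERTS:
            # The peer sent the alert, so it is rejecting the certificate we sent.
            result["suspect"] = "certificate presented by this side"
    return result

# The log line quoted in the message above.
SAMPLE = ("SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> "
          "<SSL routines-ssl3_read_bytes-sslv3 alert certificate expired>")

if __name__ == "__main__":
    print(triage(SAMPLE))
```
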