Hi list.

I have a problem with a client trying to connect to a web server over
SSL. I have an in-house HTTP server with SSL support through OpenSSL
0.9.6c, and while doing SSL_accept I get the following error:
OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

This is after enabling all ciphers using
SSL_set_cipher_list(ssl,"ALL:eNULL");

Using any sort of browser or other HTTP client I tried, I get a
successful connect every time.
The client is a remote client not controlled by me and I cannot change
it, but I think it's written in Java.

Now, after giving up on our own implementation, I decided to try Apache
(1.3.24) with mod_ssl (2.8.8) compiled against the same OpenSSL
(0.9.6c). But still no luck - this time I get a different error:
OpenSSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

After enabling debug logging of the SSL engine in httpd.conf I got the
following dump:

==> /usr/local/ssl/logs/error_log <==
[Tue May 21 17:18:28 2002] [error] mod_ssl: SSL handshake failed (server 64.69.184.69:443, client 62.189.29.172) (OpenSSL library error follows)
[Tue May 21 17:18:28 2002] [error] OpenSSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

==> /usr/local/ssl/logs/ssl_engine_log <==
[21/May/2002 17:18:28 21237] [info]  Connection to child 0 established (server 64.69.184.69:443, client 62.189.29.172)
[21/May/2002 17:18:28 21237] [info]  Seeding PRNG with 23177 bytes of entropy
[21/May/2002 17:18:28 21237] [trace] OpenSSL: Handshake: start
[21/May/2002 17:18:28 21237] [trace] OpenSSL: Loop: before/accept initialization
[21/May/2002 17:18:28 21237] [debug] OpenSSL: read 11/11 bytes from BIO#08194220 [mem: 08199968] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 80 32 01 03 01 00 09                             .2.....          |
| 000b - <SPACES/NULS>
+-------------------------------------------------------------------------+
[21/May/2002 17:18:28 21237] [debug] OpenSSL: read 41/41 bytes from BIO#08194220 [mem: 08199973] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 00 00 03 02 00 80 00 00-11 3c ea 72 ef eb 9b 2b  .........<.r...+ |
| 0010: 40 ea 8c f1 ee dd 9e b3-a6 9e 94 70 24 bf cd 99  @..........p$... |
| 0020: 41 48 20 6d 3d 6d 63 6f-b2                       AH m=mco.        |
+-------------------------------------------------------------------------+
[21/May/2002 17:18:28 21237] [trace] OpenSSL: Loop: SSLv3 read client hello A
[21/May/2002 17:18:28 21237] [trace] OpenSSL: Loop: SSLv3 write server hello A
[21/May/2002 17:18:28 21237] [trace] OpenSSL: Loop: SSLv3 write certificate A
[21/May/2002 17:18:28 21237] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[21/May/2002 17:18:28 21237] [trace] OpenSSL: Loop: SSLv3 write server done A
[21/May/2002 17:18:28 21237] [debug] OpenSSL: write 966/966 bytes to BIO#08194220 [mem: 081A7A00] (BIO dump follows)
[21/May/2002 17:18:28 21237] [trace] OpenSSL: Loop: SSLv3 flush data
[21/May/2002 17:18:28 21237] [debug] OpenSSL: read 5/5 bytes from BIO#08194220 [mem: 08199968] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 15 03 01 00 02                                   .....            |
+-------------------------------------------------------------------------+
[21/May/2002 17:18:28 21237] [debug] OpenSSL: read 2/2 bytes from BIO#08194220 [mem: 0819996D] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 02 2e                                            ..               |
+-------------------------------------------------------------------------+
[21/May/2002 17:18:28 21237] [trace] OpenSSL: Read: SSLv3 read client certificate A
[21/May/2002 17:18:28 21237] [trace] OpenSSL: Exit: failed in SSLv3 read client certificate A
[21/May/2002 17:18:28 21237] [error] SSL handshake failed (server 64.69.184.69:443, client 62.189.29.172) (OpenSSL library error follows)


I'm hoping that someone could tell me what's going on. The client is
operated by someone we are hoping to do business with, and while all our
local tests are successful, said client never does connect successfully,
but the person we're in touch with claims that they are working with
20 other providers with no problems - to which I have nothing to say.

TIA

--
Oded Arbel
m-Wise Inc.
[EMAIL PROTECTED]
(972)-67-340014
(972)-9-9581711 (ext: 116)

::..
An optimist is someone who thinks the future is uncertain.
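
Added example, not part of the original post: a small Python decoder for the short BIO dumps in the log above (the SSLv2-compatible ClientHello and the final alert record) and for the two packed OpenSSL error codes. The suite names and the four header bytes the log shows only as `<SPACES/NULS>` (taken here to be `00 00 00 20`) are assumptions labelled in the code.

```python
import struct

# Bytes copied from the short BIO dumps in the log above (first two reads,
# then the 5- and 2-byte reads). ASSUMPTION: the four bytes the log shows
# only as <SPACES/NULS> are 00 00 00 20, which fits the 11/41-byte reads.
CLIENT_HELLO = bytes.fromhex(
    "80 32 01 03 01 00 09 00 00 00 20 "
    "00 00 03 02 00 80 00 00 11 3c ea 72 ef eb 9b 2b "
    "40 ea 8c f1 ee dd 9e b3 a6 9e 94 70 24 bf cd 99 "
    "41 48 20 6d 3d 6d 63 6f b2")
ALERT = bytes.fromhex("15 03 01 00 02 02 2e")

SUITES = {  # 3-byte cipher specs seen in this hello (registry names)
    0x000003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5 (SSLv2)",
    0x000011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
}
ALERTS = {42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}

def parse_v2_client_hello(data):
    """Parse a ClientHello sent in SSLv2 framing (2-byte header, high bit set)."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    mtype, major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBBHHH", data[2:11])
    if (mtype != 1 or cs_len % 3 or rec_len != len(data) - 2
            or 9 + cs_len + sid_len + ch_len != rec_len):
        raise ValueError("malformed ClientHello")
    specs = [int.from_bytes(data[i:i + 3], "big") for i in range(11, 11 + cs_len, 3)]
    return {"version": (major, minor), "challenge_len": ch_len,
            "ciphers": [SUITES.get(s, hex(s)) for s in specs]}

def parse_alert(data):
    """Parse one SSLv3/TLS alert record: type 21, version, length 2, level, code."""
    ctype, _major, _minor, length = struct.unpack(">BBBH", data[:5])
    if ctype != 21 or length != 2 or len(data) != 7:
        raise ValueError("not a single alert record")
    return {1: "warning", 2: "fatal"}.get(data[5], data[5]), ALERTS.get(data[6], data[6])

def alert_from_error(code):
    """OpenSSL 0.9.x keeps the reason in the low 12 bits of the error code;
    reasons of 1000 and above are alerts received from the peer (1000 + alert)."""
    reason = code & 0xFFF
    return reason - 1000 if reason >= 1000 else None

if __name__ == "__main__":
    print(parse_v2_client_hello(CLIENT_HELLO))
    print(parse_alert(ALERT), alert_from_error(0x14094416))
```

Run against these bytes, the hello decodes to TLS 1.0 with three export-grade cipher specs, and the last record the server reads is a fatal `certificate_unknown` alert sent by the client, the same alert number carried in error `14094416`.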