Hello, [EMAIL PROTECTED] wrote on 06/06/2008 06:25:38 PM:
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > [EMAIL PROTECTED]
> > <snipped>
> >
> > > With the following error, what are the things that I need to check?
> > > Thanks Mike
> > >
> > > openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636
> > > CONNECTED(00000003)
> > > 24664:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> > > failure:s23_clnt.c:562:
> >
> > Try to add "-debug -msg -state" flags to this command to get more verbose
> > output.
>
> Mark,
> That does help. Thanks. It should have been obvious from the error
> message above, but I have been thrashing so much on this that I am not
> thinking clearly. I did speak with the OID admin and he tells me that we
> are using the default config set, which is encryption only - no server
> auth. I am not sure if this is the source of the SSL handshake failure.
> I'm checking with the OID admin now. Thanks again for your suggestion. I
> hope this isn't too much off topic for this group.
>
> Mike
>
> +++++++++SUCCESSFUL SSL CONNECTION ON PORT 443+++++++++
> # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:443 -state
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> <response snipped>
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read finished A
> ---
>
> +++++++++SSL HANDSHAKE FAILURE ON PORT 636+++++++++
> # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636 -state
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL3 alert read:fatal:handshake failure
> SSL_connect:error in SSLv2/v3 read server hello A
> 1460:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:

Because you get the handshake alert right after sending client_hello, the
server does not accept some data in this packet. With SSLv2/v3 the client in
reality sends an SSL2 client_hello, and this may not be acceptable to the
server. You may add the "-ssl3" or "-tls1" flag to use exactly one of these
protocols (without the SSL2 client_hello).

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]