Question about handshake error

Niki Dinsey Tue, 10 Mar 2020 10:06:10 -0700

Hi there, I have an issue I can't seem to work out the answer to.

Server: thankqcrm.accessacloud.com


root@willis:~# openssl version
OpenSSL 1.1.1d  10 Sep 2019
root@willis:~# openssl s_client -connect thankqcrm.accessacloud.com:443
CONNECTED(00000004)
140151269360768:error:14094410:SSL routines:ssl3_read_bytes:sslv3
alert handshake
failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 318 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Works on OpenSSL 1.1.0:

root@host:~# openssl version
OpenSSL 1.1.0l  10 Sep 2019
root@host:~# openssl s_client -connect thankqcrm.accessacloud.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA
2018
verify return:1
depth=0 CN = *.accessacloud.com
verify return:1
---
Certificate chain
 0 s:/CN=*.accessacloud.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 3 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=*.accessacloud.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
---
No client certificate CA names sent
---
SSL handshake has read 4999 bytes and written 494 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID:
05326CD4A0D128684EA530A59504BA8D02E99746AC2E40D0DA8B9B0E18F20CF0
    Session-ID-ctx:
    Master-Key:
B423C27867FFB6A021458D860CC8A5A6D947628A8216B5F8DD8D1CF3058545398185B94F772B3A816A15D1442FFF1822
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 14400 (seconds)
    TLS session ticket:
    0000 - e5 7b cf ea bc 3d 6b 9a-59 ec 40 63 01 19 52 6c   .{...=k.Y.@c.
.Rl
    0010 - 72 c4 34 f0 a3 ff 37 f4-58 b1 9a bb 84 fc 94 36
r.4...7.X......6
    0020 - 16 8e 39 04 94 e2 fd ae-0f 05 e7 6c 12 94 58 4a
..9........l..XJ
    0030 - 09 56 e5 bd 67 d7 e7 17-d4 a8 03 ba 6e 05 be b6
.V..g.......n...
    0040 - ce 5d 9a ee 81 73 97 c8-ff 9c be 6b 8f 37 cb bf
.]...s.....k.7..
    0050 - 44 76 93 83 95 58 6d b8-63 f6 ba 4d 55 22 d2 14
Dv...Xm.c..MU"..
    0060 - 93 09 01 46 f0 fa f1 35-5a 80 0e ab a4 ca 9e c8
...F...5Z.......
    0070 - ed 8f c8 3c 89 e8 91 b3-0e 41 a9 e4 3f 79 f6 63
...<.....A..?y.c
    0080 - e2 62 91 c9 2f 8c 5a dd-b0 a1 55 b3 86 35 62 5a
.b../.Z...U..5bZ
    0090 - af c2 9a 8a 35 7a 46 3b-3c 2e 24 0d 45 69 96 fc
....5zF;<.$.Ei..

    Start Time: 1583859230
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---


Works using 1.1.1d if I pass in -tls1_1

root@willis:~# openssl version
OpenSSL 1.1.1d  10 Sep 2019
root@willis:~# openssl s_client -connect thankqcrm.accessacloud.com:443
-tls1_1
CONNECTED(00000004)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA
2018
verify return:1
depth=0 CN = *.accessacloud.com
verify return:1
---
Certificate chain
 0 s:CN = *.accessacloud.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA
2018
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA
2018
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global
Root CA
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global
Root CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global
Root CA
 3 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global
Root CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global
Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = *.accessacloud.com

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA
2018

---
No client certificate CA names sent
---
SSL handshake has read 5059 bytes and written 481 bytes
Verification: OK
---
New, SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES128-SHA
    Session-ID:
9438801392B268A70F6B60C25E388481D69638ED8122A274BB0E15111BFF329B
    Session-ID-ctx:
    Master-Key:
EA86A4D07020F193BC66444A2D16EC67AD9524A6A78D068542B6CAF745D0B51FBE51EA0F9E9A6557561CFD5AE9E2D986
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 14400 (seconds)
    TLS session ticket:
    0000 - e5 7b cf ea bc 3d 6b 9a-59 ec 40 63 01 19 52 6c   .{...=k.Y.@c.
.Rl
    0010 - 3a c0 bc fb ff 57 a2 7f-38 a9 91 64 5e 87 b4 88
:....W..8..d^...
    0020 - f2 35 bc 04 b3 27 b3 fc-0f ac 3d 8a 03 a4 59 cb
.5...'....=...Y.
    0030 - a7 2c 8e 0f f3 a0 a2 13-50 fa 6f 2e 07 eb 1e 89
.,......P.o.....
    0040 - 73 0d d0 3e d5 01 68 3a-18 56 00 71 fa 38 1e e0
s..>..h:.V.q.8..
    0050 - 87 15 68 a4 d0 d7 13 67-c7 b1 e6 45 54 fd 22 e1
..h....g...ET.".
    0060 - 65 66 40 6c e3 7e 42 f1-1a 46 32 7b b9 a1 c0 80   ef@l.
~B..F2{....
    0070 - 12 ee f1 d9 92 5f b7 3b-7b 38 66 76 cc af b1 eb
....._.;{8fv....
    0080 - 97 4c 02 af 61 9d 1b 35-c8 64 f5 ce 19 34 42 92
.L..a..5.d...4B.
    0090 - a0 0e b9 51 ab de c0 cf-90 bd 65 2b 0b 08 19 3b
...Q......e+...;
    00a0 - 2e fe 1f 75 1f b5 b8 48-40 8c 56 d4 dc 82 31 b0   ...u...H@
.V...1.
    00b0 - 2f 52 b9 1f 11 f7 d2 63-01 c0 89 57 dd a6 53 56
/R.....c...W..SV

    Start Time: 1583859354
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---


---------------------------------
This error started our of the blue. The vendor confirmed a change in
certificate about the same time that curl/'python requests' stopped
working. So it looks to me like their cert change caused the issue.

Tested on Debian 10 and Ubuntu 20.04 Focal Fossa.

Why does this certificate work with tls1.2 on 1.1.0 but not on 1.1.1???

I can force tls1.1, but want to inform the vendor there are problems with
their new certificate but don't really understand much of this.

Any help appreciated.

Regards

Niki

-- 
Save the date: Abingdon's first 24hr *Giving Day - 18 March 2020*.Help 
support our ambition to double the number of bursaries across the 
Foundation.

 <http://www.150givingday.abingdon.org.uk>


-- 


Abingdon School: A company limited by guarantee Registered in England and 
Wales. Company No. 3625063 
 
Registered Office: 
Abingdon School 
Park 
Road
Abingdon 
OX14 1DE 
Registered Charity No. 1071298
 
All information 
in this message and attachments is confidential and may be legally 
privileged. Only intended recipients are authorised to use it. E-mail 
transmissions are not guaranteed to be secure or error free and the sender 
does not accept liability for such errors or omissions. The company will 
not accept any liability in respect of such communication that violates our 
ICT policies.

Question about handshake error

Reply via email to