need help on handshake failure


need help on handshake failure

Mithun Kumar
Hello All,

I am getting some errors causing the SSL handshake to fail. Is there any way by which I can enable logging in our OpenSSL libraries?

-mithun

Re: need help on handshake failure

Mithun Kumar
Also, when I use the s_client tool it just hangs with the following output. Any input on how to get a full handshake dump?


vm-soniclx13(misingh): openssl s_client -connect NC-WIN2008X64:1433 -state  -debug -msg
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 09050898 [090508E0] (142 bytes => 142 (0x8E))
0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00   ......c... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00   ..3..2../.....f.
0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00   .............c..
0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40   b..a...........@
0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00   ..e..d..`.......
0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 c4 aa   ................
0070 - 12 f9 31 f4 10 71 08 bf-7f 5a 81 7e ba 46 50 02   ..1..q...Z.~.FP.
0080 - 4b 69 5c c3 8d c3 0c af-e9 37 fa 80 3f e2         Ki\......7..?.
>>> SSL 2.0 [length 008c], CLIENT-HELLO
    01 03 01 00 63 00 00 00 20 00 00 39 00 00 38 00
    00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
    33 00 00 32 00 00 2f 03 00 80 00 00 66 00 00 05
    00 00 04 01 00 80 08 00 80 00 00 63 00 00 62 00
    00 61 00 00 15 00 00 12 00 00 09 06 00 40 00 00
    65 00 00 64 00 00 60 00 00 14 00 00 11 00 00 08
    00 00 06 04 00 80 00 00 03 02 00 80 c4 aa 12 f9
    31 f4 10 71 08 bf 7f 5a 81 7e ba 46 50 02 4b 69
    5c c3 8d c3 0c af e9 37 fa 80 3f e2
SSL_connect:SSLv2/v3 write client hello A



Thanks in advance
mithun


On Thu, Aug 30, 2012 at 11:31 AM, Mithun Kumar <[hidden email]> wrote:
Hello All,

I am getting some errors causing SSL handshake to fail. Is there any way by which i can enable logging in our OpenSSL libraries?

-mithun


Re: need help on handshake failure

Saurabh Pandya-2
Use

   err = ERR_get_error();

to get the error number, and use ERR_error_string(err, NULL) to stringify it.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: need help on handshake failure

Dave Thompson-5
>From: [hidden email] On Behalf Of Mithun Kumar
>Sent: Thursday, 30 August, 2012 02:04

>Also when i use s_client tool it just hangs with following output.
>Any input on how to get full handshake dump?

>... openssl s_client -connect ... -state  -debug -msg
>CONNECTED(00000003)
>SSL_connect:before/connect initialization
>write to 09050898 [090508E0] (142 bytes => 142 (0x8E))
<snip>
>>> SSL 2.0 [length 008c], CLIENT-HELLO
<snip>
>SSL_connect:SSLv2/v3 write client hello A

-debug and -msg (you probably don't need both) *do* dump
all data resp. messages sent and received. The server
isn't responding to the hello, and that's why you're hanging.

Make sure the server is doing SSL on that port; many (other)
protocols if they receive garbage, which is what SSL looks like,
may just keep waiting.

Also make sure it's able and willing to do SSLv2; some recent
software doesn't. If server accepts only SSLv3/TLS, it may ignore
the SSLv2 ClientHello as invalid format and keep waiting for
a "valid" ClientHello, which OpenSSL here won't be sending.
Try s_client with -ssl3 or -tls1, or at least -no_ssl2 .
If that works, change or configure your client app accordingly.
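
An added example, not part of the original messages: a small C classifier for the two ClientHello framings seen in this thread, run over the leading bytes of the two s_client dumps. The type and function names are illustrative and are not OpenSSL APIs.

```c
#include <stdint.h>
#include <stdio.h>
enum hello_kind { HELLO_UNKNOWN, HELLO_SSLV2_FORMAT, HELLO_SSL3_TLS_RECORD };
struct hello_info {
    enum hello_kind kind;
    uint8_t ver_major, ver_minor;  /* highest protocol version offered */
    unsigned n_ciphers;            /* cipher suites (SSLv2: cipher specs) offered */
};
/* Leading bytes of the two s_client dumps quoted in this thread. */
const uint8_t dump_default[] = { 0x80,0x8c,0x01,0x03,0x01,0x00,0x63,0x00,0x00,0x00,0x20 };
const uint8_t dump_ssl3[] = {      /* the run with -ssl3 */
    0x16,0x03,0x00,0x00,0x5f,0x01,0x00,0x00,0x5b,0x03,0x00,0x50,0x3f,0xfb,0x58,0x60,
    0x71,0xd6,0x9f,0x3c,0xa6,0xfb,0x60,0x79,0x8a,0x31,0xfe,0x39,0x68,0x46,0x0e,0xa0,
    0x3f,0x0d,0xc8,0x08,0xd9,0x62,0xda,0xc6,0x17,0xfc,0x8d,0x00,0x00,0x34,0x00,0x39 };

/* Classify a captured ClientHello; returns 0 on success, -1 if unrecognised. */
int classify_hello(const uint8_t *p, size_t len, struct hello_info *out)
{
    *out = (struct hello_info){ HELLO_UNKNOWN, 0, 0, 0 };
    if (len < 11) return -1;
    if ((p[0] & 0x80) && p[2] == 0x01) {
        /* SSLv2 framing: 2-byte length (high bit set), type 1, version, spec length. */
        out->kind = HELLO_SSLV2_FORMAT;
        out->ver_major = p[3]; out->ver_minor = p[4];
        out->n_ciphers = (unsigned)((p[5] << 8) | p[6]) / 3;  /* 3 bytes per spec */
        return 0;
    }
    if (p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01) {
        /* SSLv3/TLS framing: 5-byte record header, 4-byte handshake header, body. */
        size_t off = 9 + 2 + 32;             /* skip version + client random */
        if (off >= len) return -1;
        off += 1 + (size_t)p[off];           /* skip session id */
        if (off + 2 > len) return -1;
        out->kind = HELLO_SSL3_TLS_RECORD;
        out->ver_major = p[9]; out->ver_minor = p[10];
        out->n_ciphers = (unsigned)((p[off] << 8) | p[off + 1]) / 2;  /* 2 bytes each */
        return 0;
    }
    return -1;
}
int main(void)
{
    struct hello_info a, b;
    classify_hello(dump_default, sizeof dump_default, &a);
    classify_hello(dump_ssl3, sizeof dump_ssl3, &b);
    printf("default: kind=%d v%d.%d ciphers=%u; -ssl3: kind=%d v%d.%d ciphers=%u\n",
           a.kind, a.ver_major, a.ver_minor, a.n_ciphers,
           b.kind, b.ver_major, b.ver_minor, b.n_ciphers);
    return 0;
}
```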



Re: need help on handshake failure

Mithun Kumar
Thanks Dave,
I see the below output.

soniclx24(misingh):  openssl s_client -connect NC-WIN2008X64:1433 -state -debug -msg -ssl3
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 08A018A8 [08A0B660] (100 bytes => 100 (0x64))
0000 - 16 03 00 00 5f 01 00 00-5b 03 00 50 3f fb 58 60   ...._...[..P?.X`
0010 - 71 d6 9f 3c a6 fb 60 79-8a 31 fe 39 68 46 0e a0   q..<..`y.1.9hF..
0020 - 3f 0d c8 08 d9 62 da c6-17 fc 8d 00 00 34 00 39   ?....b.......4.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 66 00 05 00 04 00 63-00 62 00 61 00 15 00 12   .f.....c.b.a....
0050 - 00 09 00 65 00 64 00 60-00 14 00 11 00 08 00 06   ...e.d.`........
0060 - 00 03 01                                          ...
0064 - <SPACES/NULS>
>>> SSL 3.0 Handshake [length 005f], ClientHello
    01 00 00 5b 03 00 50 3f fb 58 60 71 d6 9f 3c a6
    fb 60 79 8a 31 fe 39 68 46 0e a0 3f 0d c8 08 d9
    62 da c6 17 fc 8d 00 00 34 00 39 00 38 00 35 00
    16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00
    04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00
    64 00 60 00 14 00 11 00 08 00 06 00 03 01 00
SSL_connect:SSLv3 write client hello A
read from 08A018A8 [08A06E50] (5 bytes => 0 (0x0))
SSL_connect:failed in SSLv3 read server hello A
12542:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:


Any idea why handshake is failing?

-mithun





On Fri, Aug 31, 2012 at 12:59 AM, Dave Thompson <[hidden email]> wrote:
>From: [hidden email] On Behalf Of Mithun Kumar
>Sent: Thursday, 30 August, 2012 02:04

>Also when i use s_client tool it just hangs with following output.
>Any input on how to get full handshake dump?

>... openssl s_client -connect ... -state  -debug -msg
>CONNECTED(00000003)
>SSL_connect:before/connect initialization
>write to 09050898 [090508E0] (142 bytes => 142 (0x8E))
<snip>
>>> SSL 2.0 [length 008c], CLIENT-HELLO
<snip>
>SSL_connect:SSLv2/v3 write client hello A

-debug and -msg (you probably don't need both) *do* dump
all data resp. messages sent and received. The server
isn't responding to the hello, and that's why you're hanging.

Make sure the server is doing SSL on that port; many (other)
protocols if they receive garbage, which is what SSL looks like,
may just keep waiting.

Also make sure it's able and willing to do SSLv2; some recent
software doesn't. If server accepts only SSLv3/TLS, it may ignore
the SSLv2 ClientHello as invalid format and keep waiting for
a "valid" ClientHello, which OpenSSL here won't be sending.
Try s_client with -ssl3 or -tls1, or at least -no_ssl2 .
If that works, change or configure your client app accordingly.



RE: need help on handshake failure

Dave Thompson-5
>From: [hidden email] On Behalf Of Mithun Kumar
>Sent: Thursday, 30 August, 2012 19:50

>openssl s_client -connect NC-WIN2008X64:1433 -state -debug -msg -ssl3
>CONNECTED(00000003)
>SSL_connect:before/connect initialization
>write to 08A018A8 [08A0B660] (100 bytes => 100 (0x64))
<snip>
>>>> SSL 3.0 Handshake [length 005f], ClientHello
<snip>
>SSL_connect:SSLv3 write client hello A
>read from 08A018A8 [08A06E50] (5 bytes => 0 (0x0))
>SSL_connect:failed in SSLv3 read server hello A
>12542:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:
>ssl handshake failure:s3_pkt.c:529:
       
>Any idea why handshake is failing?

Read count 0 nominally means the server closed the TCP connection,
neither continuing the handshake (with ServerHello) nor cleanly
aborting (with alert). A compliant server shouldn't do this,
but some do, especially if it judges you shouldn't be allowed to
connect e.g. blacklisted IPaddr, too many attempts too fast, etc.
Ask the server operator(s) why it didn't/doesn't like you.

Alternatively, there is a remote possibility some middlebox in
your network path such as a firewall is doing the close. However
middleboxes usually do this earlier: on the TCP connection (SYN)
not during SSL handshake, which is "just" data to the TCP/IP level.
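
An added example, not part of the original messages: the outcomes described above (TCP close, alert, ServerHello) told apart from the first bytes read after the ClientHello. The names and both sample byte strings are constructed for illustration; they are not OpenSSL APIs or data captured from this server.

```c
#include <stdint.h>
#include <stdio.h>

enum reply_kind { REPLY_CLOSED, REPLY_IO_ERROR, REPLY_ALERT,
                  REPLY_SERVER_HELLO, REPLY_NOT_TLS };
struct reply_info {
    enum reply_kind kind;
    uint8_t alert_level;   /* 1 = warning, 2 = fatal; set for REPLY_ALERT */
    uint8_t alert_desc;    /* e.g. 40 = handshake_failure */
};

/* Constructed sample replies (not captured from the server in the thread). */
const uint8_t sample_alert[] = { 0x15,0x03,0x00,0x00,0x02, 0x02,0x28 };
const uint8_t sample_hello[] = { 0x16,0x03,0x00,0x00,0x4a, 0x02,0x00,0x00,0x46 };

/* Interpret the first read after the ClientHello was written:
   n is the read's return value, buf holds the n bytes received. */
struct reply_info classify_reply(const uint8_t *buf, long n)
{
    struct reply_info r = { REPLY_NOT_TLS, 0, 0 };
    if (n == 0) { r.kind = REPLY_CLOSED; return r; }    /* peer closed TCP */
    if (n < 0)  { r.kind = REPLY_IO_ERROR; return r; }  /* reset, timeout */
    if (n < 6 || buf[1] != 0x03) return r;              /* not an SSLv3/TLS record */
    if (buf[0] == 0x15 && n >= 7) {                     /* alert record */
        r.kind = REPLY_ALERT;
        r.alert_level = buf[5];
        r.alert_desc = buf[6];
    } else if (buf[0] == 0x16 && buf[5] == 0x02) {      /* handshake: ServerHello */
        r.kind = REPLY_SERVER_HELLO;
    }
    return r;
}

static const char *reply_name(enum reply_kind k)
{
    static const char *names[] = { "closed without reply", "I/O error",
                                   "alert", "ServerHello", "not TLS" };
    return names[k];
}

int main(void)
{
    struct reply_info a = classify_reply(sample_alert, (long)sizeof sample_alert);
    printf("read 0 bytes -> %s\n", reply_name(classify_reply(NULL, 0).kind));
    printf("alert sample -> %s level=%d desc=%d\n", reply_name(a.kind), a.alert_level, a.alert_desc);
    printf("hello sample -> %s\n",
           reply_name(classify_reply(sample_hello, (long)sizeof sample_hello).kind));
    return 0;
}
```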

