
SSL Handshake failure

652458 (Sep 9 2008, edited Sep 12 2008)
Hey folks,

So following on from my previous thread, I decided to leave aside the updateconfig of dcmctl and see what happens.

To summarise, I can't seem to get the server to recognise our certificate so here are the steps we took.

1) We ordered an SSL certificate from our ISP (Namesco, for those of you in the UK), which put 2 files on the server: server1.domain.co.uk.crt and server1.domain.co.uk.key.

2) I created a new wallet with Oracle Wallet Manager. Now all the instructions I saw state that you should start with a certificate request. I tried with and without and it made no difference, so I just left it without and imported server1.domain.co.uk.crt into the list of trusted certificates. However, because I didn't use the wallet manager to initiate a certificate request, I can't import a user certificate. I'm not sure whether this matters or not, so this may be where the problem is; I simply don't know.

3) I followed the steps detailed on http://docs.huihoo.com/oracle/docs/B14099_19/web.1012/b14007/ssl.htm and under section 11.2 Configuring SSL, ignored point 4 after speaking to the guys who installed Oracle on our server.

Now even after reloading and restarting opmn, I only get grief if I try to run https://server1.domain.co.uk:4443

Under Firefox I get a "Firefox and server1.domain.co.uk cannot communicate securely because they have no common encryption algorithms".

With wget I get:
wget -S -v https://server1.domain.co.uk:4443
--12:35:10-- https://server1.domain.co.uk:4443/
=> `index.html'
Resolving server1.domain.co.uk... 127.0.0.1
Connecting to server1.domain.co.uk|127.0.0.1|:4443... connected.
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.

With cURL I get:
curl -v -i "https://server1.domain.co.uk:4443"
* About to connect() to server1.domain.co.uk port 4443
* Trying 127.0.0.1... * connected
* Connected to server1.domain.co.uk (127.0.0.1) port 4443
* successfully set certificate verify locations:
* CAfile: /usr/share/ssl/certs/ca-bundle.crt
CApath: none
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection #0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I'm not sure where it gets the above CAfile path, but it does not correspond to any of the config files I'm supposed to work with.

Checking ssl_engine_log (I set the SSLLogLevel to debug to have some clue as what's going on) I see:

[09/Sep/2008 12:34:44 23476] [info] Server: Oracle-HTTP-Server/1.3.31, Interface: mod_ossl/10.1.2.0.0, Library:
[09/Sep/2008 12:34:44 23476] [info] Init: 1st startup round (still not detached)
[09/Sep/2008 12:34:44 23476] [debug] Init: Server server1.domain.co.uk:4443: SSO Wallet found! 0
[09/Sep/2008 12:34:45 23476] [trace] Init: (server1.domain.co.uk:8080) Configuring permitted proxy SSL ciphers [DEFAULT]
[09/Sep/2008 12:34:45 23476] [trace] Init: (server1.domain.co.uk:4443) Configuring permitted proxy SSL ciphers [DEFAULT]
[09/Sep/2008 12:34:45 23476] [trace] Init: (127.0.0.1:7200) Configuring permitted proxy SSL ciphers [DEFAULT]
[09/Sep/2008 12:34:45 23476] [info] Init: 2nd startup round (already detached)
[09/Sep/2008 12:34:45 23476] [trace] Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0
[09/Sep/2008 12:34:45 23476] [info] Init: Initializing (virtual) servers for SSL
[09/Sep/2008 12:34:45 23476] [info] Init: Configuring server server1.domain.co.uk:4443 for SSL protocol
[09/Sep/2008 12:34:45 23476] [trace] Init: (server1.domain.co.uk:4443) Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP]
[09/Sep/2008 12:34:46 23476] [trace] Init: (server1.domain.co.uk:8080) Configuring permitted proxy SSL ciphers [DEFAULT]
[09/Sep/2008 12:34:46 23476] [trace] Init: (server1.domain.co.uk:4443) Configuring permitted proxy SSL ciphers [DEFAULT]
[09/Sep/2008 12:34:46 23476] [trace] Init: (127.0.0.1:7200) Configuring permitted proxy SSL ciphers [DEFAULT]
[09/Sep/2008 12:34:51 23486] [info] Connection to child 0 established (server server1.domain.co.uk:4443, client 127.0.0.1)
[09/Sep/2008 12:34:51 23486] [trace] Inter-Process Session Cache: request=REM status=OK id= (session dead)
[09/Sep/2008 12:34:51 23486] [error] SSL call to NZ function nzos_Handshake failed with error 29040 (server server1.domain.co.uk:4443, client 127.0.0.1)
[09/Sep/2008 12:34:51 23486] [error] Unknown error
[09/Sep/2008 12:35:10 23495] [info] Connection to child 3 established (server server1.domain.co.uk:4443, client 127.0.0.1)
[09/Sep/2008 12:35:10 23495] [trace] Inter-Process Session Cache: request=REM status=OK id= (session dead)
[09/Sep/2008 12:35:10 23495] [error] SSL call to NZ function nzos_Handshake failed with error 29040 (server server1.domain.co.uk:4443, client 127.0.0.1)
[09/Sep/2008 12:35:10 23495] [error] Unknown error
[09/Sep/2008 12:46:11 23492] [info] Connection to child 2 established (server server1.bedlam.co.uk:4443, client 127.0.0.1)
[09/Sep/2008 12:46:11 23492] [trace] Inter-Process Session Cache: request=REM status=OK id= (session dead)
[09/Sep/2008 12:46:11 23492] [error] SSL call to NZ function nzos_Handshake failed with error 29040 (server server1.bedlam.co.uk:4443, client 127.0.0.1)
[09/Sep/2008 12:46:11 23492] [error] Unknown error
[09/Sep/2008 12:48:21 23595] [info] Connection to child 6 established (server server1.domain.co.uk:4443, client 127.0.0.1)
[09/Sep/2008 12:48:21 23595] [trace] Inter-Process Session Cache: request=REM status=OK id= (session dead)
[09/Sep/2008 12:48:21 23595] [error] SSL call to NZ function nzos_Handshake failed with error 29040 (server server1.domain.co.uk:4443, client 127.0.0.1)
[09/Sep/2008 12:48:21 23595] [error] Unknown error

This shows a whole lot of dead sessions, which probably correspond to the failed handshakes mentioned above, though at this stage I'm not entirely sure.

So this is all I've managed to gather and still can't get SSL to run. Note that since we have Oracle Apache running alongside "normal" Apache on the same server I have Apex running on port 8080 to avoid conflict, though I doubt this would cause a problem.

It just seems like it's something to do with the certificate itself, which is somehow not quite right. Do I need to store my .crt and .key files in a specific location, or is the wallet enough?

If anyone has ideas I would be quite keen to hear them, as I've now pretty much run out of options.

Thanks a lot for your help :)

Edit: So how do you bypass those formatting gizmos anyway?

Edited by: loupblanc on Sep 9, 2008 2:05 PM
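An added diagnostic helper, not part of the original post or of Oracle's documentation, that checks the two things the post leaves open: whether the delivered .crt and .key files actually belong together (a server that holds a certificate but no matching private key cannot complete any cipher suite, which clients report as a handshake failure), and what the listener on port 4443 actually answers. It assumes the OpenSSL command-line tool is installed and uses the post's file and host names purely as placeholders; the key comparison hashes the public key rather than the RSA modulus, so it also works for EC keys.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post or the Oracle docs).
# Assumes the OpenSSL command-line tool is installed; file names, host and
# port are placeholders taken from the post, not real systems.

# Print "match" when a PEM certificate and PEM private key belong together,
# "mismatch" when they do not, "unreadable" when either cannot be parsed.
# Comparing the SHA-256 of the DER public key (not the RSA modulus) also
# covers EC keys.
cert_key_match() {
    cert="$1"; key="$2"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 2; }
    openssl pkey -in "$key" -noout >/dev/null 2>&1 || { echo unreadable; return 2; }
    c=$(openssl x509 -in "$cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ] && { echo match; return 0; }
    echo mismatch; return 1
}

# Probe a TLS endpoint the way the post's wget/curl did and classify the
# outcome: "ok" (the server presented a certificate), "alert" (the server
# answered with a TLS alert such as "handshake failure"), "noconnect"
# (nothing accepted the TCP connection) or "unknown".
probe_tls() {
    host="$1"; port="$2"
    out=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>&1) || true
    case "$out" in
        *"BEGIN CERTIFICATE"*)                      echo ok ;;
        *"alert"*)                                  echo alert ;;
        *"onnection refused"*|*"connect:errno"*)    echo noconnect ;;
        *)                                          echo unknown ;;
    esac
}

# Usage (placeholders from the post):
#   sh tlscheck.sh server1.domain.co.uk.crt server1.domain.co.uk.key server1.domain.co.uk 4443
if [ "$#" -eq 4 ]; then
    echo "cert/key pair: $(cert_key_match "$1" "$2")"
    echo "endpoint:      $(probe_tls "$3" "$4")"
fi
```

If the pair reports "match" but the endpoint still reports "alert", the problem is on the server side (the wallet or the SSL configuration), not in the files the ISP delivered.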