httpd-docs mailing list archives

From Apache Wiki <>
Subject [Httpd Wiki] Update of "ScratchPad" by TomasPospisek
Date Thu, 13 Oct 2011 12:29:57 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "ScratchPad" page has been changed by TomasPospisek:

working on the "debugging SSL" article

  Unfortunately IE is not helpful at all in its failure mode. When something's wrong, it will not finalize the setup of the SSL connection and not display any useful error. FF instead will at least display a semi-useful error.
+ == Finding out what caused a handshake to fail ==
+ If client and server fail to set up an SSL communication channel between them, you'll see something like the following in Apache's SSL log (see the paragraph on "SSL Error Logging" on how to set it up):
+ {{{
+ [Thu Oct 06 16:39:06 2011] [debug] ssl_engine_kernel.c(1791): OpenSSL: Exit: error in SSLv3 read client certificate B
+ [Thu Oct 06 16:39:06 2011] [error] Re-negotiation handshake failed: Not accepted by client!?
+ }}}
+ That is only half-way useful: first, it doesn't say what exactly the reason was that the client didn't accept the certificate, and second, in this specific case it's misleading, because in fact it was the server that told the client that it wouldn't accept the certificate the client was presenting to it.
+ A more specific reason for the communications breakdown can be found in the SSL protocol trace (see the "Debugging tools" section on how to do a trace).
+ [[|This document]] explains how to dissect the handshake and how to find the relevant message containing the specific error code. Note that one doesn't need the Microsoft Network Monitor to do the message dissecting: Wireshark works equally well.
+ The important thing to take away from [[|the document]] is that SSL contains an alert protocol, which can be seen and found in the transmitted TCP packets of an SSL communication, and which contains an error code specifying the reason why a communication failed to be set up.
+ As you can see in the screenshot, the two bytes contained in the "Alert Message" contain the error code "2f", which can be looked up in the respective [[|rfc]]. In this case it's the code 47 (0x2f), which means "illegal_parameter": there was some property of the certificate that the server (!) didn't like and refused to accept. In our case the server was expecting a different issuer CN.
