> On Apr 24, 2017, at 5:18 PM, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> > wrote: > > I use a 3rd-party application that is trying to update itself (so it’s trying > to “call home”). Naturally, I’m behind a corporate firewall and Web proxy. > The app has been configured to use that proxy. It fails to connect. Packet > capture reveals the following:
You're noticeably at this point in the problem report. Is this a packet capture between the application and the proxy, or between the proxy and the outside host? At what stage of the handshake is the alert seen? Have you tried using "curl" to complete a proxied connection to the remote server? > Handshake failed > > The SSL handshake could not be performed. > > Host: <remote host name> > Reason: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate > unknown:state 23:Application response 500 handshakefailed The alert is always generated remotely and reported locally. It could in theory come from the proxy, but more likely from the real remote server. > I must be dense today (and please, no comment about how this state might be > more permanent than that (), but I can’t figure even which peer is > complaining. Is it the local end (aka the application) that doesn’t like the > proxy’s certificate? Is it the Web proxy that doesn’t like the remote host > certificate? Or is it the remote end that doesn’t like the proxy’s > certificate? > > I can connect to the remote host via browser just fine The server may not like the client's ciphers or protocol version. See my recent post: https://www.spinics.net/lists/openssl-users/msg05623.html for instructions on how to extract SSL info from PCAP files in a way that mostly trims away endpoint details... (of course SNI names and cert names would still be there, so you'd need to trim those if you want to anonymize the guilty parties). Capture the traffic between the proxy and the remote server if at all possible, and compare with the trace between client and proxy. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
