SSL handshake failure

2010-11-14 Thread Timur Elzhov
Hi, openssl experts!

It's required to transfer data to the Apple Push service, which is located at
gateway.sandbox.push.apple.com:2195. I've been given the certificate and private
key, both included in Certificate_and_key.pem. Trying to connect:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CAfile EntrustCA.pem -cert Certificate_and_key.pem


The server's certificate passes successfully (with the CA included in
EntrustCA.pem), but the error is the following:

140735074831484:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1193:SSL alert number 46
140735074831484:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:


I tried to google alert 46, but found only that "something wrong with
client's certificate". Is it possible to get more details about the failure?

Below is some info that might be helpful. I read about X509v3
extensions just tonight, and it's not yet clear to me whether the extensions
could relate to my problem:

$ openssl verify -CAfile AppleCA.pem Certificate_and_key.pem

 . . .
error 34 at 0 depth lookup:unhandled critical extension
OK

$ openssl x509 -in Certificate_and_key.pem -text -noout -purpose


Here all the extensions are marked as "critical":

   X509v3 extensions:
       X509v3 Basic Constraints: critical
           CA:FALSE
       X509v3 Extended Key Usage: critical
           Code Signing
       X509v3 Key Usage: critical
           Digital Signature
   . . .
   Certificate purposes:
   SSL client : No
   SSL client CA : No
   SSL server : No
   SSL server CA : No
   Netscape SSL server : No
   Netscape SSL server CA : No
   S/MIME signing : No
   S/MIME signing CA : No
   S/MIME encryption : No
   S/MIME encryption CA : No
   CRL signing : No
   CRL signing CA : No
   Any Purpose : Yes
   Any Purpose CA : Yes
   OCSP helper : Yes
   OCSP helper CA : No
   Time Stamp signing : No
   Time Stamp signing CA : No


Maybe the "SSL client : No" line is related to the connection failure?

Many thanks in advance!

--
WBR,
Timur


s_server crashes in version 1.0.0a

2010-11-14 Thread Marcus Carey
Windows XP Service Pack 3
OpenSSL version 1.0.0a 1 Jun 2010

C:\openssl-1.0.0a\out32dll>openssl s_server
Loading 'screen' into random state - done
Using default temp DH parameters
Using default temp ECDH parameters

After this message I get a pop-up window saying openssl has encountered a
problem and needs to close.

static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
{
    int i;
    BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);

    for (i = (top); i != 0; i--)
        *_tmp1++ = *_tmp2++;
}

The debugger has the following information

*_tmp1 = 0
i = 8
top = 8

Unhandled exception at 0x0049f836 (libeay32.dll) in openssl.exe: 0xC005: 
Access violation reading location 0x0001.





Here is the call stack

> libeay32.dll!nist_cp_bn(unsigned int * buf=0x00abcf98, unsigned int * a=0x0001, int top=8)  Line 308 + 0x6 C
  libeay32.dll!BN_nist_mod_256(bignum_st * r=0x00aba9e8, const bignum_st * a=0x00aba9e8, const bignum_st * field=0x00569614, bignum_ctx * ctx=0x003cb468)  Line 641 + 0xf C
  libeay32.dll!ec_GFp_nist_field_mul(const ec_group_st * group=0x00abd308, bignum_st * r=0x00aba9e8, const bignum_st * a=0x00abdc88, const bignum_st * b=0x00abd5e4, bignum_ctx * ctx=0x003cb468)  Line 176 + 0x1c C
  libeay32.dll!ec_GFp_simple_points_make_affine(const ec_group_st * group=0x00abd308, unsigned int num=4, ec_point_st * * points=0x00aba770, bignum_ctx * ctx=0x003cb468)  Line 1649 + 0x2e C
  libeay32.dll!EC_POINTs_make_affine(const ec_group_st * group=0x00abd308, unsigned int num=4, ec_point_st * * points=0x00aba770, bignum_ctx * ctx=0x003cb468)  Line 1108 + 0x18 C
  libeay32.dll!ec_wNAF_mul(const ec_group_st * group=0x00abd308, ec_point_st * r=0x00abd410, const bignum_st * scalar=0x00aba750, unsigned int num=0, const ec_point_st * * points=0x0012f958, const bignum_st * * scalars=0x0012f95c, bignum_ctx * ctx=0x003cb468)  Line 647 + 0x15 C
  libeay32.dll!EC_POINTs_mul(const ec_group_st * group=0x00abd308, ec_point_st * r=0x00abd410, const bignum_st * scalar=0x00aba750, unsigned int num=0, const ec_point_st * * points=0x0012f958, const bignum_st * * scalars=0x0012f95c, bignum_ctx * ctx=0x003cb468)  Line 1123 + 0x21 C
  libeay32.dll!EC_POINT_mul(const ec_group_st * group=0x00abd308, ec_point_st * r=0x00abd410, const bignum_st * g_scalar=0x00aba750, const ec_point_st * point=0x, const bignum_st * p_scalar=0x, bignum_ctx * ctx=0x003cb468)  Line 1139 + 0x3d C
  libeay32.dll!EC_KEY_generate_key(ec_key_st * eckey=0x00abd008)  Line 275 + 0x1c C
  ssleay32.dll!ssl3_ctx_ctrl(ssl_ctx_st * ctx=0x00abc508, int cmd=4, long larg=0, void * parg=0x00abad20)  Line 2648 + 0x9 C
  ssleay32.dll!SSL_CTX_ctrl(ssl_ctx_st * ctx=0x00abc508, int cmd=4, long larg=0, void * parg=0x00abad20)  Line 1171 + 0x18 C
  openssl.exe!s_server_main(int argc=0, char * * argv=0x003c2598)  Line 1565 + 0x17 C
  openssl.exe!do_cmd(lhash_st_FUNCTION * prog=0x00ab6210, int argc=1, char * * argv=0x003c2594)  Line 413 + 0xe C
  openssl.exe!main(int Argc=1, char * * Argv=0x003c2594)  Line 312 + 0x14 C
  openssl.exe!mainCRTStartup()  Line 398 + 0xe C
  kernel32.dll!7c817077()





Re: s_server crashes in version 1.0.0a

2010-11-14 Thread Dr. Stephen Henson
On Sun, Nov 14, 2010, Marcus Carey wrote:

> Windows XP Service Pack 3
> OpenSSL version 1.0.0a 1 Jun 2010
> 
> C:\openssl-1.0.0a\out32dll>openssl s_server
> Loading 'screen' into random state - done
> Using default temp DH parameters
> Using default temp ECDH parameters
>
> After this message I get a pop-up window saying openssl has encountered a
> problem and needs to close.
> 

Please try a recent snapshot, this should be fixed now.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


Re: SSL handshake failure

2010-11-14 Thread Dr. Stephen Henson
On Sun, Nov 14, 2010, Timur Elzhov wrote:

> Hi, openssl experts!
> 
> It's required to transfer data to Apple Push service that is located at
> gateway.sandbox.push.apple.com:2195. I'm given the certificate and private
> key both included in Certificate_and_key.pem. Trying to connect:
> 
> $ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CAfile EntrustCA.pem -cert Certificate_and_key.pem
> 
> 
> Server's certificate is passed successfully (with CA included in
> EntrustCA.pem) but the error is following:
> 
> 140735074831484:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1193:SSL alert number 46
> 140735074831484:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
> 
> 
> I tried to google about alert 46, but found only that "something wrong with
> client's certificate". Is it possible to get more details about failure?
> 

That's all the server sends back. Is that the correct certificate for that
server?

> X509v3 Extended Key Usage: critical
>     Code Signing
>

Well, the above extension would mean that the certificate can only be used for
code signing, not SSL client authentication.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
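
The purpose check discussed in this reply, as an added example that is not part of the original thread: it builds two throwaway self-signed certificates, one with a critical Code Signing EKU and one with clientAuth, and asks OpenSSL whether each may be used as an SSL client. The file names, the helper function names and the constructed test subject are assumptions of this example, and `-addext` requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: compare a code-signing-only certificate with a clientAuth one.
# Both certificates are constructed, self-signed test certs created on the fly.

WORK=$(mktemp -d)

# Minimal request config so the run does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-test-cert
EOF

# make_cert NAME EKU: self-signed cert whose only EKU is the given critical value.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/req.cnf" \
        -addext "extendedKeyUsage=critical,$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# usable_as_ssl_client FILE: succeeds only if the purpose listing reports
# "SSL client : Yes", the line that read "No" in the original post.
usable_as_ssl_client() {
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL client : Yes'
}

# eku_of FILE: print the Extended Key Usage values listed in the certificate.
eku_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

make_cert codesign codeSigning
make_cert client clientAuth

for c in codesign client; do
    if usable_as_ssl_client "$WORK/$c.pem"; then verdict=yes; else verdict=no; fi
    echo "$c: EKU=[$(eku_of "$WORK/$c.pem")] usable as SSL client: $verdict"
done
```

Running `usable_as_ssl_client` against a certificate before deploying it catches an EKU mismatch locally, instead of through the server's alert 46.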


Re: s_server crashes in version 1.0.0a

2010-11-14 Thread Marcus Carey

I tried the latest snapshot before I sent the first email.
OpenSSL 1.0.1-dev xx XXX .

Also, when I ran the tests, they all passed.  However, the ectest.exe
application crashed.




Re: s_server crashes in version 1.0.0a

2010-11-14 Thread Mounir IDRASSI

Hi,

I have no crash here, both with the official release and the snapshot.
Moreover, it is surprising that the command "openssl s_server" executes
on your machine without specifying a key, which means that you have a
server.pem file in your out32dll directory. In a clean build, there is
no such file. Maybe you have some malformed key. Can you please check that?


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr




Re: s_server crashes in version 1.0.0a

2010-11-14 Thread Marcus Carey

I created a key.

I just downgraded to the previous distribution, which works.

Thanks.
