8 Replies Latest reply on Sep 12, 2008 4:46 PM by 652458

    SSL Handshake failure

    652458
      Hey folks,

      So following on from my previous thread, I decided to leave aside the updateconfig of dcmctl and see what happens.

      To summarise, I can't seem to get the server to recognise our certificate so here are the steps we took.

      1) We ordered an SSL certificate from our ISP (Namesco, for those of you in the UK), which put on the server 2 files server1.domain.co.uk.crt and server1.domain.co.uk.key.

      2) I created a new wallet with Oracle Wallet Manager. Now all the instructions I saw state that you should start with a certificate request. I tried with and without, and it made no difference, so I just left it without and imported server1.domain.co.uk.crt into the list of trusted certificates. However, because I didn't use the wallet manager to initiate a certificate request, I can't import a user certificate. I'm not sure whether this matters or not, so this may be where the problem is; I simply don't know.

      3) I followed the steps detailed on http://docs.huihoo.com/oracle/docs/B14099_19/web.1012/b14007/ssl.htm and under section 11.2 Configuring SSL, ignored point 4 after speaking to the guys who installed Oracle on our server.

      Now even after reloading and restarting opmn, I only get grief if I try to run https://server1.domain.co.uk:4443

      Under Firefox I get a "Firefox and server1.domain.co.uk cannot communicate securely because they have no common encryption algorithms"

      With wget I get:
      wget -S -v https://server1.domain.co.uk:4443
      --12:35:10-- https://server1.domain.co.uk:4443/
      => `index.html'
      Resolving server1.domain.co.uk... 127.0.0.1
      Connecting to server1.domain.co.uk|127.0.0.1|:4443... connected.
      OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
      Unable to establish SSL connection.

      With cURL I get:
      curl -v -i "https://server1.domain.co.uk:4443"
      * About to connect() to server1.domain.co.uk port 4443
      * Trying 127.0.0.1... * connected
      * Connected to server1.domain.co.uk (127.0.0.1) port 4443
      * successfully set certificate verify locations:
      * CAfile: /usr/share/ssl/certs/ca-bundle.crt
      CApath: none
      * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
      * Closing connection #0
      curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

      I'm not sure where it gets the above CAfile path, but it does not correspond to any of the config files I'm supposed to work with.

      Checking ssl_engine_log (I set the SSLLogLevel to debug to have some clue as to what's going on) I see:

      [09/Sep/2008 12:34:44 23476] [info] Server: Oracle-HTTP-Server/1.3.31, Interface: mod_ossl/10.1.2.0.0, Library:
      [09/Sep/2008 12:34:44 23476] [info] Init: 1st startup round (still not detached)
      [09/Sep/2008 12:34:44 23476] [debug] Init: Server server1.domain.co.uk:4443: SSO Wallet found! 0
      [09/Sep/2008 12:34:45 23476] [trace] Init: (server1.domain.co.uk:8080) Configuring permitted proxy SSL ciphers [DEFAULT]
      [09/Sep/2008 12:34:45 23476] [trace] Init: (server1.domain.co.uk:4443) Configuring permitted proxy SSL ciphers [DEFAULT]
      [09/Sep/2008 12:34:45 23476] [trace] Init: (127.0.0.1:7200) Configuring permitted proxy SSL ciphers [DEFAULT]
      [09/Sep/2008 12:34:45 23476] [info] Init: 2nd startup round (already detached)
      [09/Sep/2008 12:34:45 23476] [trace] Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0
      [09/Sep/2008 12:34:45 23476] [info] Init: Initializing (virtual) servers for SSL
      [09/Sep/2008 12:34:45 23476] [info] Init: Configuring server server1.domain.co.uk:4443 for SSL protocol
      [09/Sep/2008 12:34:45 23476] [trace] Init: (server1.domain.co.uk:4443) Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP]
      [09/Sep/2008 12:34:46 23476] [trace] Init: (server1.domain.co.uk:8080) Configuring permitted proxy SSL ciphers [DEFAULT]
      [09/Sep/2008 12:34:46 23476] [trace] Init: (server1.domain.co.uk:4443) Configuring permitted proxy SSL ciphers [DEFAULT]
      [09/Sep/2008 12:34:46 23476] [trace] Init: (127.0.0.1:7200) Configuring permitted proxy SSL ciphers [DEFAULT]
      [09/Sep/2008 12:34:51 23486] [info] Connection to child 0 established (server server1.domain.co.uk:4443, client 127.0.0.1)
      [09/Sep/2008 12:34:51 23486] [trace] Inter-Process Session Cache: request=REM status=OK id= (session dead)
      [09/Sep/2008 12:34:51 23486] [error] SSL call to NZ function nzos_Handshake failed with error 29040 (server server1.domain.co.uk:4443, client 127.0.0.1)
      [09/Sep/2008 12:34:51 23486] [error] Unknown error
      [09/Sep/2008 12:35:10 23495] [info] Connection to child 3 established (server server1.domain.co.uk:4443, client 127.0.0.1)
      [09/Sep/2008 12:35:10 23495] [trace] Inter-Process Session Cache: request=REM status=OK id= (session dead)
      [09/Sep/2008 12:35:10 23495] [error] SSL call to NZ function nzos_Handshake failed with error 29040 (server server1.domain.co.uk:4443, client 127.0.0.1)
      [09/Sep/2008 12:35:10 23495] [error] Unknown error
      [09/Sep/2008 12:46:11 23492] [info] Connection to child 2 established (server server1.bedlam.co.uk:4443, client 127.0.0.1)
      [09/Sep/2008 12:46:11 23492] [trace] Inter-Process Session Cache: request=REM status=OK id= (session dead)
      [09/Sep/2008 12:46:11 23492] [error] SSL call to NZ function nzos_Handshake failed with error 29040 (server server1.bedlam.co.uk:4443, client 127.0.0.1)
      [09/Sep/2008 12:46:11 23492] [error] Unknown error
      [09/Sep/2008 12:48:21 23595] [info] Connection to child 6 established (server server1.domain.co.uk:4443, client 127.0.0.1)
      [09/Sep/2008 12:48:21 23595] [trace] Inter-Process Session Cache: request=REM status=OK id= (session dead)
      [09/Sep/2008 12:48:21 23595] [error] SSL call to NZ function nzos_Handshake failed with error 29040 (server server1.domain.co.uk:4443, client 127.0.0.1)
      [09/Sep/2008 12:48:21 23595] [error] Unknown error

      This shows a whole lot of dead sessions, which probably correspond to the failed handshakes mentioned above, though at this stage I'm not entirely sure.

      So this is all I've managed to gather and I still can't get SSL to run. Note that since we have Oracle Apache running alongside "normal" Apache on the same server, I have Apex running on port 8080 to avoid conflict, though I doubt this would cause a problem.

      It just seems like it's something to do with the certificate itself which is somehow not quite right. Do I need to store my .crt and .key files in a specific location? or is the wallet enough?

      If anyone has ideas I would be quite keen to hear them as I've now pretty much run out of options.

      Thanks a lot for your help :)

      Edit: So how do you bypass those formatting gizmos anyway?

      Edited by: loupblanc on Sep 9, 2008 2:05 PM
        • 1. Re: SSL Handshake failure
          Shail Goel-Oracle
          Check Note:473047.1 on MetaLink to see if that solves the problem.

          Thanks
          Shail
          • 2. Re: SSL Handshake failure
            652458
            ermm, sorry to be thick but how do I do that?
            • 3. Re: SSL Handshake failure
              Shail Goel-Oracle
              You will need to login to http://metalink.oracle.com and search for this note.
              • 4. Re: SSL Handshake failure
                652458
                I don't have login credentials for that. I tried using my login details for this forum but it didn't work (and yes, I tried both my email and my username). Since there is no "register" page that I can see, it'll be a little hard to access this quote.

                I'll have to ask the guys who installed Oracle for us if they have login credentials for that tomorrow.

                Thanks anyway
                • 5. Re: SSL Handshake failure
                  Shail Goel-Oracle
                  Hum! Don't you see this on the first page?

                  First Time Users
                       Register For MetaLink

                  If not here is the direct link:
                  https://metalink.oracle.com/metalink/plsql/f?p=200:34

                  Note that you will need your support identifier number (CSI number) in order to register at MetaLink.
                  • 6. Re: SSL Handshake failure
                    Shail Goel-Oracle
                    Oh well you can figure out the login details for future reference but here is the text of this note:

                    Applies to:
                    Oracle HTTP Server - Version: 10.1.2 to 10.1.4
                    This problem can occur on any platform.

                    Symptoms
                    After configuring SSL, any https requests fail with the following error in the ssl_engine_log:

                    [03/Jan/2008 14:39:38 1405048] [error] SSL call to NZ function nzos_Handshake failed with error 29040

                    Changes
                    1. The default wallet with the default certificate tested successfully .
                    2. Using OWM, a new wallet was created and a CSR was submitted to the certificate authority.
                    3. When the certificate was returned, it was successfully imported into the wallet with all necessary root certificates.
                    4. The default wallet was backed up and replaced with the new wallet.

                    Cause
                    The website certificate, i.e. www.abc.com, was imported into the Trusted Certificates folder. When doing this, it imports fine but the CSR is reported as [Requested]. As this is the only certificate in the wallet, the SSL libraries have no cipher suites to use (see note).

                    NZE-29040: There are no supported cipher suites.

                    Cause: This end of the handshake cannot support any cipher suites. This connection and the peer have some matching cipher suites; however, these cipher suites cannot be negotiated because they cannot be supported by the connection.

                    Action: Check to ensure that both sides of the handshake select cipher suites that are supported by the connection. Refer to Oracle documentation for supported cipher suites.

                    Solution
                    1. Remove the certificate from the Trusted Certificates folder
                    2. Right click on "Certificate: [Requested]" and choose to import the certificate
                    3. Import certificate
                    • 7. Re: SSL Handshake failure
                      652458
                      sigh still no joy.

                      The system won't let me import the certificate. I've tried to create a request that matches the Subject name line of the certificate I had imported in the trusted certificates, but if I try to import the certificate as a user certificate I get a

                      "User certificate install failed, possible errors:
                      - input was not a valid certificate
                      - No matching certificate request was found
                      - CA certificate needed for certificate chain not found.
                      Please install it first"

                      So I'm guessing I need to fiddle with the certificate request until owm finds it matches the actual certificate. Unfortunately, as I said, I wasn't the one who ordered the certificate; our ISP did that for us...

                      PS (unrelated): Is there a day when the Oracle forum does not go down?
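                      The three possible causes in that OWM error message, and the "no common encryption algorithms" / "no supported cipher suites" symptom from the first post, all come down to two facts about the wallet: whether it holds a private key that matches the certificate, and whether the issuing CA's certificate is present so the chain verifies. The script below is an added example written for this page (it is not from the thread, and it is not Oracle's tooling); it reproduces the same checks with openssl on a constructed fixture: a throwaway CA, a request from the "wallet" key and the certificate issued for it, a second request from a fresh key (what re-creating the request in OWM produces), and an unrelated CA standing in for a missing issuer. All file names and subjects are placeholders; openssl must be on PATH.

```shell
#!/bin/sh
# Added example for this page (not from the thread or from Oracle Wallet Manager).
# Reproduces with openssl the checks OWM applies when a user certificate is
# imported, in the order its error message lists them:
#   1. the input parses as an X.509 certificate,
#   2. its public key matches a pending request, i.e. the wallet's private key,
#   3. the issuing CA certificate is present so the chain verifies.
# Assumes the openssl CLI is on PATH; all file names and subjects are placeholders.

# PEM SubjectPublicKeyInfo carried by a certificate, a CSR or a private key.
# "Same key" means this text is identical whichever container it came from.
# Prints nothing (and the comparisons below fail) if the file does not parse.
pubkey_pem() {                     # $1 = x509 | req | pkey, $2 = file
    case "$1" in
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        pkey) openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null
}

cert_is_valid() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }

# 0 when the certificate was issued for the key behind the CSR (the case OWM
# accepts) or for the given private key (an ISP-supplied .crt/.key pair).
cert_matches_request() { c=$(pubkey_pem x509 "$1"); r=$(pubkey_pem req "$2");  [ -n "$c" ] && [ "$c" = "$r" ]; }
cert_matches_key()     { c=$(pubkey_pem x509 "$1"); k=$(pubkey_pem pkey "$2"); [ -n "$c" ] && [ "$c" = "$k" ]; }

# 0 when the certificate chains to a CA in the bundle.
cert_chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Prints the verdict OWM would give for importing $1 as a user certificate
# against request $2 with trusted bundle $3. Always exits 0; read the text.
import_check() {
    if ! cert_is_valid "$1"; then
        echo "input was not a valid certificate"
    elif ! cert_matches_request "$1" "$2"; then
        echo "No matching certificate request was found"
    elif ! cert_chain_ok "$1" "$3"; then
        echo "CA certificate needed for certificate chain not found"
    else
        echo "user certificate ready"
    fi
}

# Constructed fixture (throwaway keys, one-day validity): a test CA, a request
# from the wallet's key and the certificate the CA issues for it, a second
# request from a fresh key (what re-creating the request in OWM produces),
# and an unrelated CA to stand in for a missing issuer certificate.
make_fixture() {                   # $1 = directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$1/other-ca.key" -out "$1/other-ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server1.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server1.example.test" \
        -keyout "$1/recreated.key" -out "$1/recreated.csr" >/dev/null 2>&1
}

# Stand-alone run: each line prints the verdict named in its comment.
d=$(mktemp -d)
make_fixture "$d"
import_check "$d/server.crt" "$d/server.csr"    "$d/ca.crt"        # user certificate ready
import_check "$d/server.crt" "$d/recreated.csr" "$d/ca.crt"        # No matching certificate request was found
import_check "$d/server.crt" "$d/server.csr"    "$d/other-ca.crt"  # CA certificate needed for certificate chain not found
rm -rf "$d"
```

                      The second verdict is the one post 7 ran into: a request created after the fact carries a new key pair, so no certificate issued for the old request can ever match it; the only ways out are to import the original private key alongside the certificate or to have the CA issue a fresh certificate for the new request. The same holds for the ISP's server1.domain.co.uk.crt and .key from the first post: cert_matches_key on that pair tells you whether the wallet could ever serve it. OWM itself has no scripting interface, but the orapki tool that ships alongside it performs the same user-certificate import and applies the same three checks.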
                      • 8. Re: SSL Handshake failure
                        652458
                        okay so part of the issue above was due to the certificate not being properly installed in the Wallet manager. After much research and figuring out that "no you can't just recreate a certificate request and import the certificate you were given", I recreated a request from owm and got a new certificate from our ISP, which, as far as the owm understands, installed fine (User certificate is now "ready")

                        Of course it doesn't mean I can run my SSL connection. Now in my logs I get errors I'm having an even harder time finding references for on here or Google. Namely this:
                        [12/Sep/2008 09:17:54 18518] [error] SSL call to NZ function nzos_Handshake failed with error 29024 (server server1.domain.co.uk:4443, client 127.0.0.1)
                        [12/Sep/2008 09:17:54 18518] [error] Invalid X509 certificate chain [Hint: the client probably doesn't provide a valid client certificate]

                        So something's weird with the certificate. But if that's the case, why isn't owm complaining? For information, I've added a bunch of trusted certificates from the GeoTrust website, though I'm not sure those were required.

                        If I connect via cURL or wget I get this:

                        error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
                        Closing connection #0
                        curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

                        Connecting to server1.domain.co.uk|127.0.0.1|:8080... connected.
                        OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
                        Unable to establish SSL connection.

                        So now what? Unfortunately, we don't seem to have a proper licence yet (I'm just the developer by the way) so I can't access metalink yet and figure out what error 29024 refers to...

                        Thanks folks...
                        -----

                        Okay so the problem above got sorted by changing the SSLVerifyClient directive in ssl.conf to none (it was set as require).

                        However, it still doesn't fully sort my problem (is anyone still reading? ;)). Essentially, we're having to run Apex on port 8080 as Oracle Apache is running alongside the default Apache conf, as we use the latter to run a whole bunch of websites. So http://localhost:8080 works, https://localhost:4443 works, but http://localhost:8080 doesn't, and I can't really figure out why.

                        Should I create a second virtual directory in ssl.conf to run on a port which is already defined in httpd.conf?

                        Any ideas?

                        Edited by: loupblanc on Sep 12, 2008 5:41 PM
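                        The 29024 error in post 8 ("Invalid X509 certificate chain [Hint: the client probably doesn't provide a valid client certificate]", seen from curl as "sslv3 alert bad certificate") is the server side of SSLVerifyClient require: the listener demands a client certificate and aborts the handshake when the browser has none to offer. The fragment below is an added illustration for this page, not the thread's ssl.conf; the directive names are those of Oracle HTTP Server 10g mod_ossl, while the host, port and wallet path are placeholders. It shows the setting as the thread found it next to the one it was changed to, plus the middle option.

```apache
# Added illustration, not the ssl.conf from the thread. Host, port and the
# wallet path are placeholders; Apache-style config allows no inline comments,
# so each note sits on its own line.
Listen 4443
<VirtualHost server1.domain.co.uk:4443>
    SSLEngine on

    # The wallet must contain the user certificate (with its private key) and
    # the issuing CA chain. A certificate that sits only under "Trusted" gives
    # NZE-29040 "no supported cipher suites": there is no key to negotiate with.
    SSLWallet file:/path/to/wallet

    # As found in the thread: every client has to present a certificate the
    # server can chain to a trusted CA. A browser holding no client
    # certificate is refused with "bad certificate" (server log: 29024).
    # SSLVerifyClient require

    # What the thread switched to: the server authenticates itself, the
    # client is not asked for a certificate.
    SSLVerifyClient none

    # Middle ground when only some clients hold certificates: the handshake
    # completes either way and the application decides per request.
    # SSLVerifyClient optional
</VirtualHost>
```

                        The caveat: require is the correct value only where client certificates are actually issued and the site relies on them for access control; switching to none removes that control entirely, so it is a fix for the symptom only if mutual authentication was never intended. With none the wallet still needs a ready user certificate, which is why the earlier 29040 error had to be resolved first.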