
Hi all, I installed a trusted certificate on an IIS 6.0 server. I have port 443 open in the firewall and I verified the server is listening on that port. However, when verifying using openssl I get the following error:

$ openssl s_client -connect HOST:443 -debug -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x1001182b0 [0x10080a600] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00   ......W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00   ..3..2../.......
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00   ................
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11   .........@......
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00   ................
0060 - 00 ff fc cd 35 31 42 09-11 be d0 ab 79 27 30 cb   ....51B.....y'0.
0070 - 83 ce 16 ea 39 ab 14 cd-3b 2e ca 9e c9 70 05 46   ....9...;....p.F
0080 - 50 5b                                             P[
SSL_connect:SSLv2/v3 write client hello A
read from 0x1001182b0 [0x10080fc00] (7 bytes => 0 (0x0))
19973:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s23_lib.c:182:

I googled the error but only had a clue that maybe SSL v3.0 was required, but when I tried with the -ssl3 option I had the same output.

Any thoughts?

Thanks V

victor hugo
    What kind of ssl cert is it? Which CA did it come from? – mahnsc Oct 09 '11 at 15:34
  • I have a very similar problem with a Thawte SSL123 cert at the moment. Interestingly, in my case the certificate works fine in Firefox on Windows XP but has equal problems on an OSX client. I do not think it has to do with the version of SSL / TLS. Could you try the command without -debug? What does https://ssl-tools.verisign.com/#certChecker tell you? – Roman Oct 11 '12 at 19:02
  • I posted a separate question on my issue: http://serverfault.com/questions/437561/ssl-connection-error-during-handshake-on-windows-server-2008-r2 – Roman Oct 11 '12 at 23:44
  • Could you try with openssl s_client -debug -msg -state -status -showcerts -connect :443 and verify that you have not disabled SSLv2 or SSLv3 (https://support.microsoft.com/en-gb/kb/187498), as these have been disabled recently on a lot of systems due to security problems. Are you using anything in between the client and the host that might be performing some inspection, like a hardware firewall? – Matthew1471 Mar 06 '16 at 10:40
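To read what the `-debug` dump in the question actually says before trying other protocol flags, here is an added example (not code from the question, the answer, or any of the commenters) that decodes the 130 bytes OpenSSL wrote. The hex is transcribed from the question's own `write to ...` output; the cipher names are taken from the SSLv2 draft and the TLS cipher-suite registry as a partial lookup table, and anything not in the table is reported as raw hex.

```python
"""Decode the SSLv2-compatible ClientHello in the `openssl s_client -debug` dump
above. Added example: hex transcribed from the question; cipher names from the
SSLv2 draft and the TLS cipher-suite registry (partial table, unknown = raw hex)."""
import re

# Constructed input: the `write to ...` dump from the question, ASCII column dropped.
DUMP = """
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00
0060 - 00 ff fc cd 35 31 42 09-11 be d0 ab 79 27 30 cb
0070 - 83 ce 16 ea 39 ab 14 cd-3b 2e ca 9e c9 70 05 46
0080 - 50 5b
"""

VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Native SSLv2 cipher kinds: 3 bytes with a non-zero first byte.
SSLV2_CIPHER_KINDS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5", 0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5", 0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5", 0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# SSLv3/TLS suites; inside a v2-format hello they are carried as 00 xx yy.
TLS_SUITES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x009A: "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
    0x0099: "TLS_DHE_DSS_WITH_SEED_CBC_SHA", 0x0096: "TLS_RSA_WITH_SEED_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA", 0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA", 0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", 0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def parse_openssl_debug_dump(text):
    """Turn `-debug` hex-dump lines ("OOOO - xx xx ...-xx   ascii") back into bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*[0-9a-fA-F]{4} - (.*)", line)
        if m:
            hexfield = m.group(1)[:47]  # 16 bytes = 32 hex digits + 15 separators; drops any ASCII column
            out += bytes.fromhex("".join(re.findall(r"\b[0-9a-fA-F]{2}\b", hexfield)))
    return bytes(out)

def decode_v2_client_hello(data):
    """Parse an SSLv2-format CLIENT-HELLO record (2-byte header with the high bit set)."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError(f"record header claims {length} bytes, dump has {len(body)}")
    if body[0] != 0x01:
        raise ValueError(f"message type 0x{body[0]:02x} is not CLIENT-HELLO (0x01)")
    version = int.from_bytes(body[1:3], "big")
    cs_len, sid_len, ch_len = (int.from_bytes(body[i:i + 2], "big") for i in (3, 5, 7))
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != length:
        raise ValueError("length fields do not add up to the record length")
    specs, session_id = body[9:9 + cs_len], body[9 + cs_len:9 + cs_len + sid_len]
    challenge = body[9 + cs_len + sid_len:]
    ciphers = []
    for i in range(0, cs_len, 3):
        spec = int.from_bytes(specs[i:i + 3], "big")
        if spec >> 16 == 0:  # 00 xx yy: an SSLv3/TLS suite offered inside the v2 hello
            ciphers.append({"spec": f"{spec:06x}", "family": "tls",
                            "name": TLS_SUITES.get(spec, f"unknown TLS suite 0x{spec:04x}")})
        else:                # xx yy zz with xx != 0: a native SSLv2 cipher kind
            ciphers.append({"spec": f"{spec:06x}", "family": "sslv2",
                            "name": SSLV2_CIPHER_KINDS.get(spec, f"unknown SSLv2 cipher kind 0x{spec:06x}")})
    return {"record_length": length, "version": VERSIONS.get(version, f"0x{version:04x}"),
            "ciphers": ciphers, "session_id": session_id.hex(), "challenge": challenge.hex()}

def summarize(hello):
    """Human-readable view of what the client actually offered the server."""
    tls = [c for c in hello["ciphers"] if c["family"] == "tls"]
    v2 = [c for c in hello["ciphers"] if c["family"] == "sslv2"]
    export = [c for c in hello["ciphers"] if "EXPORT" in c["name"]]
    lines = [
        f"SSLv2-format CLIENT-HELLO, {hello['record_length']}-byte record body",
        f"highest protocol version offered: {hello['version']}",
        f"{len(hello['ciphers'])} cipher specs: {len(tls)} TLS suites, {len(v2)} SSLv2 cipher kinds, "
        f"{len(export)} export-grade",
        f"session id: {hello['session_id'] or '(none, new session)'}; challenge: {len(hello['challenge']) // 2} bytes",
    ]
    return lines + [f"  {c['spec']}  {c['name']}" for c in hello["ciphers"]]

if __name__ == "__main__":
    print("\n".join(summarize(decode_v2_client_hello(parse_openssl_debug_dump(DUMP)))))
```

Running it shows that the 0.9.8 client sent a v2-format hello whose version field is 03 01, i.e. TLS 1.0 as the highest version offered, carrying 23 TLS suites plus 6 SSLv2 cipher kinds (7 of the 29 are export-grade) and a 32-byte challenge. The next dump line, `read from ... (7 bytes => 0 (0x0))`, means OpenSSL asked for the first bytes of the server's reply and got end-of-file: the server closed the TCP connection without sending any alert. When comparing with the `-ssl3` attempt, check the first bytes of the written record: a real SSLv3 handshake record starts `16 03 00`, not `80 ...`, so if the server still closes the connection on that hello, the v2-compatible format is not what it is objecting to.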

1 Answer


I get that you already tried ssl3 and you asked the question a long time ago, but in case it helps someone else!

Try ssl2, ssl3 and tls1 using one of the static openssl binaries which come with testssl. These support more protocols and ciphers than the standard openssl.

If that doesn't work (or even if it does!), you can also run testssl against the server with one of those binaries:

testssl --openssl=./path_to_openssl_static_binaries
bao7uo