
Hi, I'm trying to configure an HTTPS load balancer in GCP, but when I set it up it shows me this:

Error: write EPROTO 140392502987240:error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:../../third_party/boringssl/src/ssl/tls_record.cc:594:SSL alert number 40 140392502987240:error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO:../../third_party/boringssl/src/ssl/handshake.cc:604:

I use the GCP default as the SSL policy, and the certificate is valid:

enter image description here

My frontends

enter image description here

But it is still not working; I don't know what else to do.

Daniel ORTIZ
  • Edit your question and include how the **frontend** and **backends** are configured. You have a mismatch in protocols HTTP -> HTTPS or HTTPS -> HTTP. Since you are using a Google managed certificate, typically you set up the backend to use HTTP. The details will indicate the problem. There are other possibilities for configurations and problems. – John Hanley Feb 04 '22 at 04:05
  • Can you follow this [link](https://cloud.google.com/iap/docs/load-balancer-howto) for setting up an external HTTPS load balancer in GCP and check this [link](https://github.com/postmanlabs/postman-app-support/issues/8612) for handshake failure. – Srividya Feb 04 '22 at 14:15
  • You must use the same IP address for both frontends. – John Hanley Feb 04 '22 at 18:36
  • Did you solve this problem? – John Hanley Feb 09 '22 at 17:10
  • @Daniel ORTIZ Did you solve your issue? If yes, can you please post your resolution procedure here. – Srividya Feb 15 '22 at 05:58

1 Answer


SSL proxy load balancers and global external HTTP(S) load balancers do not support SSL version 3.0 (SSLv3) or earlier. So, try to use a newer and more secure version to call the HTTPS load balancer. Check whether the certificate is valid and linked properly with the page.

EDIT:

SSL fatal error, handshake failure 40, indicates that the secure connection failed to establish because the client and the server couldn't agree on connection settings. This is usually because the client or the server is way too old, only supporting removed protocols/ciphers. Try adding the domain name of the server to connect to, and a TLS connection will be established.

Example:

$ openssl s_client -connect 104.26.3.5:443 -servername external.example.com

Srividya
  • The error is not an SSLv3 problem. SSL alert number 40 means no certificate as in connecting to an HTTP listener. – John Hanley Feb 09 '22 at 17:12
  • Not really, as I see it; it is a problem from my host domain provider. I talked with them and I found a lot of similar problems with other customers. – Daniel ORTIZ Feb 09 '22 at 20:17
  • The solution is to add a certificate and link it with the page. Access direct to GCP. – Daniel ORTIZ Feb 18 '22 at 00:22
  • @DanielORTIZ If the answer was useful, please mark the answer as accepted for greater visibility for community or upvote if the answer has some useful information. – Srividya Feb 21 '22 at 13:27
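
The `-servername` check from the answer, as an added Python example that is not part of the original thread: it attempts the handshake once with and once without SNI, and decodes the alert number from the error string in the question. The helper names `alert_from_error`, `probe` and `diagnose` are hypothetical, and certificate validation is disabled on the assumption that only the handshake outcome is being inspected.

```python
import re
import socket
import ssl

# TLS alert codes from RFC 8446, section 6 (subset relevant to handshake errors).
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          80: "internal_error", 112: "unrecognized_name"}

def alert_from_error(text):
    """Pull 'SSL alert number N' out of an OpenSSL/BoringSSL error string."""
    m = re.search(r"SSL alert number (\d+)", text)
    if m is None:
        return None
    code = int(m.group(1))
    return code, ALERTS.get(code, "unknown")

def probe(addr, port=443, sni=None, timeout=5.0):
    """Attempt one TLS handshake; sni=None sends no server_name extension."""
    ctx = ssl.create_default_context()
    # Diagnostic only: we want to see whether the handshake completes, so
    # certificate validation is switched off. Never reuse this context for data.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return ("ok", tls.version())
    except ssl.SSLError as exc:          # must precede OSError (it is a subclass)
        return ("tls-fail", exc.reason or str(exc))
    except OSError as exc:
        return ("tcp-fail", str(exc))

def diagnose(with_sni, without_sni):
    """Hypothetical helper: interpret the two probe results side by side."""
    if with_sni[0] == "tcp-fail":
        return "unreachable"
    if with_sni[0] == "ok":
        return "ok" if without_sni[0] == "ok" else "sni-required"
    return "fails-with-sni"   # look at the server side: certificate/frontend setup

if __name__ == "__main__":
    import sys
    addr, name = sys.argv[1], sys.argv[2]   # the frontend IP and its domain name
    a, b = probe(addr, sni=name), probe(addr)
    print("with SNI:", a, "| without SNI:", b, "|", diagnose(a, b))
```

A result of `sni-required` matches the answer's suggestion to pass the domain name; `fails-with-sni` points at the load balancer's certificate and frontend configuration instead.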