How to Resolve error during SSL Handshake with Remote Server?

13 November 2018 / 7 min read

How to Resolve error during SSL Handshake with Remote Server?

Item: How to Resolve error during SSL Handshake with Remote Server?
Rating: 7
Author: Rachael Chapman

By Rachael Chapman

In error during ssl handshake with remote server, SSL, SSL Handshake with Remote Server,

5 years ago

7 min read

Add comment

With advanced technology, a lot of things have developed when it comes to networks as well as coding, In this article, we will be discussing issues faced when you try to perform an SSL handshake with remote or local server. But before we proceed to know the reasons, the solutions or how these issues can be handled in real life scenarios, Let us now understand the basics included in the process.

Apache Server

Apache is a free and open source server software that runs with Apache License 2.0, It is developed and maintained under Apache Software Foundation, Most of the Apache services runs on Linux, However, they have developed so that it can be used on Windows and OS2 and on Unix as well for sites such as https://4boys.net/.

How an SSL handshake is carried out? Types?

SSL handshake is initiated when the browser on your device forwards a secure connection request to a Web server. The server sends a public key to your computer, and the remote computer checks the certificate with a known list of certificates. Once the certificate is accepted, the computer generates a key and then encrypts it using the server’s public key.

SSL handshakes are basically two types:

Basic SSL handshake
Client Authenticated SSL handshake

The basic model here lets the client verify the server, and a number of sessions secured by TLS only require this. However, some cipher suites will require the client to also send a certificate and public key for mutual authentication of both parties which as above is the client authenticated SSL handshake. This two-way authentication will, of course, add to the handshake effectively as the security increases when both the parties provide valid authentication steps to confirm the handshake, However, in some cases, the cipher suite will be needed to recommended to complete the process which in turn adds extra security to the session.

A SSL handshake includes multiple stages, each managed according to different set of rules. but the issue here is that rather than a series of separate back and forth connections as to what keys to use, how to encrypt the handshake, how to authenticate the handshake and vice versa, the origin and target parties can agree on a “cipher suite which is an existing kit of agreed-upon components. TLS specifications, however, allows quite a number of cipher suites, and the client and server will almost always have access to one set of agreed upon components.

Let us check some scenarios where the error occur and how it was resolved.

Upgrading servers without understanding the pros and cons are dangerous and can lead to huge confusions, A lot of Linux admins working on Apache version 2.2 encountered the same “ Error SSL handshake failed with server “ due to an upgrade in the server versions. Now it might be meaningless for you to hear that a simple server upgrade is causing this issue.

Replicating the error :

Consider an Apache running on port 443 and a web app working on Tomcat running on port 8443 on Ubuntu.

You can set up Apache as reverse proxy so that you can access the web app running on Tomcat using port 443 instead of 8443. With having SSL connection between both the Browser and Apache and also Apache and Tomcat, SSL is set up on both Apache and Tomcat. The web app works fine while accessed through Tomcat, But if you try accessing the web app running on Tomcat through Apache which is set up as Reverse proxy you will be getting an error as below:

=======================================================================

Proxy Error The proxy server could not handle the request GET /web_app.

Reason: Error during SSL Handshake with remote server

=====================================================================

This usually happens when either mod_ssl module or the directives are not specified correctly.

Based on the set up, there are 2 suggestions to fix the issue to have the server running fine without errors depending on the nature of the error:

Modifying/Adding directives under the mod_ssl module as below:

=======================================================================

SSLProxyEngine on

SSLProxyVerify none

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off

SSLProxyCheckPeerExpire off

=======================================================================

Checking if there is an additional ssl.conf file which has replaced or added while copying the *.conf file during the transition of 2.2 to 2.4, This can cause conflicts as both the files will have the same directives and none of them will respond, Removing one of them and restarting httpd will fix the issue.

When the NAM is upgraded to version 4.3 without changing any other features, there will be a compatibility issue with the additional files supporting the server set up, The below mentioned error appears when NAM is upgraded without testing the additional files.

The server encountered an internal error.

The proxy server could not handle the request

Reason: Error during SSL Handshake with remote server.

While checking the device manager error log files under – /opt/novell/devman/jcc/logs/ the following set of error is replicated.

==================================================================

/opt/novell/devman/jcc/logs/jcc-0.log.0:INFO: Executing /opt/novell/ssllib/bin/c_rehash /opt/novell/apache2/cacerts

/opt/novell/devman/jcc/logs/jcc-0.log.0:Cannot run program “/opt/novell/ssllib/bin/c_rehash” (in directory “/”): error=2, No such file or directory

/opt/novell/devman/jcc/logs/jcc-0.log.0:java.io.IOException: Cannot run program “/opt/novell/ssllib/bin/c_rehash” (in directory “/”): error=2, No such file or directory

==================================================================

However, this issue can be resolved by making the changes as below:

create the “/opt/novell/ssllib/bin/” directory

create the following module “c_rehash” and copy it into the “/opt/novell/ssllib/bin/” directory

=================================================================

#!/bin/sh

# print out the hash values

# based on /etc/pki/tls/misc/c_hash part of the openssl-1.0.0

export OPENSSL_CONF=/opt/novell/openssl/ssl/openssl.cnf

export LD_LIBRARY_PATH=/opt/novell/openssl/lib

w=”WellKnownThirdPartyTrustedRoots_auto.pem”

die () {

** echo >&2 “$@”**

** exit 1**

}

#[ “$#” -eq 1 ] || die “One directory argument required, $# provided”

#[ -d “$1” ] || die “Directory $1 does not exist”

cd /opt/novell/apache2/cacerts

printf “removing all old hash files \n”

*rm .0 -v

printf “creating new hash files \n”

*for i in $(ls .pem);

** ** printf “$i \n”

** ** h=`/opt/novell/openssl/bin/openssl x509 -hash -noout -in $i`

** ** if [ “$i” != “$w” ]; then

** ** ln -svf $i $h.0;

** ** #echo “$h.0 => $i

** ** fi

done

================================================================

flag the script executable: chmod 755 c_reshash

execute the script

restart the Access Gateway

The above changes in commands will help you fix the issue, However, you should be sure that any aspect is not given a wrong value which will, in turn, throw the same error.

In the previous article, we have seen how small changes in the commands have fixed the issues with SSL handshake to a remote or a local server, But it is quite surprising that a change in date or time will also affect the functionality or the connections causing SSL errors. The best way to check it is by following the below steps.

Go your Windows Start screen, and then choose the current date and time.

Choose “Settings > Change the time and date > Change the Internet Time > Save Settings.

Move the date 2-3 years ahead of the present time by clicking on the right arrow under the “Date” heading. Click “OK” to save the changes. You must select a date much ahead of the actual time to cause a date discrepancy between the computer and the SSL certificate used on the Web server. The large difference in date and time will cause the SSL handshake to fail.

Restart your computer.

Once you have made the changes as suggested above, Follow the steps:

Open a Web browser and visit a website that you know is secure or has https on all its internal links as well, for example, your bank or an online store.

Try to log in to your bank account or add items to your shopping cart in order to initiate an SSL session which can be done as payment gateways on every bank or online stores are secured with https.

Within few seconds an error message will appear on your browser, warning you that the server’s SSL certificate is not yet valid or expired, and due to which the SSL handshake has failed.

This is a rare issue but very important while your target is an SSL handshake with web server be it remote or local server. Normally when the error is triggered you get an Error 525: SSL handshake failed, Error 525 indicates that the SSL handshake between Cloudflare and the origin server failed. This normally occurs when the domain is using a Cloudflare Full SSL mode.

The most common issues that cause Error 525 are:

The origin server does not have a valid SSL certificate.

The server is not working on port 443 or possibly configured on custom ports.

The web server does not support SNI or Server name indication.

The cipher that Cloudflare uses and the cipher suites that the origin server uses are different.

Although there are no definite steps to resolve the issue, Here we have few steps that can be used to troubleshoot the cause:

Apache must be configured to work as per log mod_ssl errors.

Increasing the log level and adding these error logs in Nginx.

Conclusion

Discussed above are some cases where small changes have led to failed handshake attempts, It is always recommended to contact or take advice from a server administrator while you imply any changes on the server, With Date and time causing an error to an invalid SSL certificates, the possibilities are numerous, It is how you go about it or take measures to avoid these issue which matters. Ever faced any issue with SSL handshakes other than the ones listed above, Let us know in comments below.