How to Debug a Mutual-Authentication SSL Handshake?


Hi Guys,

I am new to SSL. I have got a load balancer that is configured for mutual-authentication SSL. As far as I am aware, the load balancer has been configured with an Entrust certificate and has been installed with our own CA as a Trusted Root.

Client-side, I have got our CA installed as a trusted root and a signed certificate from the CA as a personal cert.

When I connect using Internet Explorer, I get prompted to choose a certificate and the client certificate is there, but once I select it the page fails.

Connecting with my Java app, with Entrust in my truststore and the client .p12 in my keystore, I get an SSL handshake failure.

Using OpenSSL I get the following:

openssl s_client -connect -state -nbio
Loading 'screen' into random state - done
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/O=Entrust, Inc./ is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
read R BLOCK
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
1688:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1053:SSL alert number 40
1688:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:838:

Can anyone help with where the problem lies? Is it on the client or server and with which certificate?

Thanks & Regards
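
One way to read a `-state` trace like the one above, as an added example that is not part of the original post: the function `diagnose` (a hypothetical name) reports whether the server requested a client certificate, whether the client proved possession of a key, and where the alert arrived. It assumes OpenSSL's state names, in particular that "write certificate verify" is logged only when the client signs the handshake with its private key.

```python
import re

# Constructed input: the handshake lines from the trace in the post above.
TRACE = """\
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
verify error:num=20:unable to get local issuer certificate
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
"""

def diagnose(trace):
    """Summarise an `openssl s_client -state` trace for a mutual-TLS failure."""
    states = re.findall(r"^SSL_connect:SSLv\S+ (.+) [A-Z]$", trace, re.M)
    failed = re.search(r"^SSL_connect:failed in SSLv\S+ (.+) [A-Z]$", trace, re.M)
    alert = re.search(r"^SSL3 alert read:(\w+):(.+)$", trace, re.M)
    verify = re.findall(r"^verify error:num=(\d+):(.+)$", trace, re.M)

    requested = "read server certificate request" in states
    # Assumption: OpenSSL logs "write certificate verify" only when the client
    # signs the handshake with a private key, i.e. it really sent a certificate.
    proved_key = "write certificate verify" in states

    findings = []
    for num, text in verify:
        findings.append(f"client cannot validate server chain (verify error {num}: {text})")
    if requested and not proved_key:
        findings.append("server requested a client certificate; client sent none with a usable key")
    elif requested and alert:
        findings.append("client certificate was sent and signed; server rejected it")
    if alert and failed:
        findings.append(f"server {alert.group(1)} alert '{alert.group(2)}' while client waited in '{failed.group(1)}'")
    return {
        "client_cert_requested": requested,
        "client_proved_key": proved_key,
        "failed_state": failed.group(1) if failed else None,
        "findings": findings,
    }

if __name__ == "__main__":
    for line in diagnose(TRACE)["findings"]:
        print("-", line)
```

The verify error concerns the client's view of the server chain and is reported separately because `s_client` continues the handshake after it.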

