A lot has changed in networking and in the software that runs on it, and TLS (still widely called SSL) now sits in the path of almost every web request. In this article we discuss the errors you run into when an SSL handshake with a remote or local server fails, the reasons behind them, and how they are handled in real-life scenarios. Before getting to the causes and the fixes, let us go over the basics of the process.
Apache Server
Apache HTTP Server is free and open-source server software released under the Apache License 2.0 and developed and maintained by the Apache Software Foundation. Most Apache installations run on Linux, but it has also been ported to Windows, OS/2 and the various Unix systems.
How is an SSL handshake carried out, and what types are there?
An SSL handshake starts when the browser on your device sends a secure-connection request (the ClientHello) to a web server. The server answers with its certificate, which carries its public key, and your computer checks that certificate: it must chain to a root in the known list of trusted certificate authorities, match the host name you asked for, and be inside its validity period. Once the certificate is accepted the two sides establish the session keys. In the older RSA key-exchange cipher suites the client generates a secret, encrypts it with the server's public key and sends it across; modern suites (and all of TLS 1.3) instead run an ephemeral Diffie-Hellman exchange that the server signs with its key, so the session key never crosses the wire, not even in encrypted form.
SSL handshakes come in two basic types:
- Basic SSL handshake
- Client Authenticated SSL handshake
In the basic handshake only the client verifies the server, and most sessions secured by TLS need nothing more. In the client-authenticated handshake (mutual TLS) the server additionally asks the client for a certificate, and the client proves possession of the matching private key, so both parties are authenticated. Whether this happens is decided by the server's configuration (in Apache, the SSLVerifyClient directive), not by the cipher suite. The extra messages add to the handshake, and the added security is real only if each side actually validates what it receives: a client certificate accepted without checking its chain, or a server certificate whose name and expiry are not checked, adds nothing.
An SSL handshake has several stages, each governed by its own rules. Rather than negotiating separately which key exchange to use, how to encrypt the traffic and how to authenticate the handshake, the client and server agree on a cipher suite: a pre-defined bundle of exactly those components. The client lists every suite it supports in its ClientHello, the server picks one that it also supports (in Apache, in the server's order of preference when SSLHonorCipherOrder is on), and the handshake continues with that suite. The TLS specifications define a large number of cipher suites, so the two sides can almost always find one in common; when they cannot, the handshake fails at once with an error such as OpenSSL's "no shared cipher", a common outcome when one side is upgraded and drops the old suites the other side still depends on.
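To make the cipher-suite agreement concrete, here is an added Python example (not code from the original article) that builds a minimal ClientHello, parses the list of suites it offers and runs the server's choice over it. The suite IDs are the IANA registry values; the server preference list and the two client offers are assumptions for the demonstration. The legacy client, which offers only RSA key-transport suites, gets no match, which is the "no shared cipher" failure mode.

```python
import struct

# Cipher-suite IDs from the IANA TLS registry (a small subset chosen for the demo).
SUITE_NAMES = {
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Assumed server preference, highest priority first (what a server with
# "SSLHonorCipherOrder on" would enforce).
SERVER_PREFERENCE = [0x1302, 0x1301, 0xC030, 0xC02F]


def build_client_hello(cipher_ids):
    """Build a TLS record (ContentType handshake) carrying a minimal ClientHello
    that offers cipher_ids. Random is zeroed and no extensions are sent: this is
    constructed test input, not a hello a real client would send."""
    body = b"\x03\x03"                      # legacy_version = TLS 1.2
    body += bytes(32)                       # random
    body += b"\x00"                         # session_id: length 0
    suites = b"".join(struct.pack("!H", c) for c in cipher_ids)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                     # compression_methods: [null]
    body += b"\x00\x00"                     # extensions: length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cipher-suite IDs offered in a ClientHello record.
    Every length field is checked against the bytes actually present, so a
    truncated or malformed record raises ValueError instead of being misread."""
    def take(buf, pos, n):
        if pos + n > len(buf):
            raise ValueError("truncated at offset %d" % pos)
        return buf[pos:pos + n], pos + n

    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake, _ = take(record, 5, rec_len)
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body, _ = take(handshake, 4, hs_len)

    pos = 2 + 32                            # skip legacy_version and random
    sid_len, pos = take(body, pos, 1)
    _, pos = take(body, pos, sid_len[0])    # skip session_id
    cs_len_b, pos = take(body, pos, 2)
    cs_len = struct.unpack("!H", cs_len_b)[0]
    if cs_len == 0 or cs_len % 2:
        raise ValueError("bad cipher_suites length %d" % cs_len)
    suites_b, pos = take(body, pos, cs_len)
    return [struct.unpack("!H", suites_b[i:i + 2])[0] for i in range(0, cs_len, 2)]


def negotiate(record, server_preference=SERVER_PREFERENCE):
    """Server-side choice: the first suite in the server's order that the client
    also offered. None means the two sides share no suite, which is exactly the
    'no shared cipher' handshake failure."""
    offered = set(parse_client_hello(record))
    for suite in server_preference:
        if suite in offered:
            return suite
    return None


if __name__ == "__main__":
    modern = build_client_hello([0x002F, 0xC02F, 0x1301])
    legacy = build_client_hello([0x000A, 0x002F])   # only RSA key-transport suites
    for label, hello in (("modern client", modern), ("legacy client", legacy)):
        chosen = negotiate(hello)
        print(label, "->", SUITE_NAMES[chosen] if chosen else "handshake failure: no shared cipher")
```

The server picks TLS_AES_128_GCM_SHA256 for the modern client even though the client listed it last, because the server's order wins; the legacy client is refused outright.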
Let us look at some scenarios where the error occurs and how it was resolved.
Upgrading a server without understanding what changes is risky and can cause a lot of confusion. Many Linux admins running Apache 2.2 hit the same "Error during SSL Handshake with remote server" after upgrading to a newer Apache version. It may sound odd that a simple server upgrade causes this, but Apache 2.4.5 and later check by default that the backend certificate's host name matches the ProxyPass target, which older setups never did.
Replicating the error:
Consider Apache listening on port 443 and a web app on Tomcat listening on port 8443, both on Ubuntu.
Apache is set up as a reverse proxy so that the web app on Tomcat can be reached on port 443 instead of 8443. TLS is enabled on both hops, browser to Apache and Apache to Tomcat, so both Apache and Tomcat have a certificate. The web app works fine when accessed directly on Tomcat, but accessing it through the Apache reverse proxy gives the following error:
=======================================================================
Proxy Error The proxy server could not handle the request GET /web_app.
Reason: Error during SSL Handshake with remote server
=====================================================================
This usually happens when mod_ssl is not enabled on the proxy side (SSLProxyEngine is off) or when Apache rejects Tomcat's certificate: typically because it is self-signed or issued by a CA Apache does not trust, its name does not match the host in the ProxyPass URL (localhost, say), or it has expired.
Depending on which check is failing, the quick fix commonly suggested for this setup is to enable the proxy SSL engine and switch the checks off. Note that the last four directives make Apache accept any certificate from the backend, so anyone who can reach the Apache-to-Tomcat link can impersonate Tomcat; use them only to confirm that certificate verification is the problem. The proper fix keeps verification on (SSLProxyVerify require), points SSLProxyCACertificateFile at the CA that issued Tomcat's certificate, and gives Tomcat a certificate whose name matches the ProxyPass target.
=======================================================================
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
=======================================================================
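The block above gets the proxy working by turning verification off. As an added example, not part of the original article, the following Python script embeds that weak vhost next to a hardened one (the host names, certificate paths and the internal CA file are assumptions) and audits a mod_ssl configuration for directives that make Apache accept any backend certificate. It is the kind of check worth running in CI before a config change reaches production.

```python
# Directives that switch off checks on the backend's (Tomcat's) certificate,
# keyed by lower-cased directive name, with the value that disables each.
DISABLING_VALUES = {
    "sslproxyverify": "none",
    "sslproxycheckpeercn": "off",
    "sslproxycheckpeername": "off",
    "sslproxycheckpeerexpire": "off",
}

# Constructed vhost matching the quick fix: every backend check disabled.
WEAK_CONFIG = """\
<VirtualHost *:443>
    ServerName web.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/web.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/web.example.com.key
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPass        /web_app https://localhost:8443/web_app
    ProxyPassReverse /web_app https://localhost:8443/web_app
</VirtualHost>
"""

# Hardened form (assumed paths and host names): Apache verifies Tomcat's
# certificate against the internal CA that issued it, and the host name in the
# ProxyPass URL must appear in that certificate.
HARDENED_CONFIG = """\
<VirtualHost *:443>
    ServerName web.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/web.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/web.example.com.key
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    ProxyPass        /web_app https://tomcat.internal:8443/web_app
    ProxyPassReverse /web_app https://tomcat.internal:8443/web_app
</VirtualHost>
"""


def parse_directives(config_text):
    """Yield (line_no, directive, argument_string) for each directive line.
    Apache only treats whole lines starting with '#' as comments; section
    tags such as <VirtualHost> carry no directive of interest here."""
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield n, parts[0], parts[1] if len(parts) > 1 else ""


def audit_proxy_ssl(config_text):
    """Return (line_no, message) findings for settings that let Apache accept any
    backend certificate, plus two misconfigurations that break verification."""
    findings = []
    seen = {}
    for n, directive, arg in parse_directives(config_text):
        key = directive.lower()
        seen[key] = arg.strip()
        disabling = DISABLING_VALUES.get(key)
        if disabling and arg.strip().lower() == disabling:
            findings.append((n, "%s %s disables backend certificate checking" % (directive, arg.strip())))
    if seen.get("sslproxyverify", "").lower() == "require" and not (
        "sslproxycacertificatefile" in seen or "sslproxycacertificatepath" in seen
    ):
        findings.append((0, "SSLProxyVerify require without SSLProxyCACertificateFile/Path: "
                            "Apache has no CA to verify the backend against"))
    if seen.get("sslproxyengine", "").lower() != "on":
        findings.append((0, "SSLProxyEngine on is missing: Apache will not speak TLS to https:// backends"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_proxy_ssl(cfg) or "no findings")
```

With SSLProxyCheckPeerName on, the name Apache checks is the host in the ProxyPass URL, so the hardened form proxies to tomcat.internal rather than localhost and Tomcat's certificate must list that name.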
When NetIQ Access Manager (NAM) is upgraded to version 4.3 without anything else being changed, there is a compatibility problem with the helper files the server setup depends on. The error below appears after an upgrade where those helper files were not tested:
The server encountered an internal error.
The proxy server could not handle the request
Reason: Error during SSL Handshake with remote server.
The device manager (JCC) log files under /opt/novell/devman/jcc/logs/ show the following errors:
==================================================================
/opt/novell/devman/jcc/logs/jcc-0.log.0:INFO: Executing /opt/novell/ssllib/bin/c_rehash /opt/novell/apache2/cacerts
/opt/novell/devman/jcc/logs/jcc-0.log.0:Cannot run program "/opt/novell/ssllib/bin/c_rehash" (in directory "/"): error=2, No such file or directory
/opt/novell/devman/jcc/logs/jcc-0.log.0:java.io.IOException: Cannot run program "/opt/novell/ssllib/bin/c_rehash" (in directory "/"): error=2, No such file or directory
/opt/novell/devman/jcc/logs/jcc-0.log.0:java.io.IOException: Cannot run program "/opt/novell/ssllib/bin/c_rehash" (in directory "/"): error=2, No such file or directory
/opt/novell/devman/jcc/logs/jcc-0.log.0:java.io.IOException: Cannot run program "/opt/novell/ssllib/bin/c_rehash" (in directory "/"): error=2, No such file or directory
==================================================================
The log says what is wrong: the upgrade tries to run /opt/novell/ssllib/bin/c_rehash, which does not exist, so the hash symlinks in /opt/novell/apache2/cacerts that OpenSSL uses to find trusted CA certificates are never rebuilt and Apache cannot verify the remote server. The issue is resolved by supplying a script that does the job the missing c_rehash would have done, such as the following:
=================================================================
#!/bin/sh
# Rebuild the OpenSSL hash links (<subject-hash>.0 -> cert.pem) in the
# Access Manager CA directory, standing in for the missing c_rehash.
#
# based on /etc/pki/tls/misc/c_hash, part of openssl-1.0.0
#
export OPENSSL_CONF=/opt/novell/openssl/ssl/openssl.cnf
export LD_LIBRARY_PATH=/opt/novell/openssl/lib
# bundle file that must not get a hash link of its own
w="WellKnownThirdPartyTrustedRoots_auto.pem"
die () {
    echo >&2 "$@"
    exit 1
}
#[ "$#" -eq 1 ] || die "One directory argument required, $# provided"
#[ -d "$1" ] || die "Directory $1 does not exist"
cd /opt/novell/apache2/cacerts || die "cannot cd to /opt/novell/apache2/cacerts"
printf "removing all old hash files\n"
rm -fv *.0
printf "creating new hash files\n"
for i in *.pem
do
    printf "%s\n" "$i"
    if [ "$i" != "$w" ]; then
        h=$(/opt/novell/openssl/bin/openssl x509 -hash -noout -in "$i") || die "cannot hash $i"
        # two certificates with the same subject hash both map to $h.0 and
        # the later one wins, exactly as in the original c_hash
        ln -svf "$i" "$h.0"
        #echo "$h.0 => $i"
    fi
done
================================================================
With that script in place the hash links are regenerated and the proxy handshake succeeds again. Be careful with the values, though: a wrong OpenSSL binary, config file or certificate directory will throw the same error, because OpenSSL only finds a CA certificate in the directory through a correctly named hash link.
So far we have seen small changes in commands and configuration fix SSL handshake failures to a remote or local server. It is surprising, though, that a wrong date or time also breaks the connection with SSL errors: every certificate carries a validity window, and a peer whose clock sits outside that window treats the certificate as not yet valid or already expired, even though the certificate itself is fine. The best way to check for this is to follow the steps below.
Once you have made the changes suggested above, follow the steps:
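As an added example that is not part of the original article, the Python below performs the two checks a verifying peer makes on a certificate: the validity window against the local clock and the host name against the subject alternative names. It uses a constructed certificate in the dict form that Python's ssl.SSLSocket.getpeercert() returns; the dates, names and the five-minute skew allowance are assumptions. Running it with a clock set to 2015 reproduces the "not yet valid" failure that a wrong system date causes.

```python
import calendar
import ssl

# Constructed certificate in the dict form returned by ssl.SSLSocket.getpeercert();
# every value is invented for the example.
ORIGIN_CERT = {
    "subject": ((("commonName", "origin.example.com"),),),
    "subjectAltName": (("DNS", "origin.example.com"), ("DNS", "*.origin.example.com")),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2025 GMT",
}

CLOCK_SKEW = 5 * 60   # assumed tolerance for clock drift between the peers


def utc(year, month, day):
    """Seconds since the epoch for midnight UTC on the given date."""
    return calendar.timegm((year, month, day, 0, 0, 0))


def validity_status(cert, now):
    """'ok', 'not_yet_valid' or 'expired' for the certificate at time 'now'."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now + CLOCK_SKEW < not_before:
        return "not_yet_valid"
    if now - CLOCK_SKEW > not_after:
        return "expired"
    return "ok"


def _name_matches(pattern, hostname):
    """RFC 6125 style match: exact, or a lone '*' as the whole leftmost label."""
    p = pattern.lower().split(".")
    h = hostname.lower().split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def hostname_matches(cert, hostname):
    """Check hostname against the DNS SANs; fall back to the CN only when the
    certificate has no SAN at all (a legacy behaviour browsers no longer follow)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, hostname) for n in names)


def diagnose(cert, hostname, now):
    """List the reasons a verifying peer (a browser, Apache with SSLProxyVerify
    require, or Cloudflare in Full (strict) mode) would reject this certificate."""
    problems = []
    status = validity_status(cert, now)
    if status != "ok":
        problems.append(status)
    if not hostname_matches(cert, hostname):
        problems.append("name_mismatch")
    return problems


if __name__ == "__main__":
    cases = (
        (utc(2024, 6, 1), "correct clock"),
        (utc(2015, 6, 1), "clock stuck in 2015"),
        (utc(2026, 6, 1), "after expiry"),
    )
    for when, label in cases:
        print(label, "->", diagnose(ORIGIN_CERT, "origin.example.com", when) or "accepted")
    print("wrong name ->", diagnose(ORIGIN_CERT, "api.example.com", utc(2024, 6, 1)))
```

On a live system the same dict comes from a socket wrapped with ssl.create_default_context(), and the first thing to compare when the result is "not_yet_valid" or "expired" is the output of date -u on the two machines.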
This is a rare issue but an important one when your target is an SSL handshake with a web server, remote or local. When a site behind Cloudflare triggers it you get Error 525: SSL handshake failed. Error 525 means the SSL handshake between Cloudflare and the origin server failed; it only occurs when the domain uses Cloudflare's Full or Full (strict) SSL mode, since in Flexible mode Cloudflare talks plain HTTP to the origin and no handshake with it takes place.
The most common issues that cause Error 525 are:
Although there are no definite steps that resolve the issue, here are a few steps that can be used to troubleshoot the cause:
Conclusion
Discussed above are some cases where small changes led to failed handshake attempts. It is always advisable to consult the server administrator before applying any change on a server. With something as small as the date and time making a valid certificate look invalid, the possibilities are numerous; what matters is how you go about diagnosing them and the measures you take to avoid them. Ever faced an issue with SSL handshakes other than the ones listed above? Let us know in the comments below.
About the author
Rachael Chapman
A Complete Gamer and a Tech Geek. Brings out all her thoughts and Love in Writing Techie Blogs.