Results 1 to 4 of 4
  1. #1

    OpenSSL handshake error

    Hello all,

    I developed a web site in CGI/Perl on a SuSE Linux box on our internal network. It's purpose is to gather/edit information for an employee's possession company assets (laptops, cell phones, etc).

    Background: I used OpenSSL/Apache to use SSL server/client certificates to automatically determine who is viewing the site. Every employee is required to run the Secude PSE tool on their workstation; we call it SSO: Single sign-on because it's used for other applications, too. When logged into the PSE tool, it automatically puts a client certificate into the browser. My server has a matching server certificate from the same CA. When the certs match, I can get the employee's ID out of the client cert key. I have a database that converts employee ID to real name, email address, etc.

    The problem I'm having is that only some people experience a "Page cannot be displayed" error, which is traced back to my error_log with many entries like:

    [Tue Apr 20 13:25:19 2004] [error] mod_ssl: SSL handshake failed (server csphl009.phl.sap.corp:443, client 147.204.44.125) (OpenSSL library error follows)
    [Tue Apr 20 13:25:19 2004] [error] OpenSSL: error:140890C7:lib(20):func(137):reason(199)

    My guess is that the client cert somehow doesn't match the server cert, but how can I tell this for sure? This error message doesn't tell me much.

    Any ideas would be appreciated. Thanks.

  2. #2
    Join Date
    Jan 2003
    Posts
    79
    I believe that error is due to no client cert on those users' machines. You may want to double-check.

    Hopefully, someone else can give you a more definitive answer.

  3. #3
    Actually, you're right on the money. I just figured out that this PSE Management tool has an option to put client certs in the Microsoft cert store. A lot of people were forced upon login to change their PSE password and for some reason this option gets disabled, thereby having no certs for SSL.

    Thanks for the hint.

  4. #4
    Join Date
    Jan 2003
    Posts
    79
    Glad to help.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •