
We have an nginx setup with client certificate authentication running in Docker; we are only using these SSL settings:

ssl_protocols  TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;

When we run the curl command, we get the following output:

$ curl -v --cacert ./cacert.pem https://staging-a.b.com/path
*   Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to staging-a.b.com (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ./cacert.pem
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.b.com
*  start date: Mar 23 07:17:12 2022 GMT
*  expire date: Mar 28 23:10:15 2023 GMT
*  subjectAltName: host "staging-a.b.com" matched cert's "*.b.com"
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify ok.
> GET /path HTTP/1.1
> Host: staging-a.b.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.2 (IN), TLS handshake, Hello request (0):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* OpenSSL SSL_read: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0
* stopped the pause stream!
* Closing connection 0
curl: (56) OpenSSL SSL_read: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0

We are already running nginx in debug mode; however, the curl command does not trigger any logs. What could be wrong? Can someone please help? TIA!

Update: Per the suggestion by @yield (in the comment below), I ran the command inside the container and it worked. I did it by updating the /etc/hosts file inside the container, adding 127.0.0.1 staging-a.b.com, and then running the command. Here is the output:

root@a4cb891fed8a:/# curl -k -v --cacert ./cacert.pem https://staging-a.b.com:2443/obinet/services/itsp/signup/sslc/reqcode?sid=1234billNEWCERT
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to staging-a.b.com (127.0.0.1) port 2443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ./cacert.pem
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.b.com
*  start date: Mar 23 07:17:12 2022 GMT
*  expire date: Mar 28 23:10:15 2023 GMT
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /obinet/services/itsp/signup/sslc/reqcode?sid=1234billNEWCERT HTTP/1.1
> Host: staging-a.b.com:2443
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.13.6
< Date: Wed, 10 Aug 2022 14:48:44 GMT
< Content-Type: application/octet-stream
< Content-Length: 0
< Connection: keep-alive
< Content-Type: text/plain
< X-DEBUG-SSLCLIENTVERIFY: NONE
< X-DEBUG-docroot: /usr/local/openresty/nginx/html
<
* Connection #0 to host staging-a.b.com left intact
skwokie
  • Can you run the same command within the container and give us the output – yield Aug 10 '22 at 13:08
  • Thanks for your suggestion, yield. Please see the update above. – skwokie Aug 10 '22 at 14:53
  • I don't have the answer, but it is not reproducible anymore after rebuilding the container with different versions (nginx version 1.13.11 and openssl version 1.1.1). – skwokie Aug 11 '22 at 04:26

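An added diagnostic, not code from the question or the answer, that reads the two traces above side by side. In the first trace the server asks for a client certificate only in a renegotiation after the GET (the Hello request (0) that follows the request lines); curl, invoked without --cert/--key, answers Request CERT (13) with a Certificate (11) message but no CERT verify (15), which is what an empty client certificate looks like in a curl trace, and the server then sends a fatal alert that OpenSSL reports as handshake failure. In the second trace the certificate request comes in the initial handshake, the handshake completes, and the server's own X-DEBUG-SSLCLIENTVERIFY header reports NONE. The script below parses a `curl -v` trace into those facts and prints the next thing to check. The sample traces are trimmed copies of the ones posted above; the debug header name is taken from that output and is specific to this deployment, and the nginx directives named in the verdicts are standard ones, not settings known to be in this config.

```python
"""Locate where a client-certificate handshake broke, from a `curl -v` trace (added diagnostic)."""
import re
from dataclasses import dataclass
from typing import Optional

# Matches "* TLSv1.2 (IN), TLS handshake, Request CERT (13):" (and the "(304)" version field).
RECORD_RE = re.compile(r"^\* \S+ \((?P<dir>IN|OUT)\), TLS (?P<kind>handshake|alert|change cipher), .+? \((?P<num>\d+)\):")
ALERT_RE = re.compile(r"alert ([a-z ]+?), errno")        # OpenSSL error line printed after the alert record
STATUS_RE = re.compile(r"^< HTTP/\d(?:\.\d)? (\d{3})")


@dataclass
class TraceReport:
    cert_requested_in: Optional[str] = None  # "initial", "renegotiation" or None
    client_sent_certificate: bool = False    # curl sent Certificate (11), possibly empty
    client_sent_cert_verify: bool = False    # CERT verify (15) only follows a real certificate
    alert: Optional[str] = None              # alert description, e.g. "handshake failure"
    http_status: Optional[int] = None
    client_verify: Optional[str] = None      # value of the server's debug header, if present


def analyze(trace: str, verify_header: str = "X-DEBUG-SSLCLIENTVERIFY") -> TraceReport:
    """Walk the trace once; handshake records seen after the HTTP request are a renegotiation."""
    r = TraceReport()
    phase, request_sent = "initial", False
    for line in trace.splitlines():
        if line.startswith("> "):                   # curl has written the request
            request_sent = True
        elif (m := RECORD_RE.match(line)):
            kind, direction, num = m["kind"], m["dir"], int(m["num"])
            if kind == "handshake" and request_sent:
                phase = "renegotiation"
            if kind == "alert":
                r.alert = r.alert or "unknown"      # refined by the OpenSSL error line below
            elif kind == "handshake" and direction == "IN" and num == 13:
                r.cert_requested_in = phase
            elif kind == "handshake" and direction == "OUT" and num == 11:
                r.client_sent_certificate = True
            elif kind == "handshake" and direction == "OUT" and num == 15:
                r.client_sent_cert_verify = True
        elif line.startswith("* ") and (a := ALERT_RE.search(line)):
            r.alert = a.group(1)
        elif (s := STATUS_RE.match(line)):
            r.http_status = int(s.group(1))
        elif line.lower().startswith(f"< {verify_header.lower()}:"):
            r.client_verify = line.split(":", 1)[1].strip()
    return r


def diagnose(r: TraceReport) -> str:
    """Map the report to the next thing to check on the nginx side."""
    where = r.cert_requested_in
    if where is None:
        return (f"aborted with '{r.alert}' before any certificate request: check ssl_protocols/ssl_ciphers, not client auth"
                if r.alert else "the server never requested a client certificate")
    if r.alert is None:
        return (f"completed; certificate requested in the {where} handshake, HTTP {r.http_status}, "
                f"server-side client verification: {r.client_verify or 'not reported'}")
    if r.client_sent_certificate and not r.client_sent_cert_verify:
        return (f"certificate requested in the {where} handshake; curl sent an empty Certificate "
                f"(no --cert/--key, hence no CERT verify) and the server aborted with '{r.alert}': "
                "retry with --cert/--key, or set ssl_verify_client optional and log $ssl_client_verify")
    if r.client_sent_cert_verify:
        return (f"a certificate was presented in the {where} handshake but rejected with '{r.alert}': "
                "check ssl_client_certificate, ssl_verify_depth and the chain passed with --cert")
    return f"aborted with '{r.alert}' after the certificate request, before curl answered it"


# Trimmed copies of the two traces in the question: the run against :443 and the run inside the container.
TRACE_HOST = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (IN), TLS handshake, Finished (20):
> GET /path HTTP/1.1
* TLSv1.2 (IN), TLS handshake, Hello request (0):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* OpenSSL SSL_read: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0
"""
TRACE_CONTAINER = """\
* (304) (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
> GET /obinet/services/itsp/signup/sslc/reqcode?sid=1234billNEWCERT HTTP/1.1
< HTTP/1.1 200 OK
< X-DEBUG-SSLCLIENTVERIFY: NONE
"""

if __name__ == "__main__":
    for name, trace in (("host :443", TRACE_HOST), ("container :2443", TRACE_CONTAINER)):
        print(f"{name}: {diagnose(analyze(trace))}")
```

Feed analyze() a saved `curl -v` trace (stderr) to get the same verdict for another run; the two embedded samples are enough to see both outcomes, the renegotiation that ends in an alert and the initial-handshake request that completes with verification NONE.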
1 Answer


I would:

1. Name your container.
2. Add more verbosity to OpenSSL with more -v.
3. On which Linux distro is your container based? (This can change the next steps, as OpenSSL does not behave the same depending on the distro.)

yield