Issue validating self signed certificate: handshake_failure received

0
votes

I am using quickfix to validate server's certificate and get fatal handshake_failure.

This is how it looks to me:

  • Initial handshake is initiated

  • The client connects.

  • The server accepts.

  • A TLS handshake occurs during which:

    o Cipher suites are successfully negotiated.

    o The client verifies the server certificate

    o The server arbitrarily closes the socket.( SEND TLSv1 ALERT: warning, description = close_notify <-- This however looks like a clean closure.)

    o The client is left hanging

Can someone take a look at it. Please.

Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
Ignoring disabled protocol: SSLv3 
%% No cached client session 
..
..
*** ClientHello, TLSv1 
RandomCookie:  GMT: 1468991703 bytes = { 167, 140, 147, 81, 176, 169, 230, 45, 229, 147, 246, 106, 201, 127, 79, 194, 88, 63, 1, 91, 34, 184, 35, 49, 119, 31, 227, 157 } 
..
..
ISocketConnector-0, WRITE: TLSv1 Handshake, length = 149 
MINA session created for FIX.4.4:ZZZZZ->YYYY: local=/X.X.X.X:XXXXXX, class org.apache.mina.transport.socket.nio.SocketSessionImpl, remote=/XXX.XXX.XXX.XX:YYYYY [quickfix.mina.initiator.InitiatorIoHandler:50]
SocketConnectorIoProcessor-0.0, READ: TLSv1 Handshake, length = 81 
*** ServerHello, TLSv1 
..
..
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA 
Compression Method: 0 
Extension renegotiation_info, renegotiated_connection: <empty> 
%% Initialized:  [Session-1885, TLS_RSA_WITH_AES_128_CBC_SHA] 
** TLS_RSA_WITH_AES_128_CBC_SHA 
SocketConnectorIoProcessor-0.0, READ: TLSv1 Handshake, length = 3224 
*** Certificate chain 
chain [0] = [ 
Version: V3 
..
..
..
..

READ: TLSv1 Handshake, length = 14 
*** CertificateRequest 
Cert Types: RSA, DSS, ECDSA 
Cert Authorities: 
<Empty> 
*** ServerHelloDone 
*** Certificate chain 
*** 
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1 
WRITE: TLSv1 Handshake, length = 141 
SESSION KEYGEN: 
 PreMaster Secret: 
..
..
CONNECTION KEYGEN: 
Client Nonce: 
..
..
Server Nonce: 
..
..
Master Secret: 
..
..
Client MAC write Secret: 
..
..                                  
Server MAC write Secret: 
..
..
Client write key: 
...
Server write key: 
..
Client write IV: 
..
Server write IV: 
..
..
WRITE: TLSv1 Change Cipher Spec, length = 1 
*** Finished 
verify_data:  { 85, 227, 34, 74, 171, 223, 226, 95, 232, 234, 118, 50 } 

WRITE: TLSv1 Handshake, length = 48 
READ: TLSv1 Alert, length = 2 
RECV TLSv1 ALERT:  fatal, handshake_failure 
fatal: engine already closedRethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure 
called closeOutbound() 
closeOutboundInternal() 
SEND TLSv1 ALERT:  warning, description = close_notify 
WRITE: TLSv1 Alert, length = 32 
called closeInbound() 
fatal: engine already closedRethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? 
called closeOutbound() 
closeOutboundInternal()
1
sslquickfixj
server sees: SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificatefiddle

1 Answers

0
votes
*** CertificateRequest

The server wants a client certificate but the client does not send any. Therefore the server closes the connection with a a handshake_failure alert.