Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-25 Thread Blumenthal, Uri - 0553 - MITLL
> Thank you! So it is the *client* that breaks the connection,
> and it is unhappy either about MiTM, or the encoding. I will
> check for both (though not much I can do about either).

Presumably you've added that cert to some trust store on the system in question.

Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-25 Thread Viktor Dukhovni
> On Apr 25, 2017, at 4:41 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>
> > Client objects to the server chain. Either does not trust the MiTM root CA, or
> > is unhappy about its encoding (assuming tshark is not generating an FP warning).
>
> Thank you! So it is

Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-25 Thread Blumenthal, Uri - 0553 - MITLL
> extensions: 4 items
> Extension (ns_cert_exts.comment)
> Extension Id: 2.16.840.1.113730.1.13 (ns_cert_exts.comment)
> BER Error: String with tag=22 expected but

Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-25 Thread Viktor Dukhovni
> On Apr 25, 2017, at 3:17 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> Secure Sockets Layer
> SSL Record Layer: Handshake Protocol: Client Hello
> Content Type: Handshake (22)
> Version: TLS 1.2 (0x0303)
> Length: 228
> Handshake Protocol:

Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-25 Thread Blumenthal, Uri - 0553 - MITLL
On 4/24/17, 7:26 PM, "openssl-users on behalf of Viktor Dukhovni" wrote: I get slightly annoyed when I take the time to help, but my response is skimmed over and not read carefully. Upthread I said:

Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-24 Thread Viktor Dukhovni
> On Apr 24, 2017, at 7:11 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>
> > Please report tshark output, not an approximate rendition. In what direction
> > is the alert sent?
>
> I’m using WireShark. The IP addresses on the Alert packet show local host as the

Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-24 Thread Blumenthal, Uri - 0553 - MITLL
> I went through the capture between the app (local end) and the proxy. It appears that the sequence is:
>
> ClientHello -> (from app to proxy, with a ton of cipher suites, including 0xc02f)
> <- ServerHello (with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 – present in

Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-24 Thread Viktor Dukhovni
> On Apr 24, 2017, at 6:11 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>
> I went through the capture between the app (local end) and the proxy. It
> appears that the sequence is:
>
> ClientHello -> (from app to proxy, with a ton of cipher suites, including
> 0xc02f)
>

Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-24 Thread Blumenthal, Uri - 0553 - MITLL
> Handshake failed
>
> The SSL handshake could not be performed.
>
> Host: Reason: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:state 23:Application response 500 handshakefailed
>
> generated 2017-04-24 15:28:13 by

Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-24 Thread Matt Caswell
On 24/04/17 22:18, Blumenthal, Uri - 0553 - MITLL wrote:
> I use a 3rd-party application that is trying to update itself (so
> it’s trying to “call home”). Naturally, I’m behind a corporate
> firewall and Web proxy. The app has been configured to use that
> proxy. It fails to connect. Packet

Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-24 Thread Blumenthal, Uri - 0553 - MITLL
> I use a 3rd-party application that is trying to update itself (so it’s trying to “call home”).
> Naturally, I’m behind a corporate firewall and Web proxy. The app has been configured to use
> that proxy. It fails to connect. Packet capture reveals the following:

You're

Re: [openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-24 Thread Viktor Dukhovni
> On Apr 24, 2017, at 5:18 PM, Blumenthal, Uri - 0553 - MITLL wrote:
>
> I use a 3rd-party application that is trying to update itself (so it’s trying
> to “call home”). Naturally, I’m behind a corporate firewall and Web proxy.
> The app has been configured to use that

[openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

2017-04-24 Thread Blumenthal, Uri - 0553 - MITLL
I use a 3rd-party application that is trying to update itself (so it’s trying to “call home”). Naturally, I’m behind a corporate firewall and Web proxy. The app has been configured to use that proxy. It fails to connect. Packet capture reveals the following: Handshake failed The SSL handshake