Archived Forum Post

Question:

Final handshake failed while attempting SSL connection

Aug 22 '12 at 11:02

I'm using your socket/SSL API to connect to a server over SSL. I think that everything is set correctly.

Here is the Chilkat log:

Language: ActiveX
objectId: 1
hcCurDate: Thu, 12 Jul 2012 14:26:56 +0200
hcExpire: 7/2012
hostname: https://server.cz
port: 443
ssl: 1
maxWaitMs: 20000
ConnectTimeoutMs_1: 20000
calling ConnectSocket2
IPV6 enabled connect with NO heartbeat.
connectingTo: server.cz
dnsCacheLookup: server.cz
Resolving domain name (IPV4)
GetHostByNameHB_ipv4: Elapsed time: 156 millisec
myIP_1: 10.139.10.34
myPort_1: 3774
connect successful (1)
clientHelloMajorMinorVersion: 3.1
buildClientHello:
  majorVersion: 3
  minorVersion: 1
  numRandomBytes: 32
  sessionIdSize: 0
  numCipherSuites: 10
  numCompressionMethods: 1
--buildClientHello
handshakeMessageType: ServerHello
handshakeMessageLen: 0x46
processHandshakeMessage:
  MessageType: ServerHello
  Processing ServerHello...
  ServerHello:
    MajorVersion: 3
    MinorVersion: 1
    SessionIdLen: 32
    CipherSuite: RSA_WITH_RC4_128_SHA
    CipherSuite: 00,05
    CompressionMethod: 0
    Queueing ServerHello message.
    ServerHello is OK.
  --ServerHello
--processHandshakeMessage
HandshakeQueue:
  MessageType: ServerHello
--HandshakeQueue
Dequeued ServerHello message.
handshakeMessageType: Certificate
handshakeMessageLen: 0x1027
processHandshakeMessage:
  MessageType: Certificate
  ProcessCertificates:
    Certificate:
      derSize: 1473
      certSubjectCN: server.cz
      certSerial: 31B8AA9D000000000031
      certIssuerCN: ISZR AIS CA
    --Certificate
    Certificate:
      derSize: 1200
      certSubjectCN: ISZR AIS CA
      certSerial: 13F82CCC000000000003
      certIssuerCN: ROOT CA SZR
    --Certificate
    Certificate:
      derSize: 1450
      certSubjectCN: ROOT CA SZR
      certSerial: 686433AB95C15B854A2E06D1E7563B0F
      certIssuerCN: ROOT CA SZR
    --Certificate
    NumCertificates: 3
    Queueing Certificates message...
  --ProcessCertificates
--processHandshakeMessage
Dequeued Certificate message.
handshakeMessageType: CertificateRequest
handshakeMessageLen: 0x137
processHandshakeMessage:
  MessageType: CertificateRequest
  CertificateRequest:
    NumCertificateTypes: 1
    Certificate Type: RSA Sign
    totalLen: 307
    DistinguishedName: C=CZ, ST=SZR, L="Obec=Obec,Ulice=Ulice,PSC=12345", O=123456, OU=123-E/OVER, CN=CN
    DistinguishedName: C=CZ, L=Praha, O=SZR CR, CN=ROOT CA SZR
    DistinguishedName: C=CZ, L=Praha, O=SZR CR, CN=ISZR AIS CA
    NumDistinguishedNames: 3
    CertificateRequest message is OK.
    Queueing CertificateRequest message.
  --CertificateRequest
--processHandshakeMessage
Dequeued CertificateRequest message.
handshakeMessageType: ServerHelloDone
handshakeMessageLen: 0x0
processHandshakeMessage:
  MessageType: ServerHelloDone
  Queueing HelloDone message.
--processHandshakeMessage
DequeuedMessageType: ServerHelloDone
OK to ServerHelloDone!
Sending client-side certificate(s)...
CertificatesMessage:
  numCerts: 1
  certificate:
    SubjectCN: ISZERO.server.cz
    SerialNumber: 5BF15BD7000000000165
  --certificate
  CertificateSize: 0x517
--CertificatesMessage
Encrypted pre-master secret with server certificate RSA public key is OK.
Sending ClientKeyExchange...
Sent ClientKeyExchange message.
Sending CertificateVerify...
Calculating cert verify MAC for TLS 1.*
signatureSize: 256
Sending ChangeCipherSpec...
Sent ChangeCipherSpec message.
Derived keys.
Installed new outgoing security params.
Sending FINISHED message..
algorithm: arc4
keyLength: 128
Sent FINISHED message..
TlsAlert:
  level: fatal
  descrip: handshake failure
--TlsAlert
Closing connection in response to fatal error.
Failed to read incoming handshake messages. (3)
Client handshake failed.
Failed.

--Connect_Socket --ChilkatLog


Answer

Try connecting without using a client-side certificate. I just tested the same by connecting to port 443 of server.cz, and everything worked fine.

Here's my LastErrorText:

ChilkatLog:
  Connect_Socket:
    DllDate: Aug 10 2012
    UnlockPrefix: UNTTSTSocket
    Username: CK2007:Chilkat
    Architecture: Little Endian; 32-bit
    Language: Visual C++ 6.0
    VerboseLogging: 1
    objectId: 2
    hostname: server.cz
    port: 443
    ssl: 1
    maxWaitMs: 10000
    ConnectTimeoutMs_1: 10000
    calling ConnectSocket2
    IPV6 enabled connect with NO heartbeat.
    connectingTo: server.cz
    GetHostByNameHB_ipv4: Elapsed time: 219 millisec
    myIP_1: 192.168.1.126
    myPort_1: 3448
    connect successful (1)
    clientHelloMajorMinorVersion: 3.1
    buildClientHello:
      majorVersion: 3
      minorVersion: 1
      numRandomBytes: 32
      sessionIdSize: 0
      numCipherSuites: 10
      numCompressionMethods: 1
    --buildClientHello
    Received SSL 3.0 or TLS record...
    m_contentType: 22
    m_majorVersion: 3
    m_minorVersion: 1
    msgLen: 74
    TlsRecord:
      ContentType: Handshake
      Protocol: TLS 1.0
      PacketLen: 74
      LengthMsb: 0x0
      LengthLsb: 0x4a
    --TlsRecord
    processTlsRecord:
      ProcessTlsRecord:
        ContentType: Handshake
        handshakeMessageType: ServerHello
        handshakeMessageLen: 0x46
        handshakeMessageLen: 70
        nBytesLeft: 70
        processHandshakeMessage:
          MessageType: ServerHello
          Processing ServerHello...
          ServerHello:
            MajorVersion: 3
            MinorVersion: 1
            SessionIdLen: 32
            CipherSuite: RSA_WITH_AES_256_CBC_SHA
            CipherSuite: 00,35
            CompressionMethod: 0
            Queueing ServerHello message.
            ServerHello is OK.
          --ServerHello
        --processHandshakeMessage
      --ProcessTlsRecord
    --processTlsRecord
    HandshakeQueue:
      MessageType: ServerHello
    --HandshakeQueue
    Dequeued ServerHello message.
    Received SSL 3.0 or TLS record...
    m_contentType: 22
    m_majorVersion: 3
    m_minorVersion: 1
    msgLen: 936
    TlsRecord:
      ContentType: Handshake
      Protocol: TLS 1.0
      PacketLen: 936
      LengthMsb: 0x3
      LengthLsb: 0xa8
    --TlsRecord
    processTlsRecord:
      ProcessTlsRecord:
        ContentType: Handshake
        handshakeMessageType: Certificate
        handshakeMessageLen: 0x3a4
        handshakeMessageLen: 932
        nBytesLeft: 932
        processHandshakeMessage:
          MessageType: Certificate
          ProcessCertificates:
            Certificate:
              derSize: 926
              certSubjectCN: *.server.cz
              certSerial: 06
              certIssuerCN: server.cz
            --Certificate
            NumCertificates: 1
            Queueing Certificates message...
          --ProcessCertificates
        --processHandshakeMessage
      --ProcessTlsRecord
    --processTlsRecord
    Dequeued Certificate message.
    Received SSL 3.0 or TLS record...
    m_contentType: 22
    m_majorVersion: 3
    m_minorVersion: 1
    msgLen: 4
    TlsRecord:
      ContentType: Handshake
      Protocol: TLS 1.0
      PacketLen: 4
      LengthMsb: 0x0
      LengthLsb: 0x4
    --TlsRecord
    processTlsRecord:
      ProcessTlsRecord:
        ContentType: Handshake
        handshakeMessageType: ServerHelloDone
        handshakeMessageLen: 0x0
        handshakeMessageLen: 0
        nBytesLeft: 0
        processHandshakeMessage:
          MessageType: ServerHelloDone
          Queueing HelloDone message.
        --processHandshakeMessage
      --ProcessTlsRecord
    --processTlsRecord
    DequeuedMessageType: ServerHelloDone
    OK to ServerHelloDone!
    No client certificate required by the server.
    Encrypted pre-master secret with server certificate RSA public key is OK.
    Sending ClientKeyExchange...
    Sent ClientKeyExchange message.
    Sending ChangeCipherSpec...
    Sent ChangeCipherSpec message.
    Derived keys.
    Installed new outgoing security params.
    Sending FINISHED message..
    algorithm: aes
    keyLength: 256
    Sent FINISHED message..
    Received SSL 3.0 or TLS record...
    m_contentType: 20
    m_majorVersion: 3
    m_minorVersion: 1
    msgLen: 1
    TlsRecord:
      ContentType: ChangeCipherSpec
      Protocol: TLS 1.0
      PacketLen: 1
      LengthMsb: 0x0
      LengthLsb: 0x1
    --TlsRecord
    processTlsRecord:
      ProcessTlsRecord:
        ContentType: ChangeCipherSpec
        ccsProtocolType: 1
      --ProcessTlsRecord
    --processTlsRecord
    Received SSL 3.0 or TLS record...
    m_contentType: 22
    m_majorVersion: 3
    m_minorVersion: 1
    msgLen: 48
    Decrypting incoming message...
    paddingLen: 11
    decryptedMsg: 1400 000C DE00 0430 5EA4 F078 3F29 4452
05A4 36C7 61DF 8FBB 1CDD 48FB F1DE CD74
    macLen: 20
    TlsRecord:
      ContentType: Handshake
      Protocol: TLS 1.0
      PacketLen: 48
      LengthMsb: 0x0
      LengthLsb: 0x30
    --TlsRecord
    processTlsRecord:
      ProcessTlsRecord:
        ContentType: Handshake
        handshakeMessageType: HandshakeFinished
        handshakeMessageLen: 0xc
        handshakeMessageLen: 12
        nBytesLeft: 12
        processHandshakeMessage:
          MessageType: HandshakeFinished
          FinishedMsgLen: 12
          Queueing Finished message.
        --processHandshakeMessage
      --ProcessTlsRecord
    --processTlsRecord
    Dequeue the FINISHED message...
    Dequeued Finished message.
    Handshake completed successfully.
    Secure Channel Established.
    Success.
  --Connect_Socket
--ChilkatLog


Answer

In your LastErrorText, I cannot see the "DllDate" line at the beginning, so I don't know if you're using an old version. If you are using an old version, download and test with the latest...
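
An added example, not part of the original posts and not Chilkat's code: a Python helper that pulls from a LastErrorText dump the facts the two answers turn on (whether a DllDate line is present, whether the server requested a client certificate and which CA names it listed, and whether the fatal alert arrived after the client's Finished). The function names, the hint wording and the embedded sample (lines selected from the failing log in the question) are assumptions of this example.

```python
import re

# Constructed excerpt: selected lines from the failing log in the question.
SAMPLE_LOG = """\
Language: ActiveX
    CipherSuite: RSA_WITH_RC4_128_SHA
    CipherSuite: 00,05
handshakeMessageType: CertificateRequest
    DistinguishedName: C=CZ, L=Praha, O=SZR CR, CN=ROOT CA SZR
    DistinguishedName: C=CZ, L=Praha, O=SZR CR, CN=ISZR AIS CA
Sending client-side certificate(s)...
    SubjectCN: ISZERO.server.cz
Sending CertificateVerify...
Sent FINISHED message..
TlsAlert:
  level: fatal
  descrip: handshake failure
--TlsAlert
"""

def field(log, key):
    """Return every value logged as 'key: value' (exact key), in order."""
    return re.findall(rf"^[ \t]*{re.escape(key)}:[ \t]*(.+?)[ \t]*$", log, re.M)

def triage(log):
    """Collect the handshake facts both answers ask about (hypothetical helper)."""
    finished_at, alert_at = log.find("Sent FINISHED message"), log.find("TlsAlert:")
    facts = {
        "dll_date": next(iter(field(log, "DllDate")), None),
        # The suite is logged twice (name, then hex pair); keep the name.
        "cipher_suite": next((c for c in field(log, "CipherSuite") if "_" in c), None),
        "client_cert_requested": "handshakeMessageType: CertificateRequest" in log,
        "acceptable_ca_cns": [dn.rsplit("CN=", 1)[1]
                              for dn in field(log, "DistinguishedName") if "CN=" in dn],
        "client_cert_sent": field(log, "SubjectCN"),
        "fatal_alert": (next(iter(field(log, "descrip")), None)
                        if "fatal" in field(log, "level") else None),
        "alert_after_client_finished": 0 <= finished_at < alert_at,
    }
    hints = []
    if facts["dll_date"] is None:
        hints.append("no DllDate line: library build is unknown")
    if (facts["client_cert_requested"] and facts["client_cert_sent"]
            and facts["alert_after_client_finished"]):
        hints.append("server aborted after the client-certificate flight: "
                     "compare the client certificate's issuer with acceptable_ca_cns")
    return facts, hints
```

The failing log prints only the subject CN and serial number of the client certificate, so the issuer comparison suggested by the second hint has to be done against the certificate itself.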