SSL Handshake Failing With 'Certificate Unknown'

Pavan Dittakavi · Aug 4, 2017 · Viewed 25.6k times

We have an application that is currently running via HTTP protocol. We are aiming to migrate it to HTTPS. We have made the necessary changes, but then during login to the application I am getting a "peer not authenticated" error message.

I am completely new to the SSL world, so I Googled it and captured a Wireshark trace; the communication looks as below:

  1. Client sends [SYN] to server.
  2. Server sends [SYN,ACK] to client.
  3. Client sends [ACK] to server.
  4. Client sends the message ClientHello to the server.
  5. Server sends ServerHello and then its certificate with the messages “ServerHello, Certificate, ServerHelloDone”
  6. Alert 61, Level Fatal, Description: Certificate Unknown // Failing here.

Please share your inputs on what could be going wrong. We are stuck here and not able to proceed further.

Answer

Kaushal Kumar Panday · Aug 4, 2017

UPDATED

This is a strange error. The Certificate Unknown should usually be accompanied by an Alert code of 46 and not 61.

If you look, SSL Alert 61 is not mentioned in the Alert Protocol (RFC 5246):

  enum {
      close_notify(0),
      unexpected_message(10),
      bad_record_mac(20),
      decryption_failed_RESERVED(21),
      record_overflow(22),
      decompression_failure(30),
      handshake_failure(40),
      no_certificate_RESERVED(41),
      bad_certificate(42),
      unsupported_certificate(43),
      certificate_revoked(44),
      certificate_expired(45),
      certificate_unknown(46),
      illegal_parameter(47),
      unknown_ca(48),
      access_denied(49),
      decode_error(50),
      decrypt_error(51),
      export_restriction_RESERVED(60),
      protocol_version(70),
      insufficient_security(71),
      internal_error(80),
      user_canceled(90),
      no_renegotiation(100),
      unsupported_extension(110),
      (255)
  } AlertDescription;

Without looking at the trace, it is difficult to investigate further.

It looks like the Server certificate provided in the Server Hello wasn't trusted by the client.

I would recommend testing this using cURL.exe with the -v option.
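The answer turns on reading the alert record in the trace correctly: the two-byte Alert body after the five-byte record header carries the level and the RFC 5246 description code, and 46 (certificate_unknown) or 48 (unknown_ca) right after ServerHelloDone means the client rejected the server's certificate. The following decoder is an added example, not code from either poster; the record bytes it parses are constructed by hand (a TLS 1.2 fatal certificate_unknown alert, and a record carrying the code 61 that the answer says is not in the RFC), not bytes from the asker's capture.

```python
"""Decode plaintext TLS alert records as defined in RFC 5246 section 7.2.

Added example, not part of the original question or answer. The sample
records at the bottom are constructed, not taken from the poster's trace.
"""
import struct

# AlertLevel values from RFC 5246.
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values from RFC 5246 (the enum quoted in the answer).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction_RESERVED",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}

CONTENT_TYPE_ALERT = 21  # TLS record-layer ContentType for the alert protocol

# Descriptions a client sends when it rejects the server's certificate.
# One of these immediately after ServerHelloDone points at client-side
# trust (missing CA, wrong name, expiry), not at the server's listener.
CERT_REJECTION_CODES = {42, 43, 44, 45, 46, 48}


def parse_alert_record(record: bytes) -> dict:
    """Parse one unencrypted TLS record that carries an alert.

    Layout: ContentType(1) ProtocolVersion(2) length(2) followed by the
    2-byte Alert body: AlertLevel(1) AlertDescription(1). Only plaintext
    alerts are handled; alerts sent after the key exchange (and every TLS
    1.3 alert) are encrypted and would need the session keys to decode.
    Raises ValueError for anything that is not a well-formed alert record.
    """
    if len(record) < 7:
        raise ValueError("record too short for a TLS alert")
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError(f"content type {content_type} is not an alert (21)")
    if length != 2 or len(record) != 5 + length:
        raise ValueError("alert body must be exactly 2 bytes")
    level, description = record[5], record[6]
    return {
        "version": f"{major}.{minor}",  # 3.3 is TLS 1.2, 3.1 is TLS 1.0
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description_code": description,
        "description": ALERT_DESCRIPTIONS.get(
            description, f"not in RFC 5246 ({description})"),
        "client_rejected_cert": description in CERT_REJECTION_CODES,
    }


def is_well_formed_alert(record: bytes) -> bool:
    """Convenience wrapper: True if parse_alert_record accepts the bytes."""
    try:
        parse_alert_record(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample records (not from the asker's capture):
    # TLS 1.2 record, alert body = level 2 (fatal), description 46.
    fatal_cert_unknown = bytes([21, 3, 3, 0, 2, 2, 46])
    # Same shape, but the code 61 that the answer says RFC 5246 does not define.
    code_61 = bytes([21, 3, 3, 0, 2, 2, 61])
    for rec in (fatal_cert_unknown, code_61):
        print(parse_alert_record(rec))
```

Running the script prints the decoded dictionaries; for the first record the description is `certificate_unknown` with `client_rejected_cert` set, which is the situation the answer describes (the client did not trust what the server sent), and for the second the decoder reports that 61 is not an RFC 5246 description code, so a "61" in the trace is more likely a frame or packet number than an alert value.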