Archived Forum Post

Question:

Failed SSL Handshake Error

Jan 18 '16 at 13:14

I'm connecting to a host that requires a client certificate. Is the failure below rejecting my client certificate, or does it mean Chilkat is rejecting the remote server's certificate?

Thanks!

ChilkatLog:
  GetServerSslCert:
    DllDate: Dec 30 2015
    ChilkatVersion: 9.5.0.55
    UnlockPrefix: NTHttp
    Architecture: Little Endian; 64-bit
    Language: Linux Perl
    VerboseLogging: 0
    domain: mysite.com
    port: 443
    socket2Connect:
      connect2:
        connectImplicitSsl:
          clientHandshake:
            clientHandshake2:
              readHandshakeMessages:
                processAlert:
                  TlsAlert:
                    level: fatal
                    descrip: unknown certificate authority
                  --TlsAlert
                --processAlert
                Aborting handshake because of fatal alert.
              --readHandshakeMessages
            --clientHandshake2
          --clientHandshake
          Client handshake failed. (3)
        --connectImplicitSsl
        ConnectFailReason: 109
      --connect2
    --socket2Connect
    Failed.
  --GetServerSslCert
--ChilkatLog

Answer

descrip: unknown certificate authority

The signer of the certificate cannot be validated on your system. Either the server has a self-signed certificate or your system doesn't have the latest server authorities available to it.


Answer

The GetServerSslCert method is for retrieving the server's SSL/TLS certificate. There shouldn't be a need to use a client-certificate for this purpose.

What GetServerSslCert does is to simply make a connection to the domain/port specified, and to complete the TLS handshake. Part of the TLS handshake involves the server sending its certificate to the client. If you set a client-side certificate, then Chilkat will include the client-side certificate in the TLS handshake. (But there's really no need for that in this case.) Chilkat does it, and the server examines the client certificate and doesn't like it because it doesn't know about the certificate authority, and this causes the server (or this particular server) to issue a TLS Abort message to abort the TLS handshake.

The solution for GetServerSslCert is to omit setting the client-side certificate for that call. If your app then needs to send a POST, GET, or whatever where the client cert is needed for authentication (i.e. two-way SSL/TLS), then you'll have to first sort out the problem with the fact that your cert's root is not recognized by the server. If your cert was a self-signed certificate, then the only solution is to get a cert from a cert authority.
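As an added example (not code from the forum thread or from Chilkat), the following decodes a raw TLS alert record like the one in the log above and states, from the direction the alert travelled, which side rejected whose certificate; the sample record bytes are constructed:

```python
# Added example (not from the original thread): decode a raw TLS alert record and
# say which side rejected whose certificate; an alert is the sender's verdict.
import struct

# RFC 5246 / RFC 8446 AlertDescription codes (subset) and AlertLevel codes.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 116: "certificate_required",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CERT_RELATED = {42, 43, 44, 45, 46, 48, 116}  # verdicts on the peer's certificate
CONTENT_TYPE_ALERT = 0x15

def parse_tls_alert(record: bytes) -> dict:
    """Parse one plaintext TLS record (5-byte header + 2-byte alert body)."""
    if len(record) < 7:
        raise ValueError("record too short for a TLS alert")
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {content_type})")
    if length != 2 or len(record) != 7:
        raise ValueError("alert payload must be exactly 2 bytes")
    level, description = record[5], record[6]
    return {
        "record_version": f"{version >> 8}.{version & 0xFF}",  # 3.3 == TLS 1.2
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
        "code": description,
    }

def explain_alert(record: bytes, received_from: str) -> str:
    """received_from is the side that SENT the alert ('server' or 'client');
    a server-sent unknown_ca means the server could not chain the client's cert."""
    alert = parse_tls_alert(record)
    peer = "client" if received_from == "server" else "server"
    if alert["code"] in CERT_RELATED:
        verdict = f"the {received_from} rejected the {peer}'s certificate"
    else:
        verdict = f"the {received_from} aborted for a non-certificate reason"
    return f"{alert['level']} {alert['description']}: {verdict}"

# Constructed sample: TLS 1.2 record, AlertLevel 2 (fatal), AlertDescription 48.
SAMPLE_UNKNOWN_CA = bytes.fromhex("15 03 03 00 02 02 30")
```

Calling `explain_alert(SAMPLE_UNKNOWN_CA, received_from="server")` on the alert the client logged above yields the server's verdict on the client certificate, which is the distinction the question asks about.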


Answer

The remote server is rejecting your client certificate.