SiriServerCore

SSL related error "unknown protocol"

Open h333397 opened this issue 12 years ago • 3 comments

Hi

I've got a problem connecting to my Siri-server. Every time I try to connect with my iDevice, I get the following error/warning in the server log:

INFO New connection from 192.168.2.123 on port 53399
INFO Currently 1 clients connected
WARNING SSL related error
WARNING [('SSL routines', 'SSL23_GET_CLIENT_HELLO', 'unknown protocol')]
INFO Currently 0 clients connected

If I try to verify the correctness of my certificate with the "echo | openssl s_client -connect..." method, I get the following error:

unable to load certificate 58982:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE

And with the last SSL test (the mini-server one) I only got

SSL_accept:error in SSLv2/v3 read client hello A
ERROR
58992:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s23_srvr.c:578: shutting down SSL
CONNECTION CLOSED

Does anybody have a clue why this is happening?

Thanks

h333397 avatar Apr 14 '12 16:04 h333397

Are you using https in your spire configuration? Have you installed the correct ca.pem? Is there more than one CA certificate installed for the same domain?

janrueth avatar Apr 14 '12 17:04 janrueth

Okay, first of all thanks for the https, the s was missing. My second fault was that I did not replace the whole [DOMAIN] in the testing line but only the DOMAIN. So the certificate seems right (stdin: OK). But therefore I now got the handshake failure, like this one here https://github.com/Eichhoernchen/SiriServerCore/issues/41 ... could someone explain what

It detected the hostname automatically but I didn't change it to the FQDN

means?

Thanks

h333397 avatar Apr 14 '12 18:04 h333397

When you create the certificates upon first start, or when you delete the server.crt file from the keys folder, it generates a certificate. It will try to detect your domain, but this often fails, as a public domain cannot be detected if it is not configured properly in the system. It will show you which domain it uses and ask you to confirm this, or allow you to change it. This domain must match the domain you enter in spire; otherwise you will get a handshake failure because the domains don't match, and this would be considered an error as this could be an impersonation attack, therefore SSL checks that.

janrueth avatar Apr 14 '12 19:04 janrueth
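
Added example, not part of the thread or of SiriServerCore: the "unknown protocol" warning in this issue went away once the client URL used https, which fits a client sending plaintext to the TLS port. The hypothetical helper `classify_first_bytes` labels the first bytes a client sends so that case can be told apart from a real TLS hello when triaging a server log. The sample byte strings and the host name are constructed.

```python
import re

# Added illustration: hypothetical helper, not SiriServerCore code.
# A plaintext request line looks like "<METHOD> <target> HTTP/x.y".
_HTTP_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d\r?\n")


def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes a client sent to a TLS listener."""
    if len(data) < 5:
        return "too-short"
    # SSLv3/TLS record header: content type 0x16 (handshake), major
    # version 3, minor version, 2-byte length. Byte 5, when present,
    # is the handshake message type; 0x01 means ClientHello.
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        if len(data) > 5 and data[5] != 0x01:
            return "tls-record-not-client-hello"
        return "tls-client-hello"
    # SSLv2-compatible hello: 2-byte length with the high bit set,
    # then message type 0x01 (CLIENT-HELLO).
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-compatible-client-hello"
    # Cleartext HTTP-style request: the client URL used http, not https.
    if _HTTP_LINE.match(data):
        return "plaintext-http"
    return "unknown"


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "tls": bytes.fromhex("16030100c8010000c40303") + bytes(16),
    "sslv2": bytes.fromhex("802e0100020015000000100700c0"),
    "http": b"GET / HTTP/1.1\r\nHost: siri.example.test\r\n\r\n",
    "noise": b"\x00\x01\x02\x03\x04\x05",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:6} -> {classify_first_bytes(blob)}")
```

A "plaintext-http" result points at the client configuration (http instead of https), while a "tls-client-hello" result means the failure lies later in the handshake, for example in the certificate or domain check.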