SiriServerCore
SSL related error "unknown protocol"
Hi
I've got a problem connecting to my Siri server. Every time I try to connect with my iDevice, I get the following error/warning in the server log:
INFO New connection from 192.168.2.123 on port 53399
INFO Currently 1 clients connected
WARNING SSL related error
WARNING [('SSL routines', 'SSL23_GET_CLIENT_HELLO', 'unknown protocol')]
INFO Currently 0 clients connected
If I try to verify the correctness of my certificate with the "echo | openssl s_client -connect..." method, I get the following error:
unable to load certificate
58982:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
And with the last SSL test (the mini-server one) I only got
SSL_accept:error in SSLv2/v3 read client hello A
ERROR
58992:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s23_srvr.c:578:
shutting down SSL
CONNECTION CLOSED
Does anybody have a clue why this is happening?
Thanks
Are you using https in your Spire configuration? Have you installed the correct ca.pem? Is there more than one CA certificate installed for the same domain?
Okay, first of all thanks for the https, the s was missing. My second fault was that I did not replace the whole [DOMAIN] in the testing line but only the DOMAIN. So the certificate seems right (stdin: OK). But therefore I now got the handshake failure, like this one here https://github.com/Eichhoernchen/SiriServerCore/issues/41 ... could someone explain what
It detected the hostname automatically but I didn't change it to the FQDN
means?
Thanks
When you create the certificates upon first start, or when you delete the server.crt file from the keys folder, it generates a certificate. It will try to detect your domain, but this often fails, as a public domain cannot be detected if it is not configured properly in the system. It will show you which domain it uses and ask you to confirm this, or allow you to change it. This domain must match the domain you enter in Spire, otherwise you will get a handshake failure, because the domains don't match and this would be considered an error, as this could be an impersonation attack; therefore SSL checks that.
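The name check described in the reply above, as an added example (not SiriServerCore code and not part of the original thread): a simplified model of how a TLS client compares the host it was told to connect to with the names in the server certificate. The certificate dicts are constructed samples in the format returned by Python's `ssl.SSLSocket.getpeercert()`; `macbook.local` and `siri.example.com` are assumed names.

```python
# Added example: simplified hostname-vs-certificate check.
# All certificate data below is constructed for illustration.

def cert_names(cert):
    """DNS names the certificate covers: subjectAltName first, CN as fallback."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for (k, v) in rdn if k == "commonName"]

def _name_match(pattern, host):
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard may only replace the whole leftmost label,
        # and never directly under a top-level domain ("*.com").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def hostname_matches(cert, host):
    return any(_name_match(name, host) for name in cert_names(cert))

def diagnose(cert, spire_host):
    """Explain whether the host entered in Spire is covered by the certificate."""
    if hostname_matches(cert, spire_host):
        return "OK: %s is covered by the certificate" % spire_host
    return ("MISMATCH: client connects to %s but certificate names %s; "
            "delete server.crt and regenerate it with the FQDN"
            % (spire_host, ", ".join(cert_names(cert)) or "<none>"))

# Certificate generated with the auto-detected hostname (constructed).
AUTO_DETECTED = {"subject": ((("commonName", "macbook.local"),),)}
# Certificate regenerated with the FQDN that is entered in Spire (constructed).
WITH_FQDN = {"subject": ((("commonName", "siri.example.com"),),),
             "subjectAltName": (("DNS", "siri.example.com"),)}

if __name__ == "__main__":
    print(diagnose(AUTO_DETECTED, "siri.example.com"))
    print(diagnose(WITH_FQDN, "siri.example.com"))
```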