Debugging a SSL handshake failure using OpenSSL


Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security over the Internet. It is the standard technology for establishing an encrypted link between a web server and a client, such as a browser or another kind of client app. The encrypted link ensures that all data passed between the web server and the client remains private.

When a client makes a secure request to the web server using SSL, the client specifies https:// as the protocol of the request, instead of the unsecured http:// protocol.

An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client using public-key techniques, and then allows the client and the server to cooperate in creating the symmetric keys used for fast encryption, decryption, and tamper detection during the session that follows. Optionally, the handshake also allows the client to authenticate itself to the server.

What to do when an SSL handshake fails

SSL security is outside the scope of Verivo software; however, when an SSL problem occurs, it can disrupt communication between our client and server and stop our app from working properly. That said, if you receive an "SSL handshake failure" error, there are steps you can take to debug it, and OpenSSL is a good place to start.

What does OpenSSL do?

OpenSSL commands let you perform hundreds of different functions, including viewing the details of a CSR (Certificate Signing Request) or certificate, comparing MD5 hashes derived from the certificate and the private key (to make sure they match), verifying that a certificate is installed properly on any website, and converting a certificate to a different format. The methods above are useful for debugging and are explained in more detail in this link:

If used properly, OpenSSL is a powerful tool that can isolate the cause of an SSL handshake failure. If used improperly, it can actually cause one: an example would be running an openssl pkcs12 command incorrectly when converting a certificate or key to a different format.
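The checks listed above, scripted as an added shell example. This is not code from the original article and not part of Verivo's software; it assumes the openssl command-line tool (1.1.1 or 3.x) is on PATH, and every file name, the common name app.example.test and the PKCS#12 password are constructed placeholders. The certificates it inspects are throwaway self-signed ones generated on the spot so that everything except the final live-server probe runs offline.

```shell
#!/bin/sh
# Added example, not part of the original article or of Verivo's software:
# a scripted OpenSSL checklist for an "SSL handshake failure" report.
# Assumptions: the `openssl` CLI (1.1.1 or 3.x) is on PATH; every file name,
# the CN "app.example.test" and the PKCS#12 password are constructed placeholders.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/server.pem"        # the certificate installed on the server
KEY="$WORKDIR/server.key"         # its private key
OTHER_CERT="$WORKDIR/other.pem"   # an unrelated cert, used to show a mismatch
OTHER_KEY="$WORKDIR/other.key"

# Constructed fixture: throwaway self-signed certificates so the checks run
# offline. On a real server, point CERT/KEY at the installed files instead.
make_self_signed() {            # $1 cert path, $2 key path, $3 common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Check 1: read the certificate's details. A wrong name or an expired
# certificate is the first thing a client rejects.
cert_subject() {                 # $1 cert path
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}
cert_expires_within() {          # $1 cert path, $2 seconds; prints yes/no
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then echo no; else echo yes; fi
}

# Check 2: confirm the certificate and private key belong together by comparing
# MD5 hashes of their RSA modulus. A mismatch means the server cannot complete
# the handshake no matter what the client does.
modulus_md5() {                  # $1 "x509" or "rsa", $2 file
    openssl "$1" -in "$2" -noout -modulus | openssl md5 | awk '{print $NF}'
}
key_matches_cert() {             # $1 cert path, $2 key path; prints yes/no
    if [ "$(modulus_md5 x509 "$1")" = "$(modulus_md5 rsa "$2")" ]; then echo yes; else echo no; fi
}

# Check 3: verify the chain against a trust bundle. A self-signed certificate
# only verifies when it is itself supplied as the trust anchor.
cert_verifies_with() {           # $1 CA bundle, $2 cert path; prints ok/fail
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Check 4: do a PKCS#12 conversion and read it straight back, so a bad
# conversion shows up here instead of as a handshake failure in production.
pkcs12_roundtrip() {             # $1 cert, $2 key, $3 output .p12; prints the subject read back
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout pass:changeit 2>/dev/null
    openssl pkcs12 -in "$3" -nokeys -passin pass:changeit 2>/dev/null \
        | openssl x509 -noout -subject | sed 's/^subject= *//'
}

# Check 5 (needs network, so not run here): talk to the live server and dump
# the handshake. -servername sets SNI so a name-based virtual host answers
# with the right certificate.
probe_handshake() {              # $1 host, $2 port
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null
}

if [ "${1:-}" = "--demo" ]; then
    make_self_signed "$CERT" "$KEY" app.example.test
    make_self_signed "$OTHER_CERT" "$OTHER_KEY" other.example.test
    echo "subject:                $(cert_subject "$CERT")"
    echo "expires within 2 days:  $(cert_expires_within "$CERT" 172800)"
    echo "key matches cert:       $(key_matches_cert "$CERT" "$KEY")"
    echo "key matches other cert: $(key_matches_cert "$OTHER_CERT" "$KEY")"
    echo "self-signed verify:     $(cert_verifies_with "$CERT" "$CERT")"
    echo "verify vs wrong CA:     $(cert_verifies_with "$OTHER_CERT" "$CERT")"
    echo "pkcs12 round trip:      $(pkcs12_roundtrip "$CERT" "$KEY" "$WORKDIR/server.p12")"
fi
```

Run it with `--demo` to see each check's verdict on the generated fixtures; to use it against a real deployment, set CERT and KEY to the installed files and call probe_handshake with the server's host and port. The PKCS#12 round trip is there because, as the article notes, a mis-run conversion is itself a way to break the handshake: reading the exported file back and comparing the subject catches that before the file reaches the server.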

Further reading


