SSL handshake failure


isubhransu
I am using ***Shibboleth*** for single user authentication and it needs an SSL configuration which facilitates the user authentication process. Before, it was working fine, but now I am facing an **SSL handshake failure** error and the secure connection is being ignored. Here is the detailed error message on the browser (Firefox) screen:

    Secure Connection Failed
           
    An error occurred during a connection to www.mydomain.com.
   
    SSL peer was unable to negotiate an acceptable set of security parameters.
   
    (Error code: ssl_error_handshake_failure_alert)


      The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
      Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

---------------------------------------------------------------------------------
       

       
       

Here is the updated Shibboleth error log:

    2012-09-20 15:14:59 DEBUG Shibboleth.Listener [17]: dispatching message (default/SAML/POST)
    2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1POST [17]: validating input
    2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1POST [17]: decoded SAML response:
    <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2012-09-20T13:10:43.494Z" MajorVersion="1" MinorVersion="1" Recipient="https://inami-riziv.dokeosnet.com/Shibboleth.sso/SAML/POST" ResponseID="_faf482981786daacf938e158e87d75f8"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
    <ds:Reference URI="#_faf482981786daacf938e158e87d75f8">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
    <ds:DigestValue>qgvrV2yDB88HKXStzqT3sFrpLlo=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
    </ds:SignatureValue>
    <ds:KeyInfo>
    <ds:X509Data>
    <ds:X509Certificate>
    </ds:X509Certificate>
    </ds:X509Data>
    </ds:KeyInfo></ds:Signature><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_56927407beba7fd1762d43bb15f71303" IssueInstant="2012-09-20T13:10:43.494Z" Issuer="http://idp.smals-mvm.be/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2012-09-20T13:10:43.494Z" NotOnOrAfter="2012-09-20T13:15:43.494Z"><AudienceRestrictionCondition><Audience>https://inami-riziv.dokeosnet.com/shibboleth</Audience><Audience>urn:be:fgov:ehealth:trust:partners</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2012-09-20T13:10:43.494Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="http://idp.smals-mvm.be/shibboleth">_99e6f544a77e9b878ff54a1091c2c603</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality IPAddress="193.191.246.82"></SubjectLocality></AuthenticationStatement></Assertion></Response>
   
    2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1 [17]: extracting issuer from SAML 1.x Response
    2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1 [17]: response from (http://idp.smals-mvm.be/shibboleth)
    2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1 [17]: searching metadata for response issuer...
    2012-09-20 15:14:59 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [17]: evaluating message flow policy (replay checking on, expiration 60)
    2012-09-20 15:14:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [17]: rejected expired message, timestamp (1348146643), oldest allowed (1348146659)
    2012-09-20 15:19:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
    2012-09-20 15:34:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
    2012-09-20 15:42:06 DEBUG Shibboleth.Listener [18]: dispatching message (default::getHeaders::Application)
    2012-09-20 15:42:06 DEBUG Shibboleth.Listener [18]: dispatching message (default/Login::run::Shib1SI)
    2012-09-20 15:42:06 DEBUG XMLTooling.StorageService [18]: inserted record (9699add17fc90926f21c8fa06efec1e1) in context (RelayState) with expiration (1348149126)
    2012-09-20 16:04:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
    2012-09-20 16:19:53 INFO XMLTooling.StorageService : purged 2 expired record(s) from storage
    2012-09-20 16:20:21 DEBUG Shibboleth.Listener [21]: dispatching message (default::getHeaders::Application)
    2012-09-20 16:20:21 DEBUG Shibboleth.Listener [21]: dispatching message (default/Login::run::Shib1SI)
    2012-09-20 16:20:21 DEBUG XMLTooling.StorageService [21]: inserted record (5bfae2fab27dfd8026a14e253696bc3a) in context (RelayState) with expiration (1348151421)
    2012-09-20 16:34:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
    2012-09-20 16:39:19 DEBUG Shibboleth.Listener [22]: dispatching message (default::getHeaders::Application)
    2012-09-20 16:39:19 DEBUG Shibboleth.Listener [22]: dispatching message (default/Login::run::Shib1SI)
    2012-09-20 16:39:19 DEBUG XMLTooling.StorageService [22]: inserted record (fbf6b65fc660ed134500345faef56f0a) in context (RelayState) with expiration (1348152559)
    2012-09-20 16:43:29 INFO Shibboleth.Listener [15]: detected socket closure, shutting down worker thread
    2012-09-20 16:49:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
    2012-09-20 17:20:55 INFO Shibboleth.Listener [19]: detected socket closure, shutting down worker thread
    2012-09-20 17:31:10 INFO Shibboleth.Listener [21]: detected socket closure, shutting down worker thread
    2012-09-20 18:21:09 INFO Shibboleth.Listener [18]: detected socket closure, shutting down worker thread
    2012-09-20 18:28:29 INFO Shibboleth.Listener [17]: detected socket closure, shutting down worker thread
    2012-09-20 18:28:31 INFO Shibboleth.Listener [20]: detected socket closure, shutting down worker thread
    2012-09-20 18:48:23 DEBUG Shibboleth.Listener [23]: dispatching message (default::getHeaders::Application)
    2012-09-20 18:48:23 DEBUG Shibboleth.Listener [23]: dispatching message (default/Login::run::Shib1SI)
    2012-09-20 18:48:23 DEBUG XMLTooling.StorageService [23]: inserted record (0b316ef6e5acf1da562899feb0b84ec1) in context (RelayState) with expiration (1348160303)
    2012-09-20 18:52:26 DEBUG Shibboleth.Listener [24]: dispatching message (default::getHeaders::Application)
    2012-09-20 18:52:26 DEBUG Shibboleth.Listener [24]: dispatching message (default/Login::run::Shib1SI)
    2012-09-20 18:52:26 DEBUG XMLTooling.StorageService [24]: inserted record (b89fbe4deecae876148bd470e7aa6f85) in context (RelayState) with expiration (1348160546)
    2012-09-20 18:52:38 DEBUG Shibboleth.Listener [25]: dispatching message (default::getHeaders::Application)
    2012-09-20 18:52:38 DEBUG Shibboleth.Listener [25]: dispatching message (default/Login::run::Shib1SI)
    2012-09-20 18:52:38 DEBUG XMLTooling.StorageService [25]: inserted record (b76b99286d06dd0ce84da39c9947e344) in context (RelayState) with expiration (1348160558)
    2012-09-20 18:53:03 INFO Shibboleth.Listener [16]: detected socket closure, shutting down worker thread
    2012-09-20 18:53:27 DEBUG Shibboleth.Listener [26]: dispatching message (default::getHeaders::Application)
    2012-09-20 18:53:27 DEBUG Shibboleth.Listener [26]: dispatching message (default/Login::run::Shib1SI)
    2012-09-20 18:53:27 DEBUG XMLTooling.StorageService [26]: inserted record (59fc5fa8d1589ffc94077f4e0e079f38) in context (RelayState) with expiration (1348160607)
    2012-09-20 19:00:41 DEBUG Shibboleth.Listener [27]: dispatching message (default::getHeaders::Application)
    2012-09-20 19:00:41 DEBUG Shibboleth.Listener [27]: dispatching message (default/Login::run::Shib1SI)


**Steps to see the error live:** Go to this page > click on **Login** > then click on "Identification par carte d'identité électronique." > **error message** (the login is secured by Shibboleth)

*Note: I have done all the browser settings, even installed the latest browser. There is a problem with the SSL config, I believe, and I have synced the clock, but it's not helpful.*
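The only ERROR entry in the log above is the MessageFlow rule rejecting the SAML response as expired. The following sketch, added here and not part of the original post, parses that entry and the response's IssueInstant to show how old the message was on the SP's clock; the `analyze` helper, the trimmed sample lines and the UTC+2 offset for the log's local time are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: lines copied from the log in the post, <Response> trimmed
# to the one attribute used here.
SAMPLE_LOG = """\
2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1POST [17]: decoded SAML response:
<Response IssueInstant="2012-09-20T13:10:43.494Z" MajorVersion="1" MinorVersion="1">
2012-09-20 15:14:59 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [17]: evaluating message flow policy (replay checking on, expiration 60)
2012-09-20 15:14:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [17]: rejected expired message, timestamp (1348146643), oldest allowed (1348146659)
"""

REJECT = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ERROR \S+ \[\d+\]: rejected expired "
                    r"message, timestamp \((\d+)\), oldest allowed \((\d+)\)", re.M)
ISSUED = re.compile(r'IssueInstant="([^"]+)Z"')
POLICY = re.compile(r"replay checking \w+, expiration (\d+)\)")


def analyze(log_text, sp_utc_offset_hours):
    """Quantify an expired-message rejection. sp_utc_offset_hours is an
    assumption supplied by the caller: the log's wall-clock time has no zone."""
    hit = REJECT.search(log_text)
    if hit is None:
        return None  # no rejection in this log
    wall, msg_ts, oldest = hit.group(1), int(hit.group(2)), int(hit.group(3))
    zone = timezone(timedelta(hours=sp_utc_offset_hours))
    sp_now = int(datetime.strptime(wall, "%Y-%m-%d %H:%M:%S")
                 .replace(tzinfo=zone).timestamp())
    result = {
        "over_limit_s": oldest - msg_ts,   # how far past the cutoff
        "age_at_sp_s": sp_now - msg_ts,    # IdP issue time vs SP clock
        "window_s": sp_now - oldest,       # total age the SP tolerated
    }
    issued = ISSUED.search(log_text)
    if issued:  # cross-check the logged epoch against the XML attribute
        dt = datetime.fromisoformat(issued.group(1)).replace(tzinfo=timezone.utc)
        result["matches_issue_instant"] = int(dt.timestamp()) == msg_ts
    policy = POLICY.search(log_text)
    if policy:  # remainder beyond "expiration": read here as skew allowance
        result["allowance_beyond_expiration_s"] = result["window_s"] - int(policy.group(1))
    return result


if __name__ == "__main__":
    # UTC+2 is assumed for the SP's log clock; adjust to the server's zone.
    for key, value in analyze(SAMPLE_LOG, 2).items():
        print(f"{key}: {value}")
```

Under the UTC+2 assumption, the sample shows a message 256 s old against a 240 s window, which points at either an SP clock running ahead of the IdP or a response that reached the SP late.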