Ssl library error 45


The cryptographic security of the SSL connection has been compromised

Environment:
Web Interface 5.3.0.34 installed on Windows 2008 R2 in DMZ with selfmade certificates
Secure gateway 3.2.1 (Secure gateway diagnostics says 3.2.0) installed on Windows 2008 R2 in DMZ with selfmade certificates
Citrix farm XenApp 6.0 installed on Windows 2008 R2

Yesterday a user called me and said that there was a problem logging in from home. I tried and it worked for me, but not for the user. He got a message box saying:

"Unable to launch your application. Contact your helpdesk with the following information: Cannot connect to the Citrix XenApp server. Network issues are preventing your connection. Please try again. If the problem persists, please call your help desk."

I tried again and could launch the application, but the user could not.

I logged in to the Secure gateway server and there were some users logged on, but in the event viewer I found the events below for the user that called me.

After about 20 minutes I got the same message as the user, and could not launch any applications. I was still logged on to the Web Interface. I logged out from the Web interface and logged on again. Same problem. I restarted the client (Windows 7 x64) and logged on to the Web Interface, still the same problem. After about 30 minutes I suddenly was able to launch the applications again!!!! WHY???

I restarted the Secure gateway and then called the user, and everything was working for him too. The event log on the Secure gateway server is a lot cleaner now after the restart, and everything is OK until the next time, which seems to be able to happen whenever it feels like it.

Is there a solution for this?

/Larsa

_____________________________________________________________________________________________

Log Name: Citrix Secure Gateway
Source: Citrix Secure Gateway
Date: 2011-06-15 22:41:19
Event ID: 184
Task Category: (4)
Level: Information
Keywords: Classic
User: N/A
Computer: securegateway.company.com
Description:
Client IP 83.172.77.38:1332] with username [[email protected]] connected successfully to server [192.168.1.57:1494] resource [Remote Desktop], using protocol [iCA.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Citrix Secure Gateway" />
<EventID Qualifiers="0">184</EventID>
<Level>4</Level>
<Task>4</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-06-15T20:41:19.000000000Z" />
<EventRecordID>16883</EventRecordID>
<Channel>Citrix Secure Gateway</Channel>
<Computer>securegateway.company.com</Computer>
<Security />
</System>
<EventData>
<Data>Client IP 83.172.77.38:1332] with username [[email protected]] connected successfully to server [192.168.1.57:1494] resource [Remote Desktop], using protocol [iCA.</Data>
</EventData>
</Event>

_____________________________________________________________________________________________

Log Name: Citrix Secure Gateway
Source: Citrix Secure Gateway
Date: 2011-06-15 22:41:19
Event ID: 127
Task Category: (2)
Level: Error
Keywords: Classic
User: N/A
Computer: securegateway.company.com
Description:
SSL library error 45 on securegateway.company.com:443 with client 83.172.77.38:The cryptographic security of the SSL connection has been compromised..
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Citrix Secure Gateway" />
<EventID Qualifiers="0">127</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-06-15T20:41:19.000000000Z" />
<EventRecordID>16884</EventRecordID>
<Channel>Citrix Secure Gateway</Channel>
<Computer>securegateway.company.com</Computer>
<Security />
</System>
<EventData>
<Data>SSL library error 45 on securegateway.company.com:443 with client 83.172.77.38:The cryptographic security of the SSL connection has been compromised..</Data>
</EventData>
</Event>
_____________________________________________________________________________________________

Log Name: Citrix Secure Gateway
Source: Citrix Secure Gateway
Date: 2011-06-15 22:41:19
Event ID: 185
Task Category: (4)
Level: Information
Keywords: Classic
User: N/A
Computer: securegateway.company.com
Description:
Client IP 83.172.77.38:1332] with username [[email protected]] successfully closed connection to server [192.168.1.57:1494] resource [Remote Desktop.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Citrix Secure Gateway" />
<EventID Qualifiers="0">185</EventID>
<Level>4</Level>
<Task>4</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-06-15T20:41:19.000000000Z" />
<EventRecordID>16885</EventRecordID>
<Channel>Citrix Secure Gateway</Channel>
<Computer>securegateway.company.com</Computer>
<Security />
</System>
<EventData>
<Data>Client IP 83.172.77.38:1332] with username [[email protected]] successfully closed connection to server [192.168.1.57:1494] resource [Remote Desktop.</Data>
</EventData>
</Event>

_____________________________________________________________________________________________

Let's Encrypt Community Support

Hi @Maturity,

You can use commands to see what’s in the files.

to view a file that you think contains a certificate, and

to view the public key associated with a file that you think contains an RSA private key. (I didn’t suggest the commands that view the private key directly because I think this risks having people share the private key accidentally or having other people be in a position to see it, and there’s normally no reason that you have to look at the actual secrets in order to confirm that something is a private key.)

You could try using these on the various files in question to see what they contain. Another option for PEM-formatted files in general is

(the exact number of hyphens is important here!) in order to see what kinds of PEM objects are present in , without looking at their contents.

The one important limitation of the commands above is that is only willing to look at the first object in a file that contains multiple objects. So for example if you used the command I suggested on the Certbot-generated , it would only show the end-entity (leaf) certificate, not the intermediate (issuer) certificate, even though both are present one after another in the same file.
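As an added example (not from the post above or from Certbot or OpenSSL), here is a small scanner that addresses the limitation just described: it lists every PEM object in a file, not just the first, and checks that each body decodes to a DER SEQUENCE of the declared length. The input is a constructed two-certificate chain whose base64 bodies are tiny stand-in DER structures, not real certificates.

```python
"""List every PEM object in a file, not only the first one.

`openssl x509` and `openssl rsa` stop after the first PEM object, so a Certbot
fullchain.pem looks like a single certificate. This walks the whole file,
reports each object's label, and checks that the body decodes to a DER
SEQUENCE whose declared length matches the decoded size.
"""
import base64
import re

# Exactly five hyphens on each side; any other count is a common copy/paste error
# and is deliberately NOT accepted here, so it shows up as an unmatched BEGIN line.
_PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)^-----END ([A-Z0-9 ]+)-----",
    re.MULTILINE | re.DOTALL,
)

# Constructed sample input: two stand-in DER SEQUENCEs, not real certificates.
SAMPLE_FULLCHAIN = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAYCAQACAQE=
-----END CERTIFICATE-----
"""

# Constructed sample with two typical defects: four hyphens, and a non-base64 body.
SAMPLE_BAD = """----BEGIN RSA PRIVATE KEY----
MAMCAQU=
----END RSA PRIVATE KEY----
-----BEGIN CERTIFICATE-----
not base64 at all!!
-----END CERTIFICATE-----
"""


def _der_length(der: bytes):
    """Total length implied by the outer DER SEQUENCE header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:  # 0x30 = SEQUENCE; every cert/key starts with one
        return None
    first = der[1]
    if first < 0x80:                    # short form: one length byte
        return 2 + first
    n = first & 0x7F                    # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_objects(text: str) -> list:
    """Return one dict per PEM object found, in file order."""
    found = []
    for m in _PEM_BLOCK.finditer(text):
        label, body, end_label = m.group(1), m.group(2), m.group(3)
        entry = {"label": label, "ok": False, "problem": None, "der_bytes": 0}
        if label != end_label:
            entry["problem"] = f"END label {end_label!r} does not match BEGIN label"
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:          # binascii.Error is a ValueError subclass
                entry["problem"] = "body is not valid base64"
            else:
                entry["der_bytes"] = len(der)
                if _der_length(der) != len(der):
                    entry["problem"] = "body is not a DER SEQUENCE of the declared length"
                else:
                    entry["ok"] = True
        found.append(entry)
    return found


def unmatched_begin_lines(text: str) -> int:
    """Count BEGIN lines the strict pattern rejected (wrong hyphen count, odd label)."""
    begin_lines = [ln for ln in text.splitlines() if "BEGIN " in ln]
    return len(begin_lines) - len(pem_objects(text))


if __name__ == "__main__":
    for name, sample in (("fullchain", SAMPLE_FULLCHAIN), ("bad", SAMPLE_BAD)):
        print(f"{name}: {unmatched_begin_lines(sample)} unmatched BEGIN line(s)")
        for obj in pem_objects(sample):
            status = "ok" if obj["ok"] else obj["problem"]
            print(f"  {obj['label']}: {obj['der_bytes']} DER bytes, {status}")
```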

How to Fix the “SSL Handshake Failed” and “Cloudflare 525” Error (5 Methods)

Installing a Secure Sockets Layer (SSL) certificate on your WordPress site enables it to use HTTPS to ensure secure connections. Unfortunately, there are a variety of things that can go wrong in the process of confirming a valid SSL certificate and making a connection between your site’s server and a visitor’s browser.

If you’ve encountered an “SSL Handshake Failed” error message and are confused as to what it means, you’re not alone. It’s a common error that doesn’t tell you much on its own. While this can be a frustrating experience, the good news is that there are simple steps you can take to resolve the issue.

In this post, we’ll explain what the SSL Handshake Failed error is and what causes it. Then we’ll provide you with several methods you can use to fix it.

Let’s get started!

An Introduction to the SSL Handshake

Before we dig deeper into what causes a TLS or SSL handshake failure, it’s helpful to understand what the TLS/SSL handshake is. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols used to authenticate data transfers between servers and external systems such as browsers.

SSL certificates are needed in order to secure your website using HTTPS. We won’t get too in-depth about the difference between TLS vs SSL since it’s a minor one. The terms are often used interchangeably, so for simplicity’s sake, we’ll use “SSL” to refer to both.

With that out of the way, an SSL handshake is the first step in the process of establishing an HTTPS connection. To authenticate and establish the connection, the user’s browser and the website’s server must go through a series of checks (the handshake), which establish the HTTPS connection parameters.

Let us explain: the client (typically the browser) sends a request for a secure connection to the server. The server responds with its certificate, which carries its public key, and the client checks that certificate against its list of trusted certificates. The client then generates a session key and encrypts it using the public key from the server's certificate.

To make a long story short, without the SSL handshake, a secure connection won’t be made. This can pose a significant security risk. Plus, there are a lot of moving parts involved in the process.

That means there are many different opportunities for something to go wrong and cause a handshake failure, or even lead to the “your connection is not private” error, causing visitors to leave.


Understanding What Causes SSL Handshake Failures

An SSL Handshake Failure or Error 525 means that the server and browser were unable to establish a secure connection. This can happen for a variety of reasons.

Generally, an Error 525 means that the SSL handshake between a domain using Cloudflare and the origin web server failed:

[Screenshot: Cloudflare Error 525 "SSL handshake failed" page]

However, it’s also important to understand that SSL errors can happen on the client-side or the server-side. Common causes of SSL errors on the client-side include:

  • The wrong date or time on the client device.
  • An error with the browser configuration.
  • A connection that is being intercepted by a third party.

Some server-side causes include:

  • A cipher suite mismatch.
  • A protocol used by the client that isn’t supported by the server.
  • A certificate that is incomplete, invalid, or expired.

Typically, if the SSL handshake fails, the issue can be attributed to something wrong with the website or server and their SSL configurations.

How to Fix the SSL Handshake Failed Error (5 Methods)

There are several potential causes behind the “SSL Handshake Failed” error. So there’s no simple answer when it comes to how you should fix it.

Fortunately, there are a handful of methods you can use to begin exploring potential issues and resolving them one by one. Let’s take a look at five strategies you can use to try and fix the SSL Handshake Failed error.

1. Update Your System Date and Time

Let’s start with one of the more unlikely causes, but one that is incredibly easy to correct if it is the problem: your computer’s clock.

If your system is using the wrong date and time, that may interrupt the SSL handshake. When the system clock is different than the actual time, for example, if it’s set too far into the future, it can interfere with the SSL certificate verification.

Your computer’s clock might have been set incorrectly due to human error or simply due to a glitch in your settings. Whatever the reason, it’s a good idea to check and make sure your system time is correct, and update it if it’s not.

Of course, if your clock is showing the correct information, it’s safe to assume that this isn’t the source of the “SSL Handshake Failed” issue.

2. Check to See If Your SSL Certificate Is Valid

Expiration dates are placed on SSL certificates, to help make sure their validation information remains accurate. Generally, the validity of these certificates lasts for anywhere between six months and two years.

If an SSL certificate is revoked or expired, the browser will detect this and be unable to complete the SSL handshake. If it’s been more than a year or so since you installed an SSL certificate on your website, it might be time to reissue it.

To view the status of your SSL certificate, you can use an SSL certificate checker tool such as the one offered by Qualys:

[Screenshot: Qualys SSL Labs server test]

This tool is both reliable and free to use. All you need to do is input your domain name into the Hostname field, and then click on Submit. Once the checker is done analyzing your site’s SSL configuration, it will present you with some results:

[Screenshot: SSL certificate status in the test results]

On this page, you can find out if your certificate is still valid and see if it has been revoked for any reason.

In either case, updating your SSL certificate should resolve the handshake error (and is vital for keeping your site and your WooCommerce store secure).

3. Configure Your Browser for the Latest SSL/TLS Protocol Support

Sometimes the best way to determine the root cause of an issue is by process of elimination. As we mentioned earlier, the SSL handshake failure can often occur due to a browser misconfiguration.

The quickest way to determine whether a particular browser is the problem is to try switching to a different one. This can at least help narrow down the problem. You may also try disabling any plugins and resetting your browser back to its default settings.

Another potential browser-related issue is a protocol mismatch. For example, if the server only supports TLS 1.2, but the browser is only configured for TLS 1.0 or TLS 1.1, there's no mutually supported protocol available. This will inevitably lead to an SSL handshake failure.

How you can check to see if this problem is occurring varies based on the browser you’re using. As an example, we’ll look at how the process works in Chrome. First, open your browser and go to Settings > Advanced. This will expand a number of menu options.

Under the System section, click on Open your computer’s proxy settings:

[Screenshot: Chrome System section, "Open your computer's proxy settings"]

This will open up a new window. Next, select the Advanced tab. Under the Security section, check to see if the box next to Use TLS 1.2 is selected. If not, check that option:

[Screenshot: Internet Properties, Advanced tab, "Use TLS 1.2" checkbox]

It’s also recommended that you uncheck the boxes for SSL 2.0 and SSL 3.0.

The same applies to TLS 1.0 and TLS 1.1 since they are being phased out. When you’re done, click on the OK button, and check to see if the handshake error has been resolved.

Note that if you’re using Apple Safari or Mac OS there isn’t an option to enable or disable SSL protocols. TLS 1.2 is automatically enabled by default. If you’re using Linux, you can refer to the Red Hat guide on TLS hardening.

4. Verify That Your Server Is Properly Configured to Support SNI

It’s also possible that the SSL handshake failure is being caused by improper Server Name Indication (SNI) configuration. The SNI is what enables a web server to securely host several TLS certificates for one IP address.

Each website on a server has its own certificate. However, if the server isn’t SNI-enabled, that can result in an SSL handshake failure, because the server may not know which certificate to present.

There are a few ways to check and see whether a site requires SNI. One option is to use Qualys’ SSL Server Test, which we discussed in the previous section. Input your site’s domain name, and then click on the Submit button.

On the results page, look for a message that reads “This site works only in browsers with SNI support”:

[Screenshot: "This site works only in browsers with SNI support" message in the Qualys results]

Another approach for detecting if a server is using SNI is to browse the server names in the ‘ClientHello’ message. This is a more technical process, but it can offer a lot of information.

It involves checking the extended hello header for a ‘server_name’ field, to see if the correct certificates are presented.

If you’re familiar with using tools such as the OpenSSL toolkit and Wireshark, you might find this method preferable. You can use with and without the option:

If you get two different certificates with the same name, it means that the SNI is supported and properly configured.

However, if the output in the returned certificates is different, or the call without SNI cannot establish an SSL connection, it indicates that SNI is required but not correctly configured. Resolving this issue may require switching to a dedicated IP address.

5. Make Sure the Cipher Suites Match

If you still haven’t been able to identify the cause of the SSL handshake failure, it might be due to a cipher suite mismatch. In case you’re unfamiliar with the term, ‘cipher suites’ refer to a set of algorithms, including ones for key exchange, bulk encryption, and message authentication code, that can be used for securing SSL and TLS network connections.

If the cipher suites that a server uses don’t support or match what’s used by Cloudflare, that can result in an “SSL Handshake Failed” error.

When it comes to figuring out whether there is a cipher suite mismatch, Qualys’ SSL Server Test proves yet again to be a useful tool.

When you input your domain and click on Submit, you’ll see a summary analysis page. You can find the cipher information under the Cipher Suites section:

[Screenshot: Cipher Suites section of the Qualys results]

You can use this page to discover which ciphers and protocols the server supports. You’ll want to look out for any that display the ‘weak’ status. In addition, this section also details the specific algorithms for the cipher suites.

To correct this issue, you can compare the results against what your browser supports by using the Qualys SSL/TLS Capabilities of Your Browser tool. For more extensive information and guidance about cipher suites, we also recommend checking out the ComodoSSLStore guide.


Summary

One of the most perplexing yet common types of SSL-related problems is the “SSL Handshake Failed” error. Dealing with this error can be stressful since it has many potential causes, including both client- and server-side issues.

However, there are some reliable solutions you can use to identify the problem and resolve it. Here are five ways you can use to fix the SSL Handshake Failed error:

  1. Update your system date and time.
  2. Check to see if your SSL certificate is valid (and reissue it if necessary).
  3. Configure your browser to support the latest TLS/SSL versions.
  4. Verify that your server is properly configured to support SNI.
  5. Make sure the cipher suites match.


SSL Problem.

The default "timeout" is 60. You can lower it if you want; I wouldn't want to linger below 20s, but it's up to you.
If you do lower the global timeout setting, then there are other per-step timeouts, e.g.:

Code:

so just make sure those are below whatever your "timeout" is set to, and that will prevent those warnings.

As for "Can't connect to ssl!", this can happen if a client connects to http on the https:2222 port. DA does catch this and will redirect to https.
However, DA is only assuming that's what's happening, and the redirect is a guess. There could actually be some ssl error, in which case we'd want to know that, hence the log. If you cross-reference your 2020-Jan-31.log for the 12:47:02 timestamp, you might catch the IP that's doing it, and thus be able to let them know to try an https URL instead. I could add a da.conf option, if there is any demand for it, to simply stop logging the SSL errors, assuming it's the http issue.

 

Replies

 

I created an example of the exact code you are looking for (WebSocket NWListener using TLS-PSK) in the sample project for Configuring a Wi-Fi Accessory to Join the User’s Network. Here is a small sample of this:

 

I am currently trying to resolve the Error: 4939879480:error:100000b8:SSL routines:OPENSSL_internal:NO_SHARED_CIPHER error. Am I missing an option here? Any help would be appreciated.

        return tlsOptions

    }

 

I am currently trying to resolve Error: 4939879480:error:100000b8:SSL routines:OPENSSL_internal:NO_SHARED_CIPHER error.

One thing you could try here is taking a packet trace to see what the server is trying to negotiate. There is an entire block of cipher suites supported from RFC 5487 so maybe those have to be shuffled around a bit. As a side note, you'll also want to make sure that your server you are connecting to is using TLS 1.2 and not TLS 1.3. PSK support for TLS 1.3 uses a different set of ciphers and takes an entirely different code path through the TLS library than TLS 1.2 does, specifically regarding context callbacks versus early data. That is a whole other discussion though :-)

 

hello,

So I set max TLS to 1.2 and am trying to use the terminal for a packet trace. However, I never really did packet tracing in the past, as I rarely dealt with the server side. I only studied a fundamental networking course in uni and I mostly worked front-end, so doing server-related setup is very new to me. Can you give me some advice on how to search for the packet that I need to be looking for? Is there an easier program that I can use other than "sudo tcpdump -I en0 -n"? Maybe I am doing the packet trace wrong if I am running both apps on the same macOS?

I appreciate your help!

The error I get for server side app

error I get from client app

 

Is there an easier program that I can use other than "sudo tcpdump -I en0 -n"?

Using and then a packet analysis tool of your choice is the way to go here. I use Wireshark for viewing the packets, but you'll have to use the tool that works for you. Also, check out this article.

Regarding:

Maybe I am doing the packet trace wrong if I am running both apps on the same macOS?

So it sounds like the client and server are on the same machine, correct? If so, that helps a lot in terms of what TLS backend the server is using.

Regarding the logs, typically what happens is that your client initiates the TLS handshake and presents a set of ciphers (along with a lot of other things) that it can negotiate. The server takes a look at this and tries to decide upon which set of parameters it will negotiate for the handshake, and it notifies the client with a server hello. In the case of PSK-TLS a few other things happen here and then encrypted data is exchanged. Now, when you see this on the client and then this on the server, this is a strong indication that the exchange of information for a cipher suite could not be agreed upon. This would be the first place to look. Try letting the TLS backend negotiate its own cipher suite and do not pin a cipher to the context. Does that get you anywhere further?

 

Hello, Thanks for the replies

I've been using Wireshark to check the packets.

I have a list of cipher suites that the client is sending. Now the problem is, I am not certain how to "let the TLS backend negotiate its own cipher suite and not pin a cipher to the context". I am not certain if my code is pinning a cipher to the context via sec_protocol_options_append_tls_ciphersuite. Would you elaborate on this part further?

Below is the client's cipher suite list. This client is different from the one I used on my macOS client; this was sent remotely from Windows from the proper client that we have used.

 

I am not certain how to "let the TLS backend negotiate its own cipher suite and not pin a cipher to the context". I am not certain if my code is pinning a cipher to the context via sec_protocol_options_append_tls_ciphersuite. Would you elaborate on this part further?

Sure, just don't set a cipher suite on either side of the connection and let BoringSSL do this work for you.

Regarding the list of ciphers you added: this looks like the problem, in that there are no PSK-TLS cipher suites in what the client is sending to negotiate. Now, you had mentioned:

This was sent remotely from Windows from the proper client that we have used.

I thought this was running both the client and server on the same machine? Is that not the case?

 

Here is the cipher list of the client that is run on my local machine.

I also see that ask is not included, so from my code, I commented out sec_protocol_options_add_pre_shared_key, but same no shared cipher error occurs.
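As an added example (not code from Kinsta, Apple, or any of the forum posters), the following parser pulls out of a raw ClientHello record the two facts both discussions above turn on: the server_name (SNI) field that method 4 says to look for, and the list of offered cipher suites, so you can see at once whether a client sends any RFC 5487 PSK suites, which is what the NO_SHARED_CIPHER thread found missing. The ClientHello is constructed inline rather than captured, and the suite numbers are the IANA-registered values.

```python
"""Parse a TLS ClientHello: protocol version, offered cipher suites, SNI names.

What a packet trace would show you, done on bytes: the server_name extension
tells you which certificate the client expects, and the cipher-suite list
tells you whether a PSK handshake can even be negotiated.
"""
import struct

SNI_EXTENSION = 0x0000
# RFC 5487 registers the SHA-256/SHA-384 PSK suites as 0x00A8 through 0x00B9.
PSK_SUITES_RFC5487 = range(0x00A8, 0x00BA)
SUITE_NAMES = {                       # a few IANA names, for readable output
    0x00A8: "TLS_PSK_WITH_AES_128_GCM_SHA256",
    0x00AE: "TLS_PSK_WITH_AES_128_CBC_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}


def build_client_hello(host: str, suites: list) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not captured traffic)."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name       # name_type 0 = host_name
    sni_data = struct.pack(">H", len(sni_entry)) + sni_entry        # ServerNameList
    ext = struct.pack(">HH", SNI_EXTENSION, len(sni_data)) + sni_data
    body = (
        b"\x03\x03"                                                 # client_version TLS 1.2
        + b"\x11" * 32                                              # random (fixed, constructed)
        + b"\x00"                                                   # empty session_id
        + struct.pack(">H", 2 * len(suites))
        + b"".join(struct.pack(">H", s) for s in suites)
        + b"\x01\x00"                                               # compression: null only
        + struct.pack(">H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake  # TLS record


def parse_client_hello(record: bytes) -> dict:
    """Return {'version', 'cipher_suites', 'server_names'} from one ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:                       # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                                # 0x01 = client_hello
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                                       # skip random
    pos += 1 + body[pos]                                            # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                            # skip compression methods
    names = []
    if pos + 2 <= len(body):                                        # extensions are optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == SNI_EXTENSION:
                list_len = struct.unpack(">H", data[:2])[0]
                p = 2
                while p + 3 <= 2 + list_len:
                    ntype = data[p]
                    nlen = struct.unpack(">H", data[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:                                  # host_name entry
                        names.append(data[p:p + nlen].decode("ascii"))
                    p += nlen
    return {"version": version, "cipher_suites": suites, "server_names": names}


def offers_psk(parsed: dict) -> bool:
    """True if the client offers at least one RFC 5487 PSK suite (a TLS 1.2 PSK server needs one)."""
    return any(s in PSK_SUITES_RFC5487 for s in parsed["cipher_suites"])


if __name__ == "__main__":
    for host, suites in (("example.com", [0xC02F, 0xC02B, 0x1301]),
                         ("accessory.local", [0x00A8, 0x00AE])):
        info = parse_client_hello(build_client_hello(host, suites))
        print(host, "SNI:", info["server_names"],
              "suites:", [SUITE_NAMES.get(s, hex(s)) for s in info["cipher_suites"]],
              "PSK offered:", offers_psk(info))
```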

Installed self-signed SSL certificates, Apache won't start

I'm trying to build a website which requires the Stripe payment gateway, and therefore requires SSL. I'm using XAMPP on Windows 10. After generating an SSL certificate and key pair and installing them in Apache, Apache no longer starts.

I'm attaching a few error messages and configs. Please help.

This is the message in the Apache error log. It no longer reproduces these error messages, so something must have changed. I think I tried generating the certificate and key via a different method, but Apache still won't start.

This is the error I get when trying to start Apache from command line.

Here is the error that was posted in XAMPP Control Dialog.

This is what is in httpd-vhosts.conf. I'm trying to set up SSL for loc1.dev.

This is what I have in httpd-ssl.conf

This is what is in my hosts file (C:\Windows\System32\drivers\etc\hosts).

Am I missing anything?

asked Feb 20, 2017 at 22:14


Roundcube STARTTLS error SSL alert number 45

I’m working with a Postfix/Dovecot/Roundcube setup, aiming for a virtual user mail system that can send mail through the internet.

Everything seems to work well; Dovecot shows no problems and I can telnet into all of my ports; however, whenever I try to send mail through Roundcube I get the error:

SMTP Error (220): Authentication failed.

In the Roundcube logs:

[22-Jan-2022 05:27:31 +0000]: SMTP Error: SMTP error: Authentication failure: STARTTLS failed (Code: ) in /usr/share/webapps/roundcubemail/program/lib/Roundcube/rcube.php on line 1505 (POST /roundcube/?_task=mail&_unlock=loading1421472451594&_lang=en_US&_framed=1?_task=mail&_action=send)

As Postfix is responsible for SMTP I also checked /var/log/maillog :

Jan 22 21:14:35 steelhorse postfix/smtpd[18426]: disconnect from localhost.localdomain[127.0.0.1]
Jan 22 21:14:35 steelhorse postfix/smtpd[18426]: lost connection after STARTTLS from localhost.localdomain[127.0.0.1]
Jan 22 21:14:35 steelhorse postfix/smtpd[18426]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1293:SSL alert number 45
Jan 22 21:14:35 steelhorse postfix/smtpd[18426]: SSL_accept error from localhost.localdomain[127.0.0.1]: 0

To fix this add the following lines in Roundcube’s config:

$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ),
);

After saving the file, try to connect again.

Good luck!


SSL Problem.

The default "timeout" is 60. you can lower it if you want, I wouldn't want to linger below ssl library error 45. but it's up to you.
If you do lower the global timeout setting, then there are other per-step timeouts, eg:

Code:

so just make sure those are below whatever your "timeout" is set to, and that will prevent those warnings.

As for "Can't connect to ssl!", this can happen if a client connect to http on the https:2222 port. DA does catch this and will redirect to https.
However, DA is only assuming that's what's happening, and the redirect is a guess. There could actually be some ssl error, in which case we'd want to know that, hence the log. If you cross reference your 2020-Jan-31.log, for the 12:47:02 timestamp, you might catch the IP that's doing it. thus be able to let them know to try an https URL instead, ssl library error 45. I could add a da.conf option, if there is any demand for it, to simply stop logging the SSL errors, assuming it's the http issue.

 

Replies

 

I created an example of the exact code you are speedcore terror gabber download for (WebSocket NWListener using TLS-PSK) in the sample project for Configuring a Wi-Fi Accessory to Join the User’s Network. Here is a small sample of this:

 

I am currently trying to resolve Error: 4939879480:error:100000b8:SSL routines:OPENSSL_internal:NO_SHARED_CIPHER error. Am I missing an option here? any help would be appreciated.

        return tlsOptions

    }

 

I am currently trying to resolve Error: 4939879480:error:100000b8:SSL routines:OPENSSL_internal:NO_SHARED_CIPHER error.

One thing you could try here is taking a packet trace to see what the server is trying to negotiate. There is an entire block of cipher suites supported from RFC 5487 so maybe those have to be shuffled around a bit. As a side note, you'll also want to make sure that your server you are connecting to is using TLS 1.2 and not TLS 1.3. PSK support for TLS 1.3 uses a different set of ciphers and takes an entirely different code path through the TLS library than TLS 1.2 does, specifically regarding context callbacks versus early ssl library error 45. That is a whole other discussion though :-)

 

hello,

so I set max tls to 1.2 and trying to use terminal for packet trace. However, I never really did packet tracing in the past as I rarely dealt server side. I only studied fundamental network course in uni and I mostly worked front-end, so doing server related set up is very new to me. Can you give me an advise on how to search the packet that I need to be looking for? is there easier program that I can use other than using "sudo tcpdump -I en0 -n"? Maybe I am doing the packet trace wrong if I am running both app on the same MacOS?

I appreciate your help!

The error I get for server side app

error I get from client app

 

is there easier program that I can use other than using "sudo tcpdump -I en0 -n"? 

Using and then a packet analysis tool of your choice is the way to go here. I use Wireshark, for viewing the packets, but you'll have to use the tool that works for you, ssl library error 45. Also, checkout this article.

Regarding:

Maybe I am doing the packet trace wrong if I am running both app on the same MacOS?

So it sounds like the client and server are on the same machine, correct? If so, that helps a lot in terms of what TLS backend the server is using.

Regarding the logs, typically what happens is that your client initiates the TLS handshake and presents a set of ciphers (along with a lot of other things) that it can negotiate. The server takes a look at this and tries to decide upon which set of parameters it will negotiate for the handshake and it notifies the client with a server hello. In the case of PSK-TLS a few other things happen here and then encrypted data is exchanged. Now, when you see this on the client and then this on the server this is a strong indication that the exchange of information for a cipher suite could not be agreed upon. This would be the first place to look. Try letting the TLS backend negotiate it's own cipher suite and do not pin a cipher to the context. Does that get you anywhere further?

 

Hello, Thanks for the replies

I been using Wireshark to check the packets.

I have a list of cipher suit that client is sending. Now the problem is, I am not certain how to do "TLS backend negotiate it's own cipher suite and do not pin a cipher to the context". I am not certain if my code is pinning a cipher to the context via sec_protocol_options_append_tls_ciphersuite. Would you elaborate this part further?

below is the client's cipher suit, ssl library error 45. this client is different from what I used on my macOS client. this was sent from Windows remotely from proper client that we have used.

 

I am not certain how to do "TLS backend negotiate it's own cipher suite and do not pin a cipher to the context". I am not certain if my code is pinning a cipher to the context via sec_protocol_options_append_tls_ciphersuite. Would you elaborate this part further?

Sure, just don't set a cipher suite on either side of the connection and let BoringSSL do this work for you.

Regarding the list of ciphers you added; this looks like the problem, in that there are no PSK-TLS cipher suites in the list the client is sending to negotiate. Now, you had mentioned:

this was sent from Windows remotely from proper client that we have used.

I thought this was running both the client and server on the same machine? Is that not the case?

 

Here is the cipher list of the client that is run on my local machine.

I also see that PSK is not included, so in my code I commented out sec_protocol_options_add_pre_shared_key, but the same "no shared cipher" error occurs.
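The "no shared cipher" situation discussed in this thread comes down to a set intersection: the server can only pick a suite that is both in the ClientHello and on its own allowed list. The following added example (not code from the thread or from Apple's Network.framework) decodes a ClientHello cipher_suites vector as Wireshark would show it and explains why a server pinned to a TLS 1.2 PSK suite cannot proceed; the sample client lists and the pinned server list are constructed.

```python
import struct
from typing import Dict, List

# IANA code points for a representative subset of PSK cipher suites
# (RFC 4279, RFC 5487, RFC 5489, RFC 7905, RFC 8442). Extend as needed.
PSK_SUITES: Dict[int, str] = {
    0x008C: "TLS_PSK_WITH_AES_128_CBC_SHA",
    0x008D: "TLS_PSK_WITH_AES_256_CBC_SHA",
    0x00A8: "TLS_PSK_WITH_AES_128_GCM_SHA256",
    0x00A9: "TLS_PSK_WITH_AES_256_GCM_SHA384",
    0x00AE: "TLS_PSK_WITH_AES_128_CBC_SHA256",
    0xC035: "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
    0xC036: "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
    0xC037: "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
    0xCCAB: "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAC: "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xD001: "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256",
}
# TLS 1.3 suites carry no key-exchange name: a TLS 1.3 PSK handshake uses the
# pre_shared_key extension with one of these, not a dedicated PSK suite.
TLS13_SUITES = {0x1301, 0x1302, 0x1303}


def parse_cipher_suites(field: bytes) -> List[int]:
    """Decode a ClientHello cipher_suites vector: 2-byte length, then 2-byte suites."""
    if len(field) < 2:
        raise ValueError("cipher_suites vector shorter than its length prefix")
    (length,) = struct.unpack("!H", field[:2])
    body = field[2:2 + length]
    if len(body) != length or length % 2:
        raise ValueError("truncated or odd-length cipher_suites vector")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def shared_suites(offered: List[int], server_allowed: List[int]) -> List[int]:
    """The server picks from this intersection; an empty result is 'no shared cipher'."""
    allowed = set(server_allowed)
    return [c for c in offered if c in allowed]


def diagnose(offered: List[int], server_allowed: List[int]) -> str:
    """Explain why a PSK handshake did or did not have a suite to negotiate."""
    common = shared_suites(offered, server_allowed)
    psk_offered = [PSK_SUITES[c] for c in offered if c in PSK_SUITES]
    if common:
        return "negotiable: " + ", ".join(PSK_SUITES.get(c, f"0x{c:04X}") for c in common)
    if not psk_offered and not (TLS13_SUITES & set(offered)):
        return "no shared cipher: client offers no PSK suite and no TLS 1.3 suite"
    if not psk_offered:
        return "no shared cipher: client offers TLS 1.3 suites only; server pins TLS 1.2 PSK suites"
    return "no shared cipher: client PSK suites do not overlap the server's pinned list"


def encode(suites: List[int]) -> bytes:
    """Build a cipher_suites vector (used here only to construct sample input)."""
    return struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", c) for c in suites)


# Constructed samples, not captures from the thread: a typical Windows client
# list with no PSK suites, and a list with one ECDHE-PSK suite added.
CLIENT_NO_PSK = encode([0x1301, 0x1302, 0xC02B, 0xC02F, 0xC02C, 0xC030, 0x009C, 0x002F])
CLIENT_WITH_PSK = encode([0x1301, 0xC02B, 0xD001, 0x002F])
# Hypothetical server that pins a single TLS 1.2 PSK suite via the context.
SERVER_PINNED = [0xD001]
```

Running `diagnose(parse_cipher_suites(CLIENT_NO_PSK), SERVER_PINNED)` reproduces the thread's situation; letting the backend negotiate instead of pinning widens `SERVER_PINNED` so the intersection is no longer empty.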

DLm Console certificate install fails, unable to restart apache

DLm Console Certificate update

Note: This KB has been reviewed and is now Obsolete.
Please Do NOT use this resolution on any of the Disk Library Products mentioned. The resolution removes needed security checking for the DLm.
We are marking this copy OBSOLETE because older hardcopies may be available, or CEs may remember this incorrect resolution.


During the upgrade of a DLm Console site certificate (see "How to update DLm site certificates"), the installation of the certificate fails attempting to restart the apache web server:

This condition renders the DLm Console inaccessible, even from the VTE desktop.

vte2:/tmp/csr # rcapache2 restart
httpd2-prefork: Could not reliably determine the server's fully qualified domain name, using 192.168.100.20 for ServerName
Syntax OK
Shutting down httpd2 (waiting for all children to terminate) done
Starting httpd2 (prefork) httpd2-prefork: Could not reliably determine the server's fully qualified domain name, using 192.168.100.20 for ServerName
startproc: exit status of parent of /usr/sbin/httpd2-prefork: 1

From the /var/log/apache2/error_log  

[Wed Sep 13 14:39:45 2017] [error] Unable to verify certificate 'DLmServerCert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

[Wed Sep 13 14:39:45 2017] [error] Unable to verify certificate 'DLmServerCert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

[Wed Sep 13 14:39:45 2017] [error] SSL Library Error: -8179 Certificate is signed by an unknown issuer

[Wed Sep 13 14:39:45 2017] [error] Unable to verify certificate 'DLmServerCert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

[Wed Sep 13 14:39:45 2017] [error] SSL Library Error: -8179 Certificate is signed by an unknown issuer

[Wed Sep 13 14:39:45 2017] [error] Unable to verify certificate 'DLmServerCert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

[Wed Sep 13 14:39:46 2017] [error] SSL Library Error: -8179 Certificate is signed by an unknown issuer

[Wed Sep 13 14:39:46 2017] [error] SSL Library Error: -8179 Certificate is signed by an unknown issuer

[Wed Sep 13 14:39:46 2017] [error] SSL Library Error: -8179 Certificate is signed by an unknown issuer

[Wed Sep 13 14:39:46 2017] [error] Unable to verify certificate 'DLmServerCert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

[Wed Sep 13 14:39:46 2017] [error] Unable to verify certificate 'DLmServerCert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

[Wed Sep 13 14:39:46 2017] [error] Unable to verify certificate 'DLmServerCert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

Cause

A self signed certificate was installed on the DLm, exposing a problem with the DLm Certificate install process.

Resolution

THIS ARTICLE IS OBSOLETE!
Please Do NOT use this resolution on any of the Disk Library Products mentioned. The resolution removes needed security checking for the DLm.
We are marking this copy OBSOLETE because older hardcopies may be available, or CEs may remember this incorrect resolution.





Installed self-signed SSL certificates, Apache won't start

I'm trying to build a website which requires the Stripe payment gateway, and therefore requires SSL. I'm using XAMPP on Windows 10. After generating SSL certificate and key pair and installing in Apache, Apache no longer starts.

I'm attaching a few error messages and configs. Please help.

This is the message in the Apache error log. It no longer reproduces these error messages, so something must've changed. I think I tried generating the certificate and key via a different method. Apache still won't start.

This is the error I get when trying to start Apache from command line.

Here is the error that was posted in XAMPP Control Dialog.

This is what is in httpd-vhosts.conf. I'm trying to setup SSL for loc1.dev.

This is what I have in httpd-ssl.conf

This is what is in my hosts file (C:\Windows\System32\drivers\etc\hosts).

Am I missing anything?

asked Feb 20, 2017 at 22:14


Let's Encrypt Community Support

Hi @Maturity,

You can use commands to see what’s in the files.

to view a file that you think contains a certificate, and

to view the public key associated with a file that you think contains an RSA private key. (I didn't suggest the commands to view the private key directly because I think this risks having people share the private key or having other people be in a position to see it, and there's normally no reason that you have to look at the actual secrets in order to confirm that something is a private key.)

You could try using these on the various files in question to see what they contain. Another option for PEM-formatted files in general is

(the exact number of hyphens is important here!) in order to see what kinds of PEM objects are present in without looking at their contents.

The one important limitation of the commands above is that is only willing to look at the first object in a file that contains multiple objects. So for example if you used the command I suggested on the Certbot-generated it would only show the end-entity (leaf) certificate, not the intermediate (issuer) certificate, even though both are present one after another in the same file.
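To see every object in a PEM file rather than just the first, the following added example (not part of the answer above, and not an openssl command) enumerates the BEGIN/END-delimited objects in a bundle laid out the way Certbot's fullchain file is (leaf first, then intermediate), checks that each body is valid base64, and flags a private key sitting in the same file. The sample bundle is constructed; its bodies encode placeholder strings, not real DER.

```python
import base64
import re
from typing import List, Tuple

# One PEM object: matching BEGIN/END labels around a base64 body. The label
# capture deliberately requires the exact five-hyphen framing.
PEM_OBJECT = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S
)


def list_pem_objects(text: str) -> List[Tuple[int, str, int]]:
    """Return (index, label, decoded_size) for every PEM object in text, in order."""
    found = []
    for i, m in enumerate(PEM_OBJECT.finditer(text)):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError(f"object {i}: BEGIN {begin} closed by END {end}")
        # validate=True rejects stray characters that a lenient decoder would skip
        der = base64.b64decode("".join(body.split()), validate=True)
        found.append((i, begin, len(der)))
    return found


def first_object_label(text: str) -> str:
    """What a single-object tool acts on: only the first object in the file."""
    objs = list_pem_objects(text)
    if not objs:
        raise ValueError("no PEM objects found")
    return objs[0][1]


def check_bundle(text: str) -> List[str]:
    """Findings worth knowing before deploying or sharing a PEM file."""
    labels = [label for _, label, _ in list_pem_objects(text)]
    findings = []
    certs = labels.count("CERTIFICATE")
    if certs > 1:
        findings.append(f"{certs} certificates: single-object tools show only the first")
    if any("PRIVATE KEY" in label for label in labels):
        findings.append("contains a private key: do not share this file when asking for help")
    return findings


# Constructed sample in fullchain layout (leaf, then intermediate) plus a stray
# key. Bodies are base64 of placeholder strings ("LEAFCERT", "INTERMEDIATE",
# "KEY"), so nothing here parses as a real certificate.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
TEVBRkNFUlQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
S0VZ
-----END RSA PRIVATE KEY-----
"""
```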

Error: "SSL Library Error 45" on Secure Gateway

Symptoms or Error

Users intermittently get disconnected and the SSL Library Error 45 appears in the event log.

In the event logs of Citrix Secure Gateway, the following error is displayed prior to Secure Gateway 3.3.1:
"SSL library error 45 on <Secure Gateway FQDN>:443 with peer <Client IP>: The cryptographic security of the SSL connection has been compromised".

After the installation of Secure Gateway 3.3.1, the following error might appear:
"SSL Library error 45 on <Secure Gateway FQDN>:443 with peer <Client IP>: An unclassified SSL protocol error occurred. (error code: error:140943FC:lib(20):func(148):reason(1020))"


Solution

If you are on Secure Gateway 3.3.1 then upgrade to Secure Gateway 3.3.2. Also ensure that you are using the latest version of Receiver, XenApp and XenDesktop. If the Secure Gateway still continues to report SSL Library Error 45 on the event log and on its error.log files, complete the following steps to troubleshoot the issue:

Enable Logging

  1. Ensure All events including informational is selected in the Secure Gateway Configuration wizard to increase the level of Secure Gateway logging.

    User-added image

  2. Select Enable session reliability on the Web Interface site and Services site to handle any type of network related issues affecting these users. The session is halted momentarily instead of being closed.

    User-added image

  3. Enable extra display columns in Secure Gateway management console to see that user sessions are using the session reliability port (default 2598) in the Server column.

    User-added image

  4. Close the Secure Gateway management console, make the following registry changes, and open the Secure Gateway management console to view the extra display columns.
    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

    64-bit machines

    32-bit machines

    To show the server and resource columns in the session information
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CitrixSecureGateway\3.3
    Name: ShowServerAndAppForSession
    Type: DWORD
    Data: 1

    To show the server and resource columns in the session information
    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CitrixSecureGateway\3.3
    Name: ShowServerAndAppForSession
    Type: DWORD
    Data: 1

    To show the time idle column in the session information
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CitrixSecureGateway\3.3
    Name: ShowTimeIdleForSession
    Type: DWORD
    Data: 1

    To show the time idle column in the session information
    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CitrixSecureGateway\3.3
    Name: ShowTimeIdleForSession
    Type: DWORD
    Data: 1

Implementing the preceding changes helps in gathering data for quick review of the users impacted by the SSL Library Error 45.

Collecting Logs

Open the Error<todays date>.log from \program files*\citrix\secure gateway\logs and search for the SSL Library Error 45 message.

  1. Note the time when it occurred and also examine the other logs that are generated around the same time. The following is a sample log for your reference.

    [Wed May 16 16:57:29 2012] [error] SSL Library Error 45 on <SG Fqdn>:443 with peer <Client IP>: An unclassified SSL protocol error occurred. (error code: error:140943FC:lib(20):func(148):reason(1020))
    [Wed May 16 16:57:29 2012] [info] CGP forwarding session stopped: client IP [x.x.x.x:<random port>], username [[email protected]], destination server [x.x.x.x:2598], resource [<published app>].
  2. The preceding lines are important because they show you the time of occurrence (Wed May 16 16:57:29 2012) in addition to the user IP address (client IP address [x.x.x.x:<random port>]) and name (username [[email protected]]).

  3. Note the user account and IP address of the alleged workstation, then contact the user to note whether any event was written into the Application event log and whether the user recalls their last actions for the session. Verify whether the workstation time of the user matches that of the Secure Gateway, if in the same time zone; otherwise, match the minutes:seconds to get the correct reading of the Application log.

  4. Upon Citrix technical support request, furnish this example table, which should be used to keep track of these users and any patterns observed for the issue.

    Column                                              Example entry
    User information                                    [Wed May 16 16:57:29 2012] [info] CGP forwarding session stopped: client IP [x.x.x.x:<random port>], username [[email protected]], destination server [x.x.x.x:2598], resource [<published app>].
    Workstation OS release and patches
    Citrix Receiver Client version
    XenApp / XenDesktop Versions and hotfixes
    Client workstation and Secure Gateway Time Matched

  5. Gather CDF tracing from the latest Receiver installation on the user's workstation using the article CTX124934 - How to Enable Additional Client Logging and Collect Client-Side CDF Traces for Citrix Receiver.
    This information helps Citrix in any additional discovery against ongoing SSL Library Error 45 occurrences in your environment.
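Steps 1 to 4 above amount to a small correlation job: find each SSL Library Error 45 line, then pull the time, client IP, username, destination server and resource from the "CGP forwarding session stopped" line logged for the same peer at about the same time. The following added example (not from the Citrix article) does that over an Error<date>.log excerpt and also records whether the session was on the session reliability port 2598; the log lines are constructed with placeholder addresses and names in the format the article shows, and the 5-second matching window is an assumption.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample modelled on the KB's excerpt. Addresses are from the
# RFC 5737 documentation ranges and names are placeholders, not real data.
SAMPLE_LOG = """\
[Wed May 16 16:57:29 2012] [error] SSL Library Error 45 on sg.example.com:443 with peer 192.0.2.10: An unclassified SSL protocol error occurred. (error code: error:140943FC:lib(20):func(148):reason(1020))
[Wed May 16 16:57:29 2012] [info] CGP forwarding session stopped: client IP [192.0.2.10:51234], username [alice@example.com], destination server [198.51.100.7:2598], resource [Notepad].
[Wed May 16 16:58:02 2012] [info] CGP forwarding session stopped: client IP [192.0.2.11:51301], username [bob@example.com], destination server [198.51.100.7:2598], resource [Word].
[Wed May 16 17:03:10 2012] [error] SSL Library Error 45 on sg.example.com:443 with peer 192.0.2.12: An unclassified SSL protocol error occurred. (error code: error:140943FC:lib(20):func(148):reason(1020))
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
ERR45_RE = re.compile(r"SSL Library Error 45 on (?P<gateway>\S+) with peer (?P<peer>[\d.]+)")
CGP_RE = re.compile(
    r"CGP forwarding session stopped: client IP \[(?P<ip>[\d.]+):(?P<port>\d+)\], "
    r"username \[(?P<user>[^\]]+)\], destination server \[(?P<server>[^\]]+)\], "
    r"resource \[(?P<resource>[^\]]+)\]"
)


def parse_ts(text: str) -> datetime:
    """Secure Gateway log timestamps look like 'Wed May 16 16:57:29 2012'."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def correlate(log_text: str, window_seconds: int = 5) -> List[Dict[str, Optional[str]]]:
    """One tracking-table row per Error 45, filled from the nearest CGP line for that peer."""
    errors, sessions = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not carry the standard prefix
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        e = ERR45_RE.search(msg)
        if e:
            errors.append((ts, e.group("peer")))
        s = CGP_RE.search(msg)
        if s:
            sessions.append((ts, s.groupdict()))
    window = timedelta(seconds=window_seconds)
    rows = []
    for ts, peer in errors:
        # match on peer IP first, then on closeness in time (the log is in seconds)
        hit = next((d for sts, d in sessions if d["ip"] == peer and abs(sts - ts) <= window), None)
        rows.append({
            "time": ts.isoformat(sep=" "),
            "client_ip": peer,
            "username": hit["user"] if hit else None,
            "destination": hit["server"] if hit else None,
            "resource": hit["resource"] if hit else None,
            # the article's step 3 checks the session reliability port (default 2598)
            "session_reliability": hit["server"].endswith(":2598") if hit else None,
        })
    return rows
```

A row whose username is None means no CGP line was found for that peer in the window, which is itself worth noting in the table: the disconnect happened without a forwarded session being torn down at the same time.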


Additional Resources

Citrix Documentation - XenApp and Secure Gateway


Disclaimer

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

The cryptographic security of the SSL connection has been compromised

Environment:
Web Interface 5.3.0.34 installed on Windows 2008 R2 in DMZ with selfmade certificates
Secure gateway 3.2.1 (Secure gateway diagnostics says 3.2.0) installed on Windows 2008 R2 in DMZ with selfmade certificates
Citrix farm XenApp 6.0 installed on Windows 2008 R2

Yesterday a user called me and said that there was some problem logging in from home. I tried and it worked for me, but not for the user. He got a message box saying:

"Unable to launch your application. Contact your helpdesk with the following information: Cannot connect to the Citrix XenApp server. Network issues are preventing your connection. Please try again. If the problem persists, please call your help desk."

I tried again and could launch the application, but the user could not.

I logged in to the Secure gateway server and there were some users logged on, but in the event viewer I found the events below for the user that called me.

After about 20 minutes I got the same message as the user, and could not launch any applications. I was still logged on to the Web Interface. I logged out from the Web interface and logged on again. Same problem. I restarted the client (Windows 7 x64) and logged on to the Web Interface, still the same problem. After about 30 minutes I suddenly was able to launch the applications again!!!! WHY???

I restarted the Secure gateway and then called the user and everything was working for him too. The event log on the Secure gateway server is a lot cleaner now after the restart, and everything is ok, until next time, which seems to be able to happen whenever it feels like it.

Is there a solution for this?

/Larsa

_____________________________________________________________________________________________

Log Name: Citrix Secure Gateway
Source: Citrix Secure Gateway
Date: 2011-06-15 22:41:19
Event ID: 184
Task Category: (4)
Level: Information
Keywords: Classic
User: N/A
Computer: securegateway.company.com
Description:
Client IP 83.172.77.38:1332] with username [[email protected]] connected successfully to server [192.168.1.57:1494] resource [Remote Desktop], using protocol [iCA.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Citrix Secure Gateway" />
<EventID Qualifiers="0">184</EventID>
<Level>4</Level>
<Task>4</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-06-15T20:41:19.000000000Z" />
<EventRecordID>16883</EventRecordID>
<Channel>Citrix Secure Gateway</Channel>
<Computer>securegateway.company.com</Computer>
<Security />
</System>
<EventData>
<Data>Client IP 83.172.77.38:1332] with username [[email protected]] connected successfully to server [192.168.1.57:1494] resource [Remote Desktop], using protocol [iCA.</Data>
</EventData>
</Event>

_____________________________________________________________________________________________

Log Name: Citrix Secure Gateway
Source: Citrix Secure Gateway
Date: 2011-06-15 22:41:19
Event ID: 127
Task Category: (2)
Level: Error
Keywords: Classic
User: N/A
Computer: securegateway.company.com
Description:
SSL library error 45 on securegateway.company.com:443 with client 83.172.77.38:The cryptographic security of the SSL connection has been compromised.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Citrix Secure Gateway" />
<EventID Qualifiers="0">127</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-06-15T20:41:19.000000000Z" />
<EventRecordID>16884</EventRecordID>
<Channel>Citrix Secure Gateway</Channel>
<Computer>securegateway.company.com</Computer>
<Security />
</System>
<EventData>
<Data>SSL library error 45 on securegateway.company.com:443 with client 83.172.77.38:The cryptographic security of the SSL connection has been compromised.</Data>
</EventData>
</Event>
_____________________________________________________________________________________________

Log Name: Citrix Secure Gateway
Source: Citrix Secure Gateway
Date: 2011-06-15 22:41:19
Event ID: 185
Task Category: (4)
Level: Information
Keywords: Classic
User: N/A
Computer: securegateway.company.com
Description:
Client IP 83.172.77.38:1332] with username [[email protected]] successfully closed connection to server [192.168.1.57:1494] resource [Remote Desktop.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Citrix Secure Gateway" />
<EventID Qualifiers="0">185</EventID>
<Level>4</Level>
<Task>4</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-06-15T20:41:19.000000000Z" />
<EventRecordID>16885</EventRecordID>
<Channel>Citrix Secure Gateway</Channel>
<Computer>securegateway.company.com</Computer>
<Security />
</System>
<EventData>
<Data>Client IP 83.172.77.38:1332] with username [[email protected]] successfully closed connection to server [192.168.1.57:1494] resource [Remote Desktop.</Data>
</EventData>
</Event>

_____________________________________________________________________________________________
