Can't handshake when doing post requests

Hello, I am trying to make a simple POST request to my Node.js server, which is using the certificate provided by Let's Encrypt. However, when I send a POST request from PHP to my Node.js server I get:

Error: write EPROTO 2798134296:error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:../../third_party/boringssl/src/ssl/tls_record.cc:587:SSL alert number 40


This can be verified using Postman by posting to my Node socket: https://www.mathtutortime.com:3001. It looks like it has to do with an improper handshake with Let's Encrypt? Thanks for any ideas.

2 Likes

I think it might have something to do with your server requesting a client certificate. Which apparently isn't offered.

2 Likes

nodeJS allows you to pull in your private and public certificates. It completely allows SSL.
In fact, if you don't pull it in it will give you an error when trying to run the server.

1 Like

I don't understand any of that. The only thing I can see from remote is that OpenSSL notices on connecting:

No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512

The only difference with a regular TLS connection without client certificates is that it only mentions the first row. The other three rows seem to be specific to your NodeJS server.

While I've never encountered this error before myself and I've never used and probably will never use NodeJS directly personally (unfortunately Firefox requires it to be built properly...), I'm thinking the lack of a client certificate is the issue here.

Now, if you think that's not the case, perhaps you'd like to share a little bit more about the setup you have, the configuration et cetera. Because as I said, I didn't understand a thing about your post just now. "pull in your private and public certificates"? What does that mean? "It completely allows SSL"? What do you mean by that? "In fact, if you don't pull it in it will give you an error when trying to run the server" -> do you mean to say NodeJS won't run if you don't require a client certificate?

2 Likes
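An added example that is not from this thread or any of its posters: it applies the reading above to `openssl s_client` output mechanically. The two captures below are constructed from the lines quoted in the thread (the host name `www.example.test` and the chain subjects are made up, not real output from any server), and the parser reports which of the three conditions discussed here are present: a CertificateRequest from the server, a chain with only one certificate, and alert 40.

```javascript
// Added example, not code from the thread: interpret `openssl s_client`
// output and separate (1) the server asking for a client certificate,
// (2) an incomplete served chain, (3) a handshake that ended with alert 40.

// Constructed sample assembled from the lines quoted in the thread; it is
// not a real capture from any host.
const FAILING_OUTPUT = `
CONNECTED(00000003)
depth=0 CN = www.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
Verification error: unable to verify the first certificate
---
16340:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:rec_layer_s3.c:1528:SSL alert number 40
`;

// Constructed sample of a healthy server-only endpoint, for comparison.
const HEALTHY_OUTPUT = `
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
Verification: OK
---
`;

function parseSClientOutput(text) {
  const lines = text.split(/\r?\n/);
  const alert = text.match(/SSL alert number (\d+)/);
  const verifyErr = text.match(/^Verification error: (.+)$/m);
  return {
    // These two lines are printed only after a CertificateRequest arrived.
    clientCertRequested: lines.some((l) =>
      /^(Client Certificate Types|Requested Signature Algorithms):/.test(l)),
    // Count the " N s:" subject lines of the "Certificate chain" section.
    certsInChain: lines.filter((l) => /^\s*\d+ s:/.test(l)).length,
    verificationError: verifyErr ? verifyErr[1].trim() : null,
    alertNumber: alert ? Number(alert[1]) : null,
  };
}

function diagnose(parsed) {
  const notes = [];
  if (parsed.alertNumber === 40) {
    notes.push('alert 40 (handshake_failure): the server refused the handshake');
  }
  if (parsed.clientCertRequested) {
    notes.push('server sent a CertificateRequest: it expects a client certificate, '
      + 'and with rejectUnauthorized in effect a client without one is dropped');
  }
  if (parsed.verificationError
      && parsed.verificationError.includes('unable to verify the first certificate')
      && parsed.certsInChain < 2) {
    notes.push(`only ${parsed.certsInChain} certificate served: the intermediate is missing`);
  }
  return notes;
}

for (const [name, out] of [['failing', FAILING_OUTPUT], ['healthy', HEALTHY_OUTPUT]]) {
  console.log(name, diagnose(parseSClientOutput(out)));
}
```

Run it against a saved `openssl s_client -connect host:port` transcript instead of the constructed samples to get the same three-way split; the chain count alone tells you whether the intermediate problem is separate from the client-certificate problem.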

Thank you for the detail. I didn't mean to say that it won't run if you don't have SSL. I meant to say that if you have your SSL settings set up in Node, and the private and public certificates don't match, or it can't fetch either file, the server will not run. By "pull in the private and public certificates" I mean that you have to get these certificate files if you want an SSL server, which I gave the directory address to on my server. By "completely allows SSL" I mean that you can run your server securely or not securely. I choose securely.

2 Likes

Verification error: unable to verify the first certificate

It looks like the intermediate certificate is missing. Does the certificate file contain two certificates?

2 Likes

My private and public key files only have 1 key each. Where are you getting that it is unable to verify? I thought the website wouldn't open up on https if the first certificate wasn't verifiable?

1 Like

Here's the intermediate certificate:

Cross-signed by IdenTrust
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

2 Likes

Hmm, that's different than my public certificate file. Should I try that one?

1 Like

I'm using this command:

openssl s_client --connect www.mathtutortime.com:3001

Just append the missing intermediate certificate to your existing public certificate file.

2 Likes

Hi @rickster26ter

Checked via OpenSSL, the output looks curious / unknown.

But your port 443 has a working configuration.

16340:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1528:SSL alert number 40

Later:

Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

The missing intermediate certificate isn't the main problem.

Maybe you have a limited list of cipher suites or an untypical configuration.

PS: Alert 40:

Error creating a TLS-Connection: IANA TLS Alert No. 40, handshake_failure. Receipt of a "handshake_failure" alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. SSL_ERROR_NO_CYPHER_OVERLAP (Mozilla) / ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chrome)

So your configuration is wrong / unknown. But I have no idea how nodejs manages that.

3 Likes

Hold up. Use the cross-signed.

Here's the intermediate certificate:

Signed by ISRG Root X1
https://letsencrypt.org/certs/letsencryptauthorityx3.pem

Cross-signed by IdenTrust
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

2 Likes

That, on its own, wouldn't cause a handshake failure.

3 Likes

Ok. I'm not familiar with what an intermediate certificate is. I only have the option to put in a private and public key file on my server. Do I need to try to find an option to add another type?

1 Like

I searched Google pretty extensively regarding this. Everything I found generally led toward what @JuergenAuer was mentioning about non-standard cipher suites and such. I didn't find anything conclusive though.

1 Like

Sorry, a little new to what a cipher suite is. I don't remember pulling anything like that. Is there a linux config that can pull more cipher suite lists?

1 Like

Could you post the configuration of your server app?

1 Like

I don't know.

Your certificate is an RSA certificate. I don't know if that works with ECDSA+SHA256 etc.

1 Like

config of server:

var fs = require('fs');
var express = require('express');
var bodyParser = require('body-parser');
const fetch = require('node-fetch');
const cors = require('cors');

var options = {
  key: fs.readFileSync('/var/www/html/privkey.pem'),
  cert: fs.readFileSync('/var/www/html/cert.pem'),
  // These two together make the server ask every client for a certificate
  // and drop the connection when none is presented.
  requestCert: true,
  rejectUnauthorized: true
};

const chat_port = process.env.port || 3001;

var app = express();
app.use(cors());
app.options('*', cors());
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));
app.use(express.static(__dirname));
app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "mathtutortime.com/account/get_tutoring"); // update to match the domain you will make the request from
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
  next();
});
var server = require('https').createServer(options, app);
var io = require('socket.io').listen(server);

...more stuff dealing with implementation of server...

var host = '192.168.0.15';
server.listen(chat_port, host, function(){
  console.log('listening on *' + chat_port);
});

1 Like
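An added example, not the poster's code and not part of Node: it audits an `options` object of the shape just posted for the two issues raised in this thread (the client-certificate requirement and the single-certificate `cert` file) and derives the server-only configuration for an HTTPS API that only needs to present its own certificate. The PEM blocks are constructed placeholders, not real certificates; `auditHttpsOptions`, `serverOnlyOptions` and the finding codes are this example's own names.

```javascript
// Added example, not code from the thread: audit the `options` handed to
// https.createServer() and derive a server-only configuration.

// Constructed placeholder PEM blocks: the BEGIN/END markers are real, the
// bodies are not parseable certificates. countPemCertificates() only looks
// at the markers, so it behaves the same on a real cert.pem or chain file.
const LEAF_ONLY = [
  '-----BEGIN CERTIFICATE-----',
  'MIIC...constructed-leaf-body...',
  '-----END CERTIFICATE-----',
].join('\n');
const INTERMEDIATE = [
  '-----BEGIN CERTIFICATE-----',
  'MIIE...constructed-intermediate-body...',
  '-----END CERTIFICATE-----',
].join('\n');
const FULL_CHAIN = `${LEAF_ONLY}\n${INTERMEDIATE}\n`;

// Mirrors the options posted in the thread, with file contents inlined.
const POSTED_OPTIONS = {
  key: '-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----',
  cert: LEAF_ONLY,
  requestCert: true,
  rejectUnauthorized: true,
};

function countPemCertificates(pem) {
  // fs.readFileSync() without an encoding returns a Buffer; accept both.
  const text = Buffer.isBuffer(pem) ? pem.toString('utf8') : String(pem);
  const blocks = text.match(/-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g);
  return blocks ? blocks.length : 0;
}

function auditHttpsOptions(options) {
  const findings = [];
  if (options.requestCert) {
    // Node defaults rejectUnauthorized to true, so only an explicit false
    // lets a client without a certificate complete the handshake.
    findings.push(options.rejectUnauthorized === false
      ? 'CLIENT_CERT_OPTIONAL' : 'MUTUAL_TLS_ENFORCED');
    if (!options.ca) {
      // Without `ca`, client certificates are checked against Node's bundled
      // public roots instead of a CA the operator controls.
      findings.push('NO_CLIENT_CA');
    }
  }
  if (countPemCertificates(options.cert || '') < 2) {
    findings.push('INCOMPLETE_CHAIN');
  }
  return findings;
}

const MESSAGES = {
  MUTUAL_TLS_ENFORCED:
    'requestCert + rejectUnauthorized: a client that presents no certificate gets alert 40',
  CLIENT_CERT_OPTIONAL:
    'requestCert without rejectUnauthorized: clients without a certificate connect, socket.authorized is false',
  NO_CLIENT_CA:
    'requestCert set but no `ca`: client certificates are checked against public roots, not a CA you control',
  INCOMPLETE_CHAIN:
    'cert holds a single certificate: append the intermediate so clients can build the chain',
};

// For a server that only needs to present its own certificate (the case in
// the thread), drop the client-certificate requirement entirely.
function serverOnlyOptions(options) {
  const { requestCert, rejectUnauthorized, ...rest } = options;
  return { ...rest, requestCert: false };
}

function report(options) {
  return auditHttpsOptions(options).map((code) => MESSAGES[code]);
}

console.log('posted config:', report(POSTED_OPTIONS));
console.log('fixed config:', report(serverOnlyOptions({ ...POSTED_OPTIONS, cert: FULL_CHAIN })));
```

With `requestCert: false` the server never sends a CertificateRequest, so a PHP client, Postman or `openssl s_client` completes the handshake without a client certificate. If the certificates come from certbot, its `fullchain.pem` already contains the leaf followed by the intermediate, so pointing `cert` at that file instead of `cert.pem` clears the chain finding.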

This might be related:

1 Like