[openssl-users] Help with ssl error

Joseph Southwell jsouthwell at serengeti.com
Tue Apr 18 15:17:48 UTC 2017


It doesn’t look like it requested a client certificate to me.

openssl110e>openssl s_client -state -msg -connect ftp.echannel.banksys.be:16370 -starttls ftp
CONNECTED(00000104)
SSL_connect:before SSL initialization
>>> ??? [length 0005]
    16 03 01 00 ab
>>> TLS 1.2Handshake [length 00ab], ClientHello
    01 00 00 a7 03 03 b1 9d 3b a7 9d c4 3f de 8a 20
    59 07 1f d7 50 3e 20 cf 92 cb a6 7d 94 1d 2f b2
    81 c0 d9 12 1c f9 00 00 38 c0 2c c0 30 00 9f cc
    a9 cc a8 cc aa c0 2b c0 2f 00 9e c0 24 c0 28 00
    6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0
    13 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 00
    ff 01 00 00 46 00 0b 00 04 03 00 01 02 00 0a 00
    0a 00 08 00 1d 00 17 00 19 00 18 00 23 00 00 00
    0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05
    03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02
    02 02 03 00 16 00 00 00 17 00 00
SSL_connect:SSLv3/TLS write client hello
<<< ??? [length 0005]
    15 03 02 00 02
<<< TLS 1.2Alert [length 0002], fatal insufficient_security
    02 47
SSL3 alert read:fatal:insufficient security
SSL_connect:error in SSLv3/TLS write client hello
3252:error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient security:ssl\record\rec_layer_s3.c:1385:SSL alert number 71
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 88 bytes and written 186 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1492518024
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
 
> On Apr 14, 2017, at 2:49 PM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> 
> 
>> On Apr 14, 2017, at 9:48 AM, Joseph Southwell <jsouthwell at serengeti.com> wrote:
>> 
>> Version 1.1 openssl
>> 
>> openssl.exe s_client -connect hostname:16370 -starttls ftp
>> 877788:error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient security:ssl\record\rec_layer_s3.c:1385:SSL alert number 71
> 
> The remote host sent an "insufficient security" TLS alert.
> 
>> The host I am connecting to apparently only supports the following 2 ciphers:
>> RSA_With_AES_128_CBC_SHA and RSA_With_3DES_EDE_CBC_SHA
>> 
>> What should I do to make this work?
> 
> Perhaps it is expecting a client certificate?  Retry with:
> 
> $ openssl s_client -state -msg -connect hostname:16370 -starttls ftp
> 
> and see whether it solicited a client certificate.
> 
> -- 
> 	Viktor.
> 
