[openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

Viktor Dukhovni openssl-users at dukhovni.org
Mon Apr 24 22:55:52 UTC 2017


> On Apr 24, 2017, at 6:11 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
> 
> I went through the capture between the app (local end) and the proxy. It appears that the sequence is:
> 
> ClientHello -> (from app to proxy, with a ton of cipher suites, including 0xc02f)
>       <-  ServerHello (with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 – present in ClientHello)
>       <- CertificateServer Key Exchange, Server Hello Done (includes proxy’s cert rather than the remote end’s cert)
> 
> Alert (Level: Fatal, Description: Certificate Unknown) ->
> 
> So it appears that the app expects the remote end’s cert, and is not happy getting the proxy’s cert instead?

Please report tshark output, not an approximate rendition.  In what direction
is the alert sent?

It is indeed possible that the application is not configured for and correctly
rejects the forged certificate of the MiTM proxy.  It would need the Root CA
of the proxy as a trusted issuer, but that may not be configurable.  In which
case you'd need to let the app connect directly to the remote server without
an MiTM-proxy.

-- 
	Viktor.



More information about the openssl-users mailing list