[openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

Viktor Dukhovni openssl-users at dukhovni.org
Mon Apr 24 21:47:59 UTC 2017

> On Apr 24, 2017, at 5:18 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
> I use a 3rd-party application that is trying to update itself (so it’s trying to “call home”). Naturally, I’m behind a corporate firewall and Web proxy. The app has been configured to use that proxy. It fails to connect. Packet capture reveals the following:

You're noticeably at this point in the problem report.  Is this a packet capture
between the application and the proxy, or between the proxy and the outside host?
At what stage of the handshake is the alert seen?

Have you tried using "curl" to complete a proxied connection to the remote server?

> Handshake failed
> The SSL handshake could not be performed.
> Host: <remote host name>
> Reason: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:state 23:Application response 500 handshakefailed

The alert is always generated remotely and reported locally.  It could
in theory come from the proxy, but more likely from the real remote

> I must be dense today (and please, no comment about how this state might be more permanent than that (), but I can’t figure even which peer is complaining. Is it the local end (aka the application) that doesn’t like the proxy’s certificate? Is it the Web proxy that doesn’t like the remote host certificate? Or is it the remote end that doesn’t like the proxy’s certificate?
> I can connect to the remote host via browser just fine

The server may not like the client's ciphers or protocol version.

See my recent post: https://www.spinics.net/lists/openssl-users/msg05623.html
for instructions on how to extract SSL info from PCAP files in a way that
mostly trims away endpoint details... (of course SNI names and cert names
would still be there, so you'd need to trim those if you want to anonymize
the guilty parties).

Capture the traffic between the proxy and the remote server if at all
possible, and compare with the trace between client and proxy.


More information about the openssl-users mailing list