[openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

Matt Caswell matt at openssl.org
Mon Apr 24 22:16:45 UTC 2017

On 24/04/17 22:18, Blumenthal, Uri - 0553 - MITLL wrote:
> I use a 3rd-party application that is trying to update itself (so
> it’s trying to “call home”). Naturally, I’m behind a corporate
> firewall and Web proxy. The app has been configured to use that
> proxy. It fails to connect. Packet capture reveals the following:
> Handshake failed
> The SSL handshake could not be performed.
> Host: <remote host name> Reason: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown:state
> 23:Application response 500 handshakefailed
> <Our Service Desk ext. number> generated 2017-04-24 15:28:13 by
> webwasher4 Java/1.8.0_112

Webwasher is your proxy right? So it is clearly webwasher that is
generating this error message (it says so in the text above!). The
OpenSSL error contained in this text occurs when the remote peer sends a
fatal alert to the local endpoint. So it looks to me like your proxy has
initiated a TLS connection to the remote host but the remote host has
rejected the handshake and sent back a "certificate unknown" fatal alert.

A certificate unknown alert has the following description in the RFCs:

      Some other (unspecified) issue arose in processing the
      certificate, rendering it unacceptable.

So, my guess is that the remote host has requested a client certificate
(i.e. client auth) and your proxy has been unable to provide it.


> I must be dense today (and please, no comment about how this state
> might be more permanent than that (), but I can’t figure even which
> peer is complaining. Is it the local end (aka the application) that
> doesn’t like the proxy’s certificate? Is it the Web proxy that
> doesn’t like the remote host certificate? Or is it the remote end
> that doesn’t like the proxy’s certificate?
> I can connect to the remote host via browser just fine…
> Thanks! — Regards, Uri Blumenthal

More information about the openssl-users mailing list