[openssl-users] What does this error mean? sslv3 alert certificate unknown:state 23

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue Apr 25 20:41:22 UTC 2017

    >                         extensions: 4 items
    >                             Extension (ns_cert_exts.comment)
    >                                 Extension Id: 2.16.840.1.113730.1.13 (ns_cert_exts.comment)
    >                                 BER Error: String with tag=22 expected but class:UNIVERSAL(0)
    >                                                               primitive tag:12 was unexpected
    >                                     [Expert Info (Warn/Malformed): BER Error: String expected]
    >                                         [BER Error: String expected]
    >                                         [Severity level: Warn]
    >                                         [Group: Malformed]
    This is odd, is tshark buggy, too picky, or is the issuer cert actually malformed?

I don’t know off-hand, will check, and bring to the attention of those who run the proxy.

    >                     algorithmIdentifier (shaWithRSAEncryption)
    >                         Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
    >                     Padding: 0
    >                     encrypted: 408fc9a991e6cebbec05fa6b2463d89bcb8b2dc888c1a1b6...
    Issuer cert is an MiTM proxy, and possibly has encoding errors.
Got it, thanks.

    > Secure Sockets Layer
    >     TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
    >         Content Type: Alert (21)
    >         Version: TLS 1.2 (0x0303)
    >         Length: 2
    >         Alert Message
    >             Level: Fatal (2)
    >             Description: Certificate Unknown (46)
    Client objects to the server chain.  Either does not trust the MiTM root CA, or
    is unhappy about its encoding (assuming tshark is not generating an FP warning).
Thank you!  So it is the *client* that breaks the connection, and it is unhappy either about MiTM, or the encoding. I will check for both (though not much I can do about either).

Thanks! (At least I have an idea now what’s going on.) 
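
Added example, not part of the original message: a small Python check that reports which ASN.1 string type a certificate's nsComment extension (2.16.840.1.113730.1.13) carries, which is the condition behind tshark's "tag=22 expected ... tag:12 was unexpected" warning quoted above. The function names and the sample bytes are constructed for illustration.

```python
# Added example: all names and sample bytes below are constructed, not from the thread.
NS_COMMENT_OID = bytes.fromhex("6086480186f842010d")  # 2.16.840.1.113730.1.13
TAG_NAMES = {0x0C: "UTF8String", 0x16: "IA5String"}   # universal tags 12 and 22

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def walk(buf, start, end):
    """Yield every element in document order, descending into constructed ones."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        if tag & 0x20:  # constructed: SEQUENCE, SET, explicit context tags
            yield from walk(buf, vs, ve)
        pos = ve

def check_ns_comment(der):
    """Return (string type name, is_ia5string), or None if there is no nsComment."""
    items = list(walk(der, 0, len(der)))
    for i, (tag, vs, ve) in enumerate(items):
        if tag == 0x06 and der[vs:ve] == NS_COMMENT_OID:
            # extnValue OCTET STRING follows the OID, after an optional BOOLEAN
            for t2, s2, e2 in items[i + 1:i + 3]:
                if t2 == 0x04 and e2 > s2:
                    return TAG_NAMES.get(der[s2], f"tag {der[s2]}"), der[s2] == 0x16
    return None

def tlv(tag, body):  # short-form DER element, for building sample data only
    return bytes([tag, len(body)]) + body

def sample_extension(string_tag, critical=False):  # constructed nsComment Extension
    flag = tlv(0x01, b"\xff") if critical else b""
    value = tlv(0x04, tlv(string_tag, b"constructed sample comment"))
    return tlv(0x30, tlv(0x06, NS_COMMENT_OID) + flag + value)
```

To run it against a real certificate, convert it to DER first (for example with `openssl x509 -in issuer.pem -outform DER`) and pass the resulting bytes to `check_ns_comment`.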