Checking for update failed. Reason: Remote host terminated the handshake

Article ID: 252370

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

In a PAM environment we were fixing issues with the SSL certificate. We stopped the cluster and uploaded this year's certificates into the node. After the certificates were activated, connectivity to 2 of the nodes is failing.

Of the 3 servers, xxx.xxx.com is working and able to connect. Starting and stopping the cluster works.

xxx.xxx.com is not able to connect.

The PAM Client gives the error below.

curl to these machines fails with the error below.

# curl -vvv 'https://xxx.xxx.com'
* Rebuilt URL to: https://xxx.xxx.com/
*   Trying 10.0.0.10...
* TCP_NODELAY set
* Failed to set TCP_KEEPALIVE on fd 4
* Connected to xxx.xxx.com (x.x.x.x) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
  CAfile: none
  CApath: /etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

openssl also fails:

openssl s_client -connect xxx.xxx.com:443
CONNECTED(00000004)
2249710069462008:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:802:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1665578692
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Environment

Release: 4.1.x

Cause

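The client had installed an RSA-signed certificate but had deselected the 2 RSA ciphers in the configuration. With no enabled cipher that can use the RSA certificate, the server rejects the Client Hello with a handshake failure alert before sending any certificate, which is what the curl and openssl output shows.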
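
Added example, not part of the original article or of the vendor's tooling: a POSIX shell function that reads openssl s_client output on stdin and reports how far the handshake got, so a cipher or protocol rejection like this one is not mistaken for a certificate trust problem. The function names and verdict words are made up for illustration; the sample is abridged from the openssl output above.

```shell
#!/bin/sh
# Added example: triage of openssl s_client output read on stdin.
# Prints one verdict word (names are illustrative) for how far the handshake got.
classify_s_client() {
    out=$(cat)
    has() { printf '%s\n' "$out" | grep -q -e "$1"; }
    # Bytes received during the handshake. 7 = one 5-byte TLS record header
    # plus a 2-byte alert, so the server sent an alert and nothing else.
    read_bytes=$(printf '%s\n' "$out" |
        sed -n 's/^SSL handshake has read \([0-9][0-9]*\) bytes.*/\1/p' | head -n 1)
    verify=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)

    if has '^no peer certificate available'; then
        # No certificate arrived, so "Verify return code: 0 (ok)" is
        # meaningless here and is deliberately ignored.
        if has 'alert handshake failure' || [ "$read_bytes" = 7 ]; then
            # Server refused the Client Hello: compare enabled protocols and
            # ciphers with the key type of the installed certificate.
            echo rejected_before_server_hello
        else
            echo no_certificate_received
        fi
    elif [ -n "$verify" ] && [ "$verify" != 0 ]; then
        echo certificate_not_trusted
    else
        echo handshake_completed
    fi
}

# Sample abridged from the failing node's output in this article.
failing_sample() {
    cat <<'EOF'
CONNECTED(00000004)
2249710069462008:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:802:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)
EOF
}

failing_sample | classify_s_client
```

Against a live node the same function can be fed directly, for example by piping the output of openssl s_client (with stderr merged in) into classify_s_client.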

Resolution

After adding the certificate, the client confirmed that the appropriate options were selected.