Question
Alexander Grishkan · Aug 9, 2017

SSL_connect() error

I am trying to send an HTTP request and am getting an "SSL/TLS error return from SSL_connect()." error (Caché 2013). No modification in the SSL/TLS configuration helped. Could anyone point me in the right direction?

Thanks

Discussion (16)

Before launching your request, check in your %Net.HttpRequest object that
property Https is set (obviously).

Property SSLConfiguration has to be:

The name of the activated TLS/SSL configuration to use for https requests.

If the request fails in execution,
property SSLError tells you what went wrong:

If request uses an SSL connection and a SSL handshake error has occurred, then SSLError contains text describing the SSL error.

More on %Net.HttpRequest here:
http://docs.intersystems.com/latest/csp/documatic/%25CSP.Documatic.cls?P...

I don't have any particular recommendations about openssl. I use the openssl that comes with the Linux I use.

If the connection works OK on 2016.1 (or 2016.2?), you might try to uncheck TLS 1.1 and TLS 1.2 in the SSL/TLS configuration settings on the 2016.1 installation, leaving only TLS 1.0, and see if the connection succeeds. If not, the server probably requires TLS 1.1 or TLS 1.2.

Can you connect to that server using openssl?

If yes, try to match the protocol openssl uses with the protocols enabled in the SSL/TLS Configuration.

E.g., if the SSL/TLS Configuration has only TLS1 enabled, try to connect with openssl using -tls1:

openssl s_client -tls1 -connect server:port

Maybe that server requires TLS 1.2 or SNI, which is not available in Caché 2013.1.
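The protocol-matching exercise above can be done systematically. The script below is an added example, not code from this thread or from InterSystems: it pins openssl s_client to one TLS version at a time, reports which versions the server accepts (those are the ones to tick in the SSL/TLS configuration), maps OpenSSL's own failure messages to a likely cause, and checks whether the server insists on SNI (which the answer notes Caché 2013.1 cannot send). The host and port are whatever you pass; -tls1_3 and -noservername assume OpenSSL 1.1.1 or newer, and current OpenSSL builds refuse -tls1 themselves at the default security level, which the script reports as a client-side refusal rather than a server rejection.

```shell
#!/bin/sh
# tls_probe.sh: added example. Pins openssl s_client to one protocol version
# at a time so the versions a server accepts can be matched against the
# ones ticked in the Caché/IRIS SSL/TLS configuration.
# Assumes openssl 1.1.1+ (for -tls1_3 and -noservername).

# One handshake with a single pinned protocol version.
# $1 host, $2 port, $3 flag (-tls1 | -tls1_1 | -tls1_2 | -tls1_3)
# Prints s_client's output; exit status is 0 only if the handshake completed.
tls_probe() {
  openssl s_client "$3" -servername "$1" -connect "$1:$2" </dev/null 2>&1
}

# Negotiated version from the SSL-Session block ("Protocol  : TLSv1.2").
# Only meaningful after a successful probe; prints "none" if absent.
negotiated_protocol() {
  printf '%s\n' "$1" | awk '
    /^ *Protocol *:/ { sub(/^ *Protocol *: */, ""); print; found = 1; exit }
    END { if (!found) print "none" }'
}

# Map the OpenSSL messages in a probe's output to the likely cause.
handshake_diagnosis() {
  case "$1" in
    *"no protocols available"*)
      echo "client side: this openssl build refuses to offer that version" ;;
    *"alert protocol version"*|*"wrong version number"*)
      echo "server rejects this protocol version" ;;
    *"alert handshake failure"*)
      echo "server rejected the handshake: no common cipher, or SNI/client cert required" ;;
    *"unable to get local issuer certificate"*|*"self signed certificate"*|*"self-signed certificate"*)
      echo "handshake ok but chain does not verify: check the CA file in the configuration" ;;
    *"Verify return code: 0 (ok)"*)
      echo "ok" ;;
    *)
      echo "unknown: read the full s_client output" ;;
  esac
}

# Caché 2013.1 cannot send SNI: see whether the server insists on it.
# Returns 0 if the handshake fails without SNI but succeeds with it.
sni_required() {
  openssl s_client -noservername -connect "$1:$2" </dev/null >/dev/null 2>&1 && return 1
  openssl s_client -servername "$1" -connect "$1:$2" </dev/null >/dev/null 2>&1
}

# Probe every version and print one line per result.
probe_all() {
  host=$1; port=${2:-443}
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    out=$(tls_probe "$host" "$port" "$flag")
    if [ $? -eq 0 ]; then
      printf '%-8s ok    %s (%s)\n' "$flag" "$(negotiated_protocol "$out")" "$(handshake_diagnosis "$out")"
    else
      printf '%-8s FAIL  %s\n' "$flag" "$(handshake_diagnosis "$out")"
    fi
  done
  if sni_required "$host" "$port"; then
    echo "SNI: required"
  else
    echo "SNI: not required (or both probes failed)"
  fi
}

# Usage: sh tls_probe.sh server port
if [ -n "${1:-}" ]; then probe_all "$1" "${2:-443}"; fi
```

Run it against the server the HTTP request targets and tick exactly the versions it reports as ok; a FAIL on every line combined with "SNI: required" is the case the answer describes, where no configuration change on the old Caché side will help.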

Hi Alex,

Thank you for the detailed answer. This might be the reason why the SSL handshake works on Caché 2016 but not on 2013. What openssl do you recommend using (I don't have it installed)?

I am also getting "SSL/TLS error in SSL_connect(), SSL_ERROR_SYSCALL: I/O error (104)", but this time it is in IRIS HealthShare HealthConnect 2021.2 on Red Hat using Apache and the Web Gateway. As soon as I turn on SSL/TLS within the server settings on the Gateway I am getting the error. But as soon as I switch it back to password, I am able to get the "Test Server Connection" to work.

Scott, the SSL error is fairly generic. Using REDEBUG as suggested in one of the comments might give you more info. Otherwise, a network trace would be the ultimate source of truth in terms of why the SSL handshake is failing.

@Vic Sun

Private key file: /etc/pki/tls/private/ssl_vd01.key
02/28/22-14:48:35:457 (770618) 0 [Generic.Event]
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
02/28/22-14:48:35:457 (770618) 0 [Generic.Event]
error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
02/28/22-14:48:35:457 (770618) 0 [Generic.Event]
error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
02/28/22-14:48:35:457 (770618) 0 [Generic.Event]
error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib
02/28/22-14:48:35:457 (770618) 0 [Generic.Event]
error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
 

Did I miss something in the documentation that the private key needed to be pkcs12 format? This is the first time I have seen this requirement.

Right, I had formatted it for PEM, not pkcs12, which is why I was confused. I can't remember what openssl command I used to create the key, but pkcs12 was not involved.

I think it was something like openssl req -newkey rsa:4096 -keyout PRIVATEKEY.key -out MYCSR.csr -config my_config.cnf

When I downloaded the returned certificate file it was in PEM format.

PEM should be correct. I'm not sure then! Are there no other errors in the log? It may be time for a network trace.

I ran into this issue with a customer within the last few days. The customer provided me with a GoDaddy-supplied certificate (in PEM/x509 format) and a private key file. Unfortunately the private key wasn't anything recognizable by openssl (it definitely wasn't an RSA key at least), and it did not appear to be encrypted.

The resolution was to regenerate an RSA private key and CSR ourselves with openssl, then submit the CSR to GoDaddy for generation of the certificate. The RSA key and the cert from GoDaddy were supplied as the certificate and private key for both the %SuperServer SSL configuration and the cert/private key in the Web Gateway server configuration.

I generated the Key and CSR from openssl on the Red Hat server. I sent the CSR to our server folks for them to generate the Cert.

SSL/TLS configuration: %SuperServer
02/28/22-14:48:42:680 (770636) 0 [Generic.Event]
TLS enabled versions, minimum: 16, maximum: 32
02/28/22-14:48:42:680 (770636) 0 [Generic.Event]
Cipher list for TLSv1.2 and below: ALL:!aNULL:!eNULL:!EXP:!SSLv2
02/28/22-14:48:42:680 (770636) 0 [Generic.Event]
Ciphersuites for TLSv1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
02/28/22-14:48:42:680 (770636) 0 [Generic.Event]
Certificate file: /etc/pki/tls/certs/ssl_vd01.crt
02/28/22-14:48:42:680 (770636) 0 [Generic.Event]
Private key file: /etc/pki/tls/private/ssl_vd01.key
02/28/22-14:48:42:681 (770636) 0 [Generic.Event]
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
02/28/22-14:48:42:681 (770636) 0 [Generic.Event]
error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
02/28/22-14:48:42:681 (770636) 0 [Generic.Event]
error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
02/28/22-14:48:42:681 (770636) 0 [Generic.Event]
error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib
02/28/22-14:48:42:681 (770636) 0 [Generic.Event]
error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
02/28/22-14:49:02:170 (770555) 0 [Utility.Event] REDEBUG: new netdebugflags FF
02/28/22-18:01:15:093 (759932) 1 [Utility.Event] [SYSTEM MONITOR] DBLatency(/ensemble/DEV/mgr/iristemp/) Warning: DBLatency = 2075.368 ( Warnvalue is 1000).
02/28/22-18:11:45:685 (759932) 0 [Utility.Event] [SYSTEM MONITOR] DBLatency(/ensemble/DEV/

So it sounds like the Key and CSR/Cert weren't generated correctly.

Are you using the private key you created at the time you generated the CSR, or one provided by your server folks? You need to use the one you generated.

And I'm assuming your private key is encrypted, and therefore has the following header in the file:

-----BEGIN ENCRYPTED PRIVATE KEY-----

Have you tried decrypting it with openssl?

openssl rsa -in /etc/pki/tls/private/ssl_vd01.key -text

You should be prompted for a passphrase; use the one you provided when you generated the CSR. If it decrypts OK, you'll get something similar to this:

RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00:98:42:c5:37:28:e4:b9:69:e4:a0:45:86:b1:20:
    39:5f:78:36:96:14:f8:e9:4f:49:7d:44:31:16:3c:
<remainder elided>

If you don't get something like this, the passphrase is wrong for the key file. If you do, verify that you've provided the proper passphrase in both the %SuperServer SSL configuration and the Web Gateway Server Access configuration.

You'll also need to provide the passphrase when starting httpd, which may not be obvious if SELinux is blocking it; running the following command will allow the prompting for a password when starting/restarting httpd:

setsebool -P httpd_read_user_content 1

It looks like the Private Key is not encrypted as I am not seeing 

-----BEGIN ENCRYPTED PRIVATE KEY-----

this is what I am seeing...

-----BEGIN RSA PRIVATE KEY-----
 

So that is probably my issue. Thanks
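The two checks in this exchange, reading the key's PEM header to see whether it is encrypted and then confirming the key actually belongs to the certificate, are worth scripting, since the same key and passphrase have to be entered in both the %SuperServer SSL configuration and the Web Gateway server access configuration. The script below is an added example, not code from this thread or from InterSystems. It distinguishes an encrypted PKCS#8 key (BEGIN ENCRYPTED PRIVATE KEY), a traditional encrypted PEM key (BEGIN RSA PRIVATE KEY followed by a Proc-Type: 4,ENCRYPTED line) and the unencrypted forms, says whether the passphrase field should be filled in, and compares the public key derived from the private key with the one in the certificate. The error chain posted above (EVP_DecryptFinal_ex:bad decrypt through PKCS12_pbe_crypt to PEM_read_bio_PrivateKey) is what OpenSSL reports when passphrase decryption of a PEM key fails, which is why the header check comes first. File names are whatever you pass; the passphrase argument is passed as -passin pass:, which is fine for a lab check but should be -passin file: in real use.

```shell
#!/bin/sh
# key_check.sh: added example. Classifies a PEM private key by its header,
# says whether the SSL/TLS configuration needs a passphrase for it, and
# checks that the key really belongs to the certificate.

# Print one of: pkcs8-encrypted, pkcs8-plain, rsa-encrypted, rsa-plain,
# ec-plain, unknown. The first two lines are enough: traditional PEM marks
# encryption with a "Proc-Type: 4,ENCRYPTED" line under the BEGIN line.
key_kind() {
  case "$(head -n 2 "$1")" in
    *"-----BEGIN ENCRYPTED PRIVATE KEY-----"*)                    echo pkcs8-encrypted ;;
    *"-----BEGIN PRIVATE KEY-----"*)                              echo pkcs8-plain ;;
    *"-----BEGIN RSA PRIVATE KEY-----"*"Proc-Type: 4,ENCRYPTED"*) echo rsa-encrypted ;;
    *"-----BEGIN RSA PRIVATE KEY-----"*)                          echo rsa-plain ;;
    *"-----BEGIN EC PRIVATE KEY-----"*)                           echo ec-plain ;;
    *)                                                            echo unknown ;;
  esac
}

# What to put in the private key password field of the %SuperServer and
# Web Gateway configurations for a key of this kind.
passphrase_advice() {
  case "$(key_kind "$1")" in
    *-encrypted) echo "encrypted: enter the passphrase used when the key was generated" ;;
    *-plain)     echo "not encrypted: leave the passphrase empty" ;;
    *)           echo "not a PEM private key this script recognises" ;;
  esac
}

# 0 if the public key derived from the private key equals the one in the
# certificate. $3 is an optional passphrase for an encrypted key; -passin
# pass:... is used here for brevity, use -passin file:... outside a lab.
# An encrypted key with a wrong or missing passphrase makes openssl pkey
# fail, so the function returns 1 in that case too.
key_matches_cert() {
  kpub=$(openssl pkey -in "$1" -pubout -passin "pass:${3:-}" 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Usage: sh key_check.sh key.pem cert.crt [passphrase]
if [ -n "${2:-}" ]; then
  passphrase_advice "$1"
  if key_matches_cert "$1" "$2" "${3:-}"; then
    echo "key matches certificate"
  else
    echo "key does NOT match certificate (or could not be read)"
  fi
fi
```

For the key in this thread, key_kind prints rsa-plain and passphrase_advice says to leave the passphrase empty; if key_matches_cert then fails, the key on disk is not the one the CSR was generated from, which is the other cause the answer above asks about.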