SSL handshake error [closed]

1

I am using Shibboleth for single-user authentication, and it needs an SSL configuration that facilitates the user authentication process. It was working fine before, but now I am facing an SSL handshake failure error and the secure connection is ignored. Here is the detailed error message on the browser screen (Firefox):

Secure Connection Failed

An error occurred during a connection to www.mydomain.com.

SSL peer was unable to negotiate an acceptable set of security parameters.

(Error code: ssl_error_handshake_failure_alert)


  The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Update:

Here is the updated Shibboleth error log:

2012-09-20 15:14:59 DEBUG Shibboleth.Listener [17]: dispatching message (default/SAML/POST)
2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1POST [17]: validating input
2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1POST [17]: decoded SAML response:
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2012-09-20T13:10:43.494Z" MajorVersion="1" MinorVersion="1" Recipient="https://inami-riziv.dokeosnet.com/Shibboleth.sso/SAML/POST" ResponseID="_faf482981786daacf938e158e87d75f8"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_faf482981786daacf938e158e87d75f8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>qgvrV2yDB88HKXStzqT3sFrpLlo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ifKK73UUbsOxqpsnfGcloErG5Vsrklckv/xpbsMAWDzrTm8ZvWjaLru0d7smEYmKFXdkJ/JayAXW
cM5aAKAwazWM7tj5YYvY3bTFlq4k/qI3GR46Kr5apGKkTEtDR9DkZDJ6N2+/vqOvdIxwefdFvaPs
FzsrZeGkt+IAcKmgCFZ78/2tbfckYd4sFGko0Lw3nIl9/dac03OJUsUVuScsiEVd6f/DjzedHgkk
3DD0xR2HFIY5MQzDdztz1f4PyuGFdXiyauUtm2bF+7XULQ8XwfGd+K0qIMOKBykTQuq0ijL+PpgZ
jRr3G2ylqSsJ1/NIwT6pRG79gJlcw55RB25XzA==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[...]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_56927407beba7fd1762d43bb15f71303" IssueInstant="2012-09-20T13:10:43.494Z" Issuer="http://idp.smals-mvm.be/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2012-09-20T13:10:43.494Z" NotOnOrAfter="2012-09-20T13:15:43.494Z"><AudienceRestrictionCondition><Audience>https://inami-riziv.dokeosnet.com/shibboleth</Audience><Audience>urn:be:fgov:ehealth:trust:partners</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2012-09-20T13:10:43.494Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="http://idp.smals-mvm.be/shibboleth">_99e6f544a77e9b878ff54a1091c2c603</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality IPAddress="193.191.246.82"></SubjectLocality></AuthenticationStatement></Assertion></Response>

2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1 [17]: extracting issuer from SAML 1.x Response
2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1 [17]: response from (http://idp.smals-mvm.be/shibboleth)
2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1 [17]: searching metadata for response issuer...
2012-09-20 15:14:59 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [17]: evaluating message flow policy (replay checking on, expiration 60)
2012-09-20 15:14:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [17]: rejected expired message, timestamp (1348146643), oldest allowed (1348146659)
2012-09-20 15:19:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
2012-09-20 15:34:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
2012-09-20 15:42:06 DEBUG Shibboleth.Listener [18]: dispatching message (default::getHeaders::Application)
2012-09-20 15:42:06 DEBUG Shibboleth.Listener [18]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 15:42:06 DEBUG XMLTooling.StorageService [18]: inserted record (9699add17fc90926f21c8fa06efec1e1) in context (RelayState) with expiration (1348149126)
2012-09-20 16:04:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
2012-09-20 16:19:53 INFO XMLTooling.StorageService : purged 2 expired record(s) from storage
2012-09-20 16:20:21 DEBUG Shibboleth.Listener [21]: dispatching message (default::getHeaders::Application)
2012-09-20 16:20:21 DEBUG Shibboleth.Listener [21]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 16:20:21 DEBUG XMLTooling.StorageService [21]: inserted record (5bfae2fab27dfd8026a14e253696bc3a) in context (RelayState) with expiration (1348151421)
2012-09-20 16:34:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
2012-09-20 16:39:19 DEBUG Shibboleth.Listener [22]: dispatching message (default::getHeaders::Application)
2012-09-20 16:39:19 DEBUG Shibboleth.Listener [22]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 16:39:19 DEBUG XMLTooling.StorageService [22]: inserted record (fbf6b65fc660ed134500345faef56f0a) in context (RelayState) with expiration (1348152559)
2012-09-20 16:43:29 INFO Shibboleth.Listener [15]: detected socket closure, shutting down worker thread
2012-09-20 16:49:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
2012-09-20 17:20:55 INFO Shibboleth.Listener [19]: detected socket closure, shutting down worker thread
2012-09-20 17:31:10 INFO Shibboleth.Listener [21]: detected socket closure, shutting down worker thread
2012-09-20 18:21:09 INFO Shibboleth.Listener [18]: detected socket closure, shutting down worker thread
2012-09-20 18:28:29 INFO Shibboleth.Listener [17]: detected socket closure, shutting down worker thread
2012-09-20 18:28:31 INFO Shibboleth.Listener [20]: detected socket closure, shutting down worker thread
2012-09-20 18:48:23 DEBUG Shibboleth.Listener [23]: dispatching message (default::getHeaders::Application)
2012-09-20 18:48:23 DEBUG Shibboleth.Listener [23]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 18:48:23 DEBUG XMLTooling.StorageService [23]: inserted record (0b316ef6e5acf1da562899feb0b84ec1) in context (RelayState) with expiration (1348160303)
2012-09-20 18:52:26 DEBUG Shibboleth.Listener [24]: dispatching message (default::getHeaders::Application)
2012-09-20 18:52:26 DEBUG Shibboleth.Listener [24]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 18:52:26 DEBUG XMLTooling.StorageService [24]: inserted record (b89fbe4deecae876148bd470e7aa6f85) in context (RelayState) with expiration (1348160546)
2012-09-20 18:52:38 DEBUG Shibboleth.Listener [25]: dispatching message (default::getHeaders::Application)
2012-09-20 18:52:38 DEBUG Shibboleth.Listener [25]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 18:52:38 DEBUG XMLTooling.StorageService [25]: inserted record (b76b99286d06dd0ce84da39c9947e344) in context (RelayState) with expiration (1348160558)
2012-09-20 18:53:03 INFO Shibboleth.Listener [16]: detected socket closure, shutting down worker thread
2012-09-20 18:53:27 DEBUG Shibboleth.Listener [26]: dispatching message (default::getHeaders::Application)
2012-09-20 18:53:27 DEBUG Shibboleth.Listener [26]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 18:53:27 DEBUG XMLTooling.StorageService [26]: inserted record (59fc5fa8d1589ffc94077f4e0e079f38) in context (RelayState) with expiration (1348160607)
2012-09-20 19:00:41 DEBUG Shibboleth.Listener [27]: dispatching message (default::getHeaders::Application)
2012-09-20 19:00:41 DEBUG Shibboleth.Listener [27]: dispatching message (default/Login::run::Shib1SI)

Edit

Steps to see the error live: go to this page > click Log in > then click "Identification par card d'identité électronique" > error message (the login is protected by Shibboleth)

Note: I have gone through all the browser settings and even installed the latest browser. There is a problem with the SSL config, I think, and I have synchronized the clock, but it did not help.

    
asked by Subhransu Mishra 20.09.2012 - 17:23

1 answer

1

Shibboleth thinks the request is too old (you can check your error message against the source). I recommend checking the clock skew between your client and the server (e.g., make sure they are synchronized closely, to the second).

    
answered 20.09.2012 - 17:34
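The timing check described in the answer, worked through on the log lines from the question. This is an added example, not part of the original post or of Shibboleth's code; the function name `analyse` and the UTC+2 offset used for the log's local timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Two lines copied from the log in the question, plus the Response's IssueInstant.
LOG = """\
2012-09-20 15:14:59 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [17]: evaluating message flow policy (replay checking on, expiration 60)
2012-09-20 15:14:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [17]: rejected expired message, timestamp (1348146643), oldest allowed (1348146659)
"""
ISSUE_INSTANT = "2012-09-20T13:10:43.494Z"

REJECT = re.compile(r"^(\S+ \S+) ERROR \S+MessageFlow \[\d+\]: rejected expired message, "
                    r"timestamp \((\d+)\), oldest allowed \((\d+)\)")
POLICY = re.compile(r"expiration (\d+)\)")


def analyse(log, issue_instant, log_utc_offset_hours=None):
    """Describe every 'rejected expired message' line found in the log text."""
    issued = datetime.strptime(issue_instant, "%Y-%m-%dT%H:%M:%S.%fZ")
    issued = issued.replace(tzinfo=timezone.utc)
    expiration, findings = None, []
    for line in log.splitlines():
        policy = POLICY.search(line)
        if policy:
            expiration = int(policy.group(1))  # window announced by the SP
        hit = REJECT.match(line)
        if not hit:
            continue
        stamp, oldest = int(hit.group(2)), int(hit.group(3))
        finding = {
            "message_time_utc": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "oldest_allowed_utc": datetime.fromtimestamp(oldest, timezone.utc).isoformat(),
            "seconds_too_old": oldest - stamp,
            "expiration": expiration,
            # The rejected timestamp is the IdP's IssueInstant in whole seconds.
            "is_issue_instant": int(issued.timestamp()) == stamp,
        }
        if log_utc_offset_hours is not None:
            # ASSUMPTION: log timestamps are local time at this UTC offset.
            local = datetime.strptime(hit.group(1), "%Y-%m-%d %H:%M:%S")
            sp_now = (local - timedelta(hours=log_utc_offset_hours)).replace(tzinfo=timezone.utc)
            finding["sp_clock_minus_issue"] = int(sp_now.timestamp()) - stamp
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyse(LOG, ISSUE_INSTANT, log_utc_offset_hours=2):
        print(f)
```

If the service provider's clock is verified correct, a large `sp_clock_minus_issue` points at the identity provider's clock or at a slow round trip between the two.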
