Hi,

I am not sure if this questions should be addressed to this support team but in hope that some positive information might come up.

I am trying to analyze an SSL handshake failure issue. Based on the issue please find below steps to create client / server certificates. :

openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

At this step I have below files:

ca.crt (which I use as trusted_client.pem), server.crt and server.key at server side

Client Side certificate generation:

openssl genrsa -out client.key 2048
openssl req -out client.csr -key client.key -new
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 360

So now at client side I have below files: client.crt client.key trusted_client.pem [generated during Server certificate step]

I am not sure if I have generated the certificates correctly - but I am trying to test a Mutual trusted Server / Client SSL connection. So there is no certificate chain I have made during their certificate creation - they are self-signed ones.

Note that when asked about the CN I gave "CA" (for CA), "example.com" (for server) and "client" (for client).

When I run the flow I get below error:

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)

Wireshark logs:

103                                                2024-04-01 11:17:42.886627                         Device_00:8c:94 Nearest-non-TPMR-bridge                                           EAPOL               60                     Start

104                                               2024-04-01 11:17:42.887165                          MS-NLB-PhysServer-17_11:11:11:11 Nearest-non-TPMR-bridge            EAP                   60                    Request, Identity
105                                               2024-04-01 11:17:45.890174                          MS-NLB-PhysServer-17_11:11:11:11 Nearest-non-TPMR-bridge            EAP                   60                    Request, Identity
106                                               2024-04-01 11:17:45.892093                         Device_00:8c:94 Nearest-non-TPMR-bridge                                            EAP                   60                     Response, Identity
107                                              2024-04-01 11:17:45.892425                         MS-NLB-PhysServer-17_11:11:11:11 Nearest-non-TPMR-bridge             EAP                    60                    Request, TLS EAP (EAP-TLS)
108                                              2024-04-01 11:17:47.732072                        Device_00:8c:94 Nearest-non-TPMR-bridge                                             TLSv1.2              226                   Client Hello
109                                              2024-04-01 11:17:47.746814                        MS-NLB-PhysServer-17_11:11:11:11 Nearest-non-TPMR-bridge              EAP                  1421                  Request, TLS EAP (EAP-TLS)

110                                              2024-04-01 11:17:47.750570                        Device_00:8c:94 Nearest-non-TPMR-bridge                                              EAP                    60                    Response, TLS EAP (EAP-TLS)

111                                              2024-04-01 11:17:47.750881                        MS-NLB-PhysServer-17_11:11:11:11 Nearest-non-TPMR-bridge              SSL                   1068                  Continuation Data

112                                              2024-04-01 11:17:49.896020                        MS-NLB-PhysServer-17_11:11:11:11 Nearest-non-TPMR-bridge              SSL                   1068                   Continuation Data

113                                              2024-04-01 11:17:50.104051                       Device_00:8c:94 Nearest-non-TPMR-bridge                                               TLSv1.2               233                Client Hello, Alert (Level: Fatal, Description: Certificate Unknown) -- Description: Certificate Unknown (46)

114                                              2024-04-01 11:17:50.104413                       MS-NLB-PhysServer-17_11:11:11:11 Nearest-non-TPMR-bridge               EAP                   60                      Failure

Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done

Frame 111: 1068 bytes on wire (8544 bits), 1068 bytes captured (8544 bits) on interface \Device\NPF_{87758CCA-2149-4961-9FDA-E59432A16D13}, id 0
Ethernet II, Src: MS-NLB-PhysServer-17_11:11:11:11 (02:11:11:11:11:11), Dst: Nearest-non-TPMR-bridge (01:80:c2:00:00:03)
802.1X Authentication
Extensible Authentication Protocol
    Code: Request (1)
    Id: 56
    Length: 1050
    Type: TLS EAP (EAP-TLS) (13)
    EAP-TLS Flags: 0x00
        0... .... = Length Included: False
        .0.. .... = More Fragments: False
        ..0. .... = Start: False
    [2 EAP-TLS Fragments (2437 bytes): #109(1393), #111(1044)]
        [Frame: 109, payload: 0-1392 (1393 bytes)]
        [Frame: 111, payload: 1393-2436 (1044 bytes)]
        [Fragment Count: 2]
        [Reassembled EAP-TLS Length: 2437]
    Transport Layer Security
        TLSv1.2 Record Layer: Handshake Protocol: Server Hello
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 61
            Handshake Protocol: Server Hello
                Handshake Type: Server Hello (2)
                Length: 57
                Version: TLS 1.2 (0x0303)
                Random: e8497a7739576c02beabbb0b95a6b95f026ba3bc167b4992af22b64fb10f1e8b
                    GMT Unix Time: Jun 29, 2093 21:29:51.000000000 India Standard Time
                    Random Bytes: 39576c02beabbb0b95a6b95f026ba3bc167b4992af22b64fb10f1e8b
                Session ID Length: 0
                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
                Compression Method: null (0)
                Extensions Length: 17
                Extension: renegotiation_info (len=1)
                    Type: renegotiation_info (65281)
                    Length: 1
                    Renegotiation Info extension
                Extension: ec_point_formats (len=4)
                    Type: ec_point_formats (11)
                    Length: 4
                    EC point formats Length: 3
                    Elliptic curves point formats (3)
                        EC point format: uncompressed (0)
                        EC point format: ansiX962_compressed_prime (1)
                        EC point format: ansiX962_compressed_char2 (2)
                Extension: extended_master_secret (len=0)
                    Type: extended_master_secret (23)
                    Length: 0
                [JA3S Fullstring: 771,52392,65281-11-23]
                [JA3S: d7d95b173b904a8f4de65bd751cb534a]
        TLSv1.2 Record Layer: Handshake Protocol: Certificate
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 1793
            Handshake Protocol: Certificate
                Handshake Type: Certificate (11)
                Length: 1789
                Certificates Length: 1786
                Certificates (1786 bytes)
        TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 401
            Handshake Protocol: Server Key Exchange
                Handshake Type: Server Key Exchange (12)
                Length: 397
                EC Diffie-Hellman Server Params
        TLSv1.2 Record Layer: Handshake Protocol: Certificate Request
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 153
            Handshake Protocol: Certificate Request
                Handshake Type: Certificate Request (13)
                Length: 149
                Certificate types count: 3
                Certificate types (3 types)
                Signature Hash Algorithms Length: 40
                Signature Hash Algorithms (20 algorithms)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: ed25519 (0x0807)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (7)
                    Signature Algorithm: ed448 (0x0808)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (8)
                    Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (9)
                    Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (10)
                    Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (11)
                    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: SM2 (4)
                    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (5)
                    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (6)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA224 ECDSA (0x0303)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: SHA224 RSA (0x0301)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA224 DSA (0x0302)
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: SHA256 DSA (0x0402)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: SHA384 DSA (0x0502)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Algorithm: SHA512 DSA (0x0602)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: DSA (2)
                Distinguished Names Length: 101
                Distinguished Names (101 bytes)
        TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 4
            Handshake Protocol: Server Hello Done
                Handshake Type: Server Hello Done (14)
                Length: 0



Client Hello, Alert (Level: Fatal, Description: Certificate Unknown)

Extensible Authentication Protocol
    Code: Response (2)
    Id: 56
    Length: 215
    Type: TLS EAP (EAP-TLS) (13)
    EAP-TLS Flags: 0x00
    Transport Layer Security
        TLSv1.2 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 197
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 193
                Version: TLS 1.2 (0x0303)
                Random: 259ea02b1870ac3618e57b7cbdf4a4ad7df085bf1180f24c52141c38f640cdac
                Session ID Length: 0
                Cipher Suites Length: 80
                Cipher Suites (40 suites)
                Compression Methods Length: 1
                Compression Methods (1 method)
                Extensions Length: 72
                Extension: signature_algorithms (len=22)
                Extension: supported_groups (len=24)
                Extension: ec_point_formats (len=2)
                Extension: encrypt_then_mac (len=0)
                Extension: extended_master_secret (len=0)
                Extension: session_ticket (len=0)
                [JA4: 12i400600_9479543b8654_7b0ba9b4cf08]
                [JA4_r [truncated]: 12i400600_002f,0033,0035,0039,003c,003d,0067,006b,009c,009d,009e,009f,00ff,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c09c,c09d,c09e,c09f,c0a0,c0a1,c0a2,c0a3,c0ac,c0ad,c0ae,c0af,cca8,cca9,ccaa_000a,000b,]
                [JA3 Fullstring [truncated]: 771,52392-52393-52394-49196-49200-159-49325-49311-49188-49192-107-49162-49172-57-49327-49315-49195-49199-158-49324-49310-49187-49191-103-49161-49171-51-49326-49314-157-49309-61-53-49313-156-49308-60-47-49312-255]
                [JA3: fee1630eb5b7688c9f8303364702933f]
        TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
            Content Type: Alert (21)
            Version: TLS 1.2 (0x0303)
            Length: 2
            Alert Message
                Level: Fatal (2)
                Description: Certificate Unknown (46)

Is it that certificates are correct the server / client code is at fault - I am running EAP-TLS [https://github.com/championswimmer/kernel_sony_tamsui/tree/master/platform/external/hostap-06] code as client and hostapd daemon as server.

Regards,

Prakash