Community Member

SSL handshake fail

Hi all,

We have configured HTTPS on a 3845 router.

The IOS is : C3845-ADVIPSERVICESK9-M, Version 12.4(22)T, RELEASE SOFTWARE (fc1)

When opening SDM from a web browser, it stops at "Loading SDM, please wait".

Here is the debug output :

*Jan 7 07:26:33.319: %HTTPS: SSL handshake fail (-6992)

*Jan 7 07:26:33.319: HTTP: ssl handshake failed (-40404)

*Jan 7 07:27:27.183: HTTP: Priv level granted 15

*Jan 7 07:27:27.183: Wed, 07 Jan 2009 07:27:27 GMT 192.168.100.185 ok

Protocol = HTTP/1.1 Method = GET

*Jan 7 07:27:27.183:

*Jan 7 07:27:28.803: %HTTPS: SSL read fail (-6992)

*Jan 7 07:27:29.219: its_urlhook url: /archive/flash:home/html/home_aux.shtml, method 1

*Jan 7 07:27:29.219: lds_urlhook, url=/archive/flash:home/html/home_aux.shtml

*Jan 7 07:27:29.239: HTTP: Priv level granted 15

*Jan 7 07:27:29.239: Wed, 07 Jan 2009 07:27:29 GMT 192.168.100.185 /archive/flash:home/html/home_aux.shtml ok

Protocol = HTTP/1.1 Method = GET

*Jan 7 07:27:29.239:

*Jan 7 07:27:29.279: %HTTPS: SSL read fail (-6992)

*Jan 7 07:27:29.523: its_urlhook url: /archive/flash:home/html/home_ui.shtml, method 1

*Jan 7 07:27:29.523: lds_urlhook, url=/archive/flash:home/html/home_ui.shtml

*Jan 7 07:27:29.539: HTTP: Priv level granted 15

*Jan 7 07:27:29.539: Wed, 07 Jan 2009 07:27:29 GMT 192.168.100.185 /archive/flash:home/html/home_ui.shtml ok

Protocol = HTTP/1.1 Method = GET

*Jan 7 07:27:32.939: %HTTPS: SSL read fail (-6992)

*Jan 7 07:27:32.951: %HTTPS: SSL read fail (-6992)

*Jan 7 07:27:33.027: its_urlhook url: /archive/flash:common/common/common.js, method 1

*Jan 7 07:27:33.031: lds_urlhook, url=/archive/flash:common/common/common.js

*Jan 7 07:27:33.035: HTTP: Priv level granted 15

*Jan 7 07:27:33.035: Wed, 07 Jan 2009 07:27:33 GMT 192.168.100.185 /archive/flash:common/common/common.js ok

Protocol = HTTP/1.1 Method = GET

*Jan 7 07:27:33.035:

*Jan 7 07:27:33.067: %HTTPS: SSL read fail (-6992)

*Jan 7 07:27:33.131: its_urlhook url: /archive/flash:home/html/home_ui.shtml, method 1

*Jan 7 07:27:33.131: lds_urlhook, url=/archive/flash:home/html/home_ui.shtml

*Jan 7 07:27:33.147: HTTP: Priv level granted 15

*Jan 7 07:27:33.147: Wed, 07 Jan 2009 07:27:33 GMT 192.168.100.185 /archive/flash:home/html/home_ui.shtml ok

Protocol = HTTP/1.1 Method = GET Query = SecureChecked&APPLaunched

*Jan 7 07:27:33.147:

*Jan 7 07:27:33.207: %HTTPS: SSL read fail (-6992)

*Jan 7 07:27:33.263: its_urlhook url: /archive/flash:home/html/home_engine.shtml, method 1

*Jan 7 07:27:33.263: lds_urlhook, url=/archive/flash:home/html/home_engine.shtml

*Jan 7 07:27:33.283: HTTP: Priv level granted 15

*Jan 7 07:27:33.283: Wed, 07 Jan 2009 07:27:33 GMT 192.168.100.185 /archive/flash:home/html/home_engine.shtml ok

Protocol = HTTP/1.1 Method = GET Query = SecureChecked&APPLaunched

*Jan 7 07:27:33.283:

*Jan 7 07:27:34.703: %HTTPS: SSL handshake fail (-6992)

*Jan 7 07:27:34.703: HTTP: ssl handshake failed (-40404)

*Jan 7 07:27:34.703: its_urlhook url: /archive/flash:common/common/appsupport.js, method 1

*Jan 7 07:27:34.703: lds_urlhook, url=/archive/flash:common/common/appsupport.js

*Jan 7 07:27:34.711: HTTP: Priv level granted 15

*Jan 7 07:27:34.711: Wed, 07 Jan 2009 07:27:34 GMT 192.168.100.185 /archive/flash:common/common/appsupport.js ok

Protocol = HTTP/1.1 Method = GET

*Jan 7 07:27:34.711:

*Jan 7 07:27:35.451: HTTP:Enable sock read fd 5 failed

*Jan 7 07:27:35.531: %HTTPS: SSL read fail (-6992)
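The debug output above mixes three different things: TLS failures (`%HTTPS: SSL handshake fail` / `SSL read fail`), successful authentication (`HTTP: Priv level granted 15`) and the individual SDM file fetches (`its_urlhook url:`). The script below is an added example, not part of the original thread and not a Cisco tool; it parses that debug format, counts failures by kind and error code, and for every fetched URL reports the first SSL failure that follows it. The sample log is a constructed subset of the lines posted above; the function and field names are my own.

```python
"""Summarise Cisco IOS HTTPS debug output: which failures occur, and where in the flow."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the router debug lines from the post above.
SAMPLE_LOG = """\
*Jan 7 07:26:33.319: %HTTPS: SSL handshake fail (-6992)
*Jan 7 07:26:33.319: HTTP: ssl handshake failed (-40404)
*Jan 7 07:27:27.183: HTTP: Priv level granted 15
*Jan 7 07:27:28.803: %HTTPS: SSL read fail (-6992)
*Jan 7 07:27:29.219: its_urlhook url: /archive/flash:home/html/home_aux.shtml, method 1
*Jan 7 07:27:29.239: HTTP: Priv level granted 15
*Jan 7 07:27:29.279: %HTTPS: SSL read fail (-6992)
*Jan 7 07:27:33.027: its_urlhook url: /archive/flash:common/common/common.js, method 1
*Jan 7 07:27:33.067: %HTTPS: SSL read fail (-6992)
*Jan 7 07:27:34.703: %HTTPS: SSL handshake fail (-6992)
*Jan 7 07:27:34.703: HTTP: ssl handshake failed (-40404)
*Jan 7 07:27:34.703: its_urlhook url: /archive/flash:common/common/appsupport.js, method 1
*Jan 7 07:27:35.451: HTTP:Enable sock read fd 5 failed
*Jan 7 07:27:35.531: %HTTPS: SSL read fail (-6992)
"""

# Timestamped debug line: "*Jan 7 07:26:33.319: <message>" (IOS may pad the day with two spaces).
LINE_RE = re.compile(r"^\*(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+):\s*(?P<msg>.*)$")
SSL_FAIL_RE = re.compile(r"%HTTPS: SSL (?P<op>handshake|read) fail \((?P<code>-?\d+)\)")
HTTP_FAIL_RE = re.compile(r"HTTP: ssl handshake failed \((?P<code>-?\d+)\)")
URL_RE = re.compile(r"its_urlhook url: (?P<url>\S+), method (?P<method>\d+)")
PRIV_RE = re.compile(r"HTTP: Priv level granted (?P<level>\d+)")


def _parse_ts(raw):
    # IOS debug timestamps carry no year; only deltas within one capture matter here.
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S.%f")


def _classify(msg):
    """Map one debug message to an event kind plus the fields worth keeping."""
    f = SSL_FAIL_RE.search(msg)
    if f:
        return {"kind": "ssl_%s_fail" % f.group("op"), "code": int(f.group("code"))}
    f = HTTP_FAIL_RE.search(msg)
    if f:
        return {"kind": "http_handshake_fail", "code": int(f.group("code"))}
    f = URL_RE.search(msg)
    if f:
        return {"kind": "request", "url": f.group("url"), "method": int(f.group("method"))}
    f = PRIV_RE.search(msg)
    if f:
        return {"kind": "priv_granted", "level": int(f.group("level"))}
    return {"kind": "other"}


def parse_debug(text):
    """Turn raw debug text into a list of event dicts, skipping untimestamped continuation lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. "Protocol = HTTP/1.1 Method = GET" belongs to the previous line
        ev = {"ts": _parse_ts(m.group("ts")), "msg": m.group("msg")}
        ev.update(_classify(ev["msg"]))
        events.append(ev)
    return events


def summarize(events):
    """Counts per event kind and per SSL/HTTP error code, plus the distinct URLs fetched."""
    kinds = Counter(ev["kind"] for ev in events)
    codes = Counter(ev["code"] for ev in events if "code" in ev)
    urls = sorted({ev["url"] for ev in events if ev["kind"] == "request"})
    return {"kinds": dict(kinds), "codes": dict(codes), "urls": urls}


def failures_after_request(events, window_s=2.0):
    """For each fetched URL, the first SSL failure within window_s seconds: (kind, code, delta).

    This separates 'the session never came up' (handshake fail with no request near it)
    from 'the router served the page and the session then died' (read fail right after
    a request that was granted privilege 15), which is the distinction to make before
    blaming the router's certificate or the client's TLS settings.
    """
    out = {}
    for i, ev in enumerate(events):
        if ev["kind"] != "request":
            continue
        out.setdefault(ev["url"], None)
        for later in events[i + 1:]:
            delta = (later["ts"] - ev["ts"]).total_seconds()
            if delta > window_s:
                break
            if later["kind"] in ("ssl_read_fail", "ssl_handshake_fail"):
                out[ev["url"]] = (later["kind"], later["code"], delta)
                break
    return out


if __name__ == "__main__":
    evs = parse_debug(SAMPLE_LOG)
    print(summarize(evs))
    for url, hit in failures_after_request(evs).items():
        print(url, "->", hit)
```

Run it against a full `debug ip http ssl` / `debug ip http transactions` capture instead of the sample: a high `priv_granted` count next to an equally high `ssl_read_fail` count means authentication and the HTTP layer are fine and the problem is the TLS session being torn down after each response, which is the pattern in the post.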

3 REPLIES

Re: SSL handshake fail

If you are sure everything is set up correctly, it might be related to bug CSCsr08017.

I suggest that you try "Cisco Configuration Professional" ver 1.2.

Community Member

Re: SSL handshake fail

Hi,

Here's the config we have put:

ip http server

ip http secure-server

ip http authentication local

On other IOS versions we use the same config and there's no problem.

We haven't found any information on bug CSCsr08017.

Should we change IOS version?

Re: SSL handshake fail

Is the working IOS the same version as this one? If not, you can try changing the IOS to the same version as the working one.

This is the only bug I found which has a similar symptom to yours. The problem is on the SDM side. "Cisco Configuration Professional ver 1.2" should have a fix for this bug.

Could you please check whether HTTP works?

What kind of web browser are you using?

Can you try a different browser?

You can try the following. If none of them works, I suggest you use "Cisco Configuration Professional 1.2".

1. Please make sure that SSL 2.0 and SSL 3.0 are enabled and TLS 1.0 is disabled in Java Control Panel > Advanced > Security.

2. Reconfigure the self-signed trustpoint and regenerate the RSA key with the following steps:

ourend(config)#no crypto pki trustpoint TP-self-signed-2460894829
------> delete the trust points on the router
ourend(config)#crypto key zeroize rsa
ourend(config)#crypto key generate rsa
The name for the keys will be: ourend.vpn.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

ourend(config)#crypto pki trustpoint selfsigned
ourend(ca-trustpoint)#enrollment selfsigned
ourend(config)#crypto pki enroll selfsigned
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Generate Self Signed Router Certificate? [yes/no]: y

Router Self Signed Certificate successfully created
