SSL handshake failure error when ECDSA based authentication cipher is used in the connection request but the key pair uploaded to the DLB is RSA based. Authentication cipher: RSA vs ECDSA

Published: Oct 1, 2024
Solution

SYMPTOM

If the DLB and a client agree on an ECDSA cipher, but no ECDSA certificate and key have been uploaded to the DLB, the DLB terminates the SSL handshake with a fatal alert and the client reports one of the following SSL error messages:
SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
or
Error: write EPROTO 140434219616616:error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:../../third_party/boringssl/src/ssl/tls_record.cc:594:SSL alert number 40 140434219616616:error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO:../../third_party/boringssl/src/ssl/handshake.cc:603:

CAUSE

The certificate and key pair uploaded for the SSL endpoint of the DLB were generated with the RSA algorithm, not the ECDSA algorithm, so the DLB has no ECDSA credential to complete a handshake in which an ECDSA cipher was negotiated.

SOLUTION

To use an ECDSA authentication cipher, the certificate and key pair must be generated with an ECDSA-based algorithm and applied to the SSL certificate and key configuration on the DLB (see How to update a certificate on a DLB (Dedicated Load Balancer)). However, the current DLB configuration offers only one key pair per SSL endpoint, so an endpoint can be configured with a certificate and key generated with either RSA or ECDSA, but not both.

Please note that if you configure the DLB with a key pair generated using the ECDSA algorithm, clients that connect to the DLB using RSA-based ciphers will no longer be able to connect.
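As an added example (not part of this article or of the DLB product), the following POSIX shell script uses the openssl CLI to do two things a practitioner would want before changing the DLB configuration: check which public-key algorithm a certificate carries, and reproduce the mismatch locally by offering only an ECDSA cipher to a server that holds an RSA certificate. The file names, the port number and the `.invalid` hostnames are constructed placeholders; the throwaway certificates are generated by the script itself.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Requires the openssl CLI (1.1.1 or later).
set -eu

# cert_key_algorithm CERT.pem
# Prints "RSA" or "ECDSA" for the certificate's public key (raw OpenSSL
# algorithm name for anything else). A DLB endpoint serving RSA-authenticated
# ciphers needs "RSA" here; ECDSA ciphers need "ECDSA".
cert_key_algorithm() {
    alg=$(openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$alg" in
        rsaEncryption)  echo RSA ;;
        id-ecPublicKey) echo ECDSA ;;
        *)              echo "$alg" ;;
    esac
}

# make_test_certs DIR
# Constructed test material: one self-signed RSA cert and one self-signed
# ECDSA (P-256) cert. Subject names are placeholders.
make_test_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/rsa.key" -out "$dir/rsa.crt" \
        -subj "/CN=rsa-example.invalid" >/dev/null 2>&1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
        -keyout "$dir/ec.key" -out "$dir/ec.crt" \
        -subj "/CN=ecdsa-example.invalid" >/dev/null 2>&1
}

# probe_ecdsa_cipher CERT KEY PORT
# Starts a local TLS server with the given credential, then connects offering
# only an ECDSA-authenticated TLS 1.2 cipher. Prints "ok" when the handshake
# completes and "handshake failure" when the server cannot satisfy the cipher,
# which is the alert the article describes.
probe_ecdsa_cipher() {
    cert=$1; key=$2; port=$3
    openssl s_server -accept "$port" -cert "$cert" -key "$key" -www >/dev/null 2>&1 &
    srv=$!
    sleep 1
    if out=$(openssl s_client -connect "127.0.0.1:$port" -tls1_2 \
            -cipher ECDHE-ECDSA-AES128-GCM-SHA256 </dev/null 2>&1); then
        result=ok
    else
        case "$out" in
            *"handshake failure"*) result="handshake failure" ;;
            *)                     result="connection failed" ;;
        esac
    fi
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    echo "$result"
}

# Demo run: sh check_dlb_cert.sh demo   (file name is a placeholder)
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_test_certs "$work"
    echo "rsa.crt key algorithm: $(cert_key_algorithm "$work/rsa.crt")"
    echo "ec.crt  key algorithm: $(cert_key_algorithm "$work/ec.crt")"
    echo "ECDSA cipher against RSA cert:   $(probe_ecdsa_cipher "$work/rsa.crt" "$work/rsa.key" 14433)"
    echo "ECDSA cipher against ECDSA cert: $(probe_ecdsa_cipher "$work/ec.crt" "$work/ec.key" 14434)"
    rm -rf "$work"
fi
```

The probe forces TLS 1.2 on purpose: TLS 1.2 cipher suite names such as `ECDHE-ECDSA-AES128-GCM-SHA256` encode the authentication algorithm, so restricting the client's cipher list is enough to demand an ECDSA certificate. TLS 1.3 cipher suites do not carry the authentication algorithm (the certificate type is negotiated through the signature_algorithms extension instead), so the same `-cipher` restriction would not reproduce the mismatch on a TLS 1.3 connection.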
 
Knowledge Article Number

001122374
