TLS Handshake fails on Mac OS X

Similar Messages

• Wireless ISE - 12508 EAP-TLS handshake failed

  Hi guys,
  I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:
  Authentication failed : 12508 EAP-TLS handshake failed
  OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,
  Setup:
  - Single standalone ISE 3355 appliance
  - Two tier MS enterprise PKI (outside of my direct control)
  - WLC 5508
  - Windows 7 laptop\
  - The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
  - The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.
  Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
  This is what TAC came back with, but none of the workarounds helped
  Symptom:
  ========
  EAP-TLS auth handshake  failing with X509 decrypt error. The error presented to the ISE  administrator is "12508: EAP-TLS handshake failed"
  Conditions:
  =========
  EAP-TLS certificate based authentications ISE 1.1.2.145
  Workaround:
  ===========
  1) Reboot or restart ISE  application service 2) Recreate CAP (Certificate Authentication Profile)  3) Toggle between ID sequence and single ID source

  Hi Amjad,
  Thanks for the response.  I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
  Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year).  On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
  The certificate format has not been modified in any way.  The server and identity certs have been pushed out to the clients via GPO. Tthe root and intermediate certs were exported in DER format directly from each the respective CAs and imported directly in to the ISE
  Cheers,
  Owen

• EAP-TLS error .........failed SSL/TLS handshake because of an unknown CA in client certificate chain

  Hi,
  I am using 802.1x and EAP-TLS as authentication protocol. The clients are not able to pass the authentication the error log on ACS is
  Authentication failed: EAP-TLS handshake failed SSL/TLS handshake because of an unknown CA in the client certification chain.
  I have installed certificates on the WLC and ACS, however authentication is unsuccessful.
  Can anybody help regarding this issue.

  Hi Sandeep,
  Web auth certificate is defult certificate in wlc but you can also use your own(3rd party).
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.html
  Virtual interface : This interface handles any mobility management, VPN Termination, Web authentication, and is also a DHCP relay for WLAN clients.
  Yes its interconnected, the purpose for this entry is so that the controller knows the name of the of the certificates to virtual address translation.
  1. Guest Client go to google.com
  2. Client goes to DNS (the one its is assign in DHCP)
  3. DNS resolves the DNS for google.com
  4. Client then attempts to go to google.com
  5. Controller intercepts GET and replaces it with a 1.1.1.1
  6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negat the (accpet this cert screen)
  7. DNS then gets resolve to the name (example guest.xxx.com)
  8. Controller presents the guest screen
  Hope it helps.
  Regards
  Dont forget to rate helpful posts

• ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

  Hello, I´m stucked with this problem for 3 weeks now.
  I´m not able to configure the EAP-TLS autentication.
  In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
  The ISE´s certificate has been issued with the "server Authentication certificate" template.
  The clients have installed the certificates  also the certificate chain.
  When I try to authenticate the wireless clients I allways get the same error: "     Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
  and "OpenSSLErrorMessage=SSL alert
  code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
  I don´t know what else can I do.
  Thank you
  Jorge

  Hi Rik,
  the Below are the certificate details
  ISE Certificate Signed by XX-CA-PROC-06
  User PKI Signed by XX-CA-OTHER-08
  In ISE certificate Store i have the below certificates
  XX-CA-OTHER-08 signed by XX-CA-ROOT-04
  XX-CA-PROC-06 signed by XX-CA-ROOT-04
  XX-CA-ROOT-04 signed by XX-CA-ROOT-04
  ISE certificate signed by XX-CA-PROC-06
  I have enabled - 'Trust for client authentication' on all three certificates
  this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
  when i check the certificates of current user in the Client PC this is how it shows.
  XX-CA-ROOT-04 is listed in Trusted root Certification Authority
  and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

• 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

  Hi guys,
  I have root CA and intermediate CA in ISE local certificate store trusted for client authentication.
  I have imported both root ca and client certificate in the device I want to authenticate, but ISE keeps spitting out this error :
  12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

  Refer the link for troubleshooting in page no 22 the issue is mentioned, check it: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf

• ISE 1.2 EAP-TLS handshake to external RADIUS

  Hi everyone!
  I'm trying to implement ISE to authenticate a wireless network using a cisco WLC 5508, I have an ISE virtual Appliance version 1.2  and a WLC 5508 version 7.6 with several 3602e Access Points (20 aproximately).
  Right now they are authenticating with a RADIUS Server (which I don't manage, it's out of my scope), the WLC uses this RADIUS Server to authenticate using 802.1x and EAP-TLS (which means the clients need to have a valid certificate and be in the RADIUS database which is integrated to the Active Directory), I can't touch the CA either. So now I need to authenticate using Cisco ISE instead of the RADIUS Server (at least directly), the problem is that for "security" reasons or whatever they don't let me integrate the ISE to the CA, so I added the RADIUS server as an external identity source and made my authentication Policy rule pointing at it, like this:
  If: Wireless_802.1X          Allow Protocols: Default Network Access          Use: RADIUS
  Then I added ISE as a RADIUS Server on my WLC and made a Test SSID 802.1X pointing to ISE to authenticate and all that, I did some tests and I got this error:
  12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
  Which means the clients are trying to do the EAP-TLS Process to validate the certificate with the Cisco ISE (but ISE does not have the certificate because they won't let me integrate to the CA directly) so it fails. Is there any way I can do something to redirect that EAP-TLS handshake to the exernal RADIUS Server? Making ISE kind of like a connecting point only for the authentication, I realize it's not the best scenario but giving the circumstances it's the best I can do for now, later on I will add the AD to ISE and start creating some authorization policies based on that, but right now I just want them to authenticate.
  Any help is appreciated, thanks in advance!

• Eap tls authentication fails if bluetooth device connected

  Hi All, I'm new to Macs but was tasked with getting a MacBook Air connected to our AD integrated, 802.1x wifi network. After a lot of trial and error with certificates I finally got this working but now have a rather bizarre problem. With the MBA on it's own it will connect to the wifi network, sucessfully authenticate and work perfectly well. However, if my Apple bluetooth mouse or keyboard are connected to the MBA the EAP-TLS authentication fails. A packet capture of the connection process shows that at the same point every time the process take a while then a packet shows as "Unknown Error Ignored", then loops thorugh the process. Turning off the keybpard and mouse at this point and the MBA will connect. Once connected I can then connect the keyboard and mouse and continue to stay connected for a while before, I assume, the AP forces a re-auth and the connection drops again.
  Has anyone come across this elsewhere?
  Thanks

  I have a Macbook Pro Retina 15" from 2012 and it has the same issue. Running 10.8.4. I have spent probably 5-6 hours trying to troubleshoot cert's network settings, did a complete fresh install (then restored from timemachine when that did not work) with no luck this solution worked but obviously is not a real solution as it should not confilct in this way. Great job on finding a workaround! I will be contacting apple about this ASAP under my applecare.

• Regarding mountain lion server: clients experience intermittent service connections. the server system log has the following error- Client handshake failed (6):113: Server not accepting client connections (any ideas???)

  regarding mountain lion server: clients experience intermittent service connections. the server system log has the following error- Client handshake failed (6):113: Server not accepting client connections. any suggestions would be greatly appreciated - thank you

  Hi Jason
  I was getting the same behavior after Apple support had me delete some plist files to get Airplay going. I was also getting the following error:
  the error occurred while processing a command of type 'writesettings' in the plug-in 'server vpn'
  I went into ~/Library/Preferences/ and /Library/Preferences/ and deleted every plist contating the word server. I had to re-set up my server (meaning walk through some intial steps) but all of my settings were still there after that and everything started working again.
  Just a thought, obviously try at your own risk but it worked for me.
  Kellen

• SSL handshake failed: X509CertChainIncompleteErr - How to call secure WS?

  Hi all, I'm trying to use a third party web service over SSL. I'm using jdk 1.5.0_11 and jDev 10.1.3.0.4.
  Here is what I've done so far:
  1 - I generated a web service proxy using jDev's wizard.
  2 - I created a simple keystore with keytool with the following cmd:
  keytool -genkey -keystore techdspc.keystore -storepass ****** . I copied the .keystore file in my project under the src directory.
  3 - I used the wizard "Secure Proxy" on my web service with the following options:
  - "Use x509 to authenticate"
  - I specified my newly created keystore file as the keystore path as well as the password.
  - I left the default choice to all the other options.
  Once the files were all created by the wizard, I tried out the proxy and got the following error:
  ATTENTION: Unable to connect to URL: https://test.eai.adpclaims.com/WSProxy/WS_Proxy.asmx due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
  java.rmi.RemoteException: ; nested exception is:
       HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
       at audatex3.runtime.WSProxySoap_Stub.transmit(WSProxySoap_Stub.java:679)
       at audatex3.WSProxySoapClient.transmit(WSProxySoapClient.java:83)
       at audatex3.WSProxySoapClient.main(WSProxySoapClient.java:43)
  The owner of the Web Service told me that the error is without a doubt on the proxy side. Si my question is: What am I doing wrong?
  Your help will be greatly appreciated.
  thanks!

  I tried generating an other keystore with a slightly different cmd and I still get the same error so this does not seem to be the problem...
  Any ideas?¸
  Thanks

• SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has be

  Hello, I have a sql 2005 server, and I am a developer, with the database on my own machine.  It alwayws works for me but after some minutes the other developer cant work in the application
  He got this error
  Login failed for user ''. The user is not associated with a trusted SQL Server connection. [CLIENT: 192.168.1.140]
  and When I see the log event after that error, it comes with another error.
  SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 192.168.1.140]
  He has IIS5 and me too.
  I created a user on the domain called ASPSYS with password, then in the IIS on anonymous authentication I put that user with that password, and it works, on both machines.
  and in the connection string I have.
  <add key="sqlconn" value="Data Source=ESTACION15;Initial Catalog=GescomDefinitiva;Integrated Security=SSPI; Trusted_Connection=true"/>
  I go to the profiler, and I see that when he browses a page, the database is accesed with user ASPSYS, but when I browse a page, the database is accesed with user SE\levalencia.
  Thats strange.
  The only way that the other developer can work again on the project is to restart the whole machine. He has windows xp profession, I have windows 2000.
  If you want me to send logs please tellme

  Well here's my problem, maybe you can help. Intermittenly I get a login failed when connecting to a db engine through Server Management Studio using Windows authentication. When this happens the following entries are generated on the server's application event log:
  Event Type:        Error
  Event Source:    MSSQLSERVER
  Event Category:                (4)
  Event ID:              17806
  Date:                     1/14/2009
  Time:                     10:41:31 AM
  User:                     N/A
  Computer:          <server name>
  Description:
  SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: <ip address>]
  Event Type:        Failure Audit
  Event Source:    MSSQLSERVER
  Event Category:                (4)
  Event ID:              18452
  Date:                     1/14/2009
  Time:                     10:41:31 AM
  User:                     N/A
  Computer:          <server name>
  Description:
  Login failed for user ''. The user is not associated with a trusted SQL Server connection. [CLIENT: <ip address>]
  I've already ensured that the server is set to mixed authentication mode. Oddly enough, the workaround that I've found is that if I remote desktop into the server, log in and then log back out, Management Studio is suddenly able to connect again. No idea why it works. 
  As I said before, it is intermitten. Some days it errors on login, other days it doesn't and there are no configuration changes between them. Also, both client and server are in the same domain and same site so there is no VPN or anything in between. I'm really quite stumped. Any help would be great, or if you can point me in the right direction of where to look. Thank you in advance!

• My home sharing continually fails between mac and apple tv 2.

  my home sharing continually fails between mac and apple tv 2, even during watching a movie.  I go to the mac to re-turn on home sharing but it is still on.  Any tips?  I also have to turn off and back on at the mac every time i switch on my apple tv.

  Sharing Stopped working again over night.
  I went to Apple Support Artical TS2972
  As soon as I did this Home Sharing started working
  http://support.apple.com/kb/TS2972
  Firewall Section
  5. Check Firewall Settings
  If you have a firewall enabled in your router or computer, make sure that the firewall is not blocking communication between your computers. Home Sharing uses TCP port 3689 and UDP port 5353 to communicate with shared iTunes libraries.
  In addition, Apple TV and Mac computers will use port 123 to set the time automatically. Incorrect date and time on either the computer or Apple TV can cause errors for Home Sharing and connections in general.
  If you are unsure whether your router has a firewall or the required ports open, test additional devices or another network to help isolate the issue. If the devices tested work on another home network, it is your router or network configuration.
  For Mac OS X, you don't have to edit the port addresses, but make sure the firewall in Apple () menu > System Preferences > Security > Firewall are not set to:
  Block all incoming connections
  Allow only essential services
  If you use another security/firewall software on your computer or router, follow this article or contact the manufacturer or check the documentation on how to open TCP ports 123 and 3689 as well as UDP ports 123 and 5353.
  It made sense to me, but its still puzzling me after restarting a router would (in my first attempt) resolve the issue for a day.  This this time I applied the port forwarding TCP and UDP ports and saved the settings in the DLink DIR-655 and both my iPad2 and iPhone 3GS were now again finding the share. My ATV2 is also now accepting the Share.
  Tommorrow will be the true test.

• I am trying to attach an Ipod touch to an older Power Book G4, It says that the Ipod cannot be used because it needs Itunes version 9.2 (running 8.0.1). When I try to install the latest 10.3.1 it says ("Open failed" requires Mac OX S 10.5

  I am trying to attach an Ipod touch to an older Power Book G4.
  Itunes says that the Ipod cannot be used because it needs Itunes version 9.2 (running 8.0.1).
  When I try to install the latest Itunes version 10.3.1 Mac says ("Open failed" requires Mac OX S 10.5.

  Click here and install the software.
  (58765)

• Sending mail with attachment fails on MAC Mail and WRP400.

  Sending mail with attachment fails on MAC Mail and WRP400.
  We have hundreds of WRP400 connected with Mac (Machintosh) computers. No special configurations are applied (no virtual server or DMZ). Web navigation, P2P programs and sending mail without attachment work right.
  The problem is the impossibility to send mails with medium or big size files attachment from MAC Mail.
  If we use Windows PCs or a different linksys routers (eg. WRT54G) the problem not happens.
  We have upgraded WRP400 firmware version from 1.00.06 to 2.00.05 but the result is the same. Sending mail with attachment using Mac fails.
  We tried to configure WRP400 with DMZ to a particular MAC. We tried to configure Virtual server on tcp 25 port of a MAC. The result is always the same.
  This is a WRP400 bug? Windows PCs work right. MAC and MAC mail works right with other linksys router.
  We need help. Thanks.

  The problem was fixed since beta firmware 2.00.11.
  I think that this issue was caused from a bug that decrease upload bitrate of WRP400 after some days of activity.
  See more details on Cisco forum under title "WRP400 stops responding after browsing certain websites".
  Thanks.

• SSL handshake failed: X509CertChainIncompleteErr

  I am trying to send name-value pairs using https and JSSE. I am using JDev 9i, and first I create a war file and bundle JSSE with it, then deploy it to an ear file, and use Enterprise Manager of 9iAS Rel2 to deploy the ear file to the server (on Windows 2000).
  I get the following error (please excuse the test output lines):
  Response: xxx test000+ test0+ test1+ test2+ test3+ test4+ test4a+
  javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
  Here's my code:
  import java.net.*;
  import java.io.*;
  import com.sun.net.ssl.*;
  public class testsend {
  public testsend()
  public String myTest () throws Exception {
  String endresult = "xxx ";
  String url = "https://www.mysite.com/myfile.php?" ;
  endresult = endresult + "test000+ ";
  // actual name-value pairs are sent out, this is just an example
  String data = "name1=value1&name2=value2";
  URL server = null;
  try {
  server = new URL(url);
  endresult = endresult + "test0+ ";
  catch(MalformedURLException e) {
  endresult = endresult + e.getMessage();
  ObjectInputStream myresponse = null;
  Object result = null;
  try {
  URLConnection con = server.openConnection();
  endresult = endresult + "test1+ ";
  con.setDoOutput(true);
  con.setUseCaches(false);
  con.setRequestProperty("Content-Type", "application/octet-stream");
  endresult = endresult + "test2+ ";
  ObjectOutputStream request = new ObjectOutputStream(new BufferedOutputStream(con.getOutputStream()));
  endresult = endresult + "test3+ ";
  request.writeObject(data);
  endresult = endresult + "test4+ ";
  request.flush();
  endresult = endresult + "test4a+ ";
  request.close();
  endresult = endresult + "test4b+ ";
  // get the result input stream
  myresponse = new ObjectInputStream(new BufferedInputStream(con.getInputStream()));
  endresult = endresult + "test6+ ";
  // read response back from the server
  result = myresponse.readObject();
  endresult = endresult + result.toString();
  catch(Exception e) {
  endresult = endresult + e.getMessage();
  return endresult;
  I've searched for the error message on the web but did not have much luck finding a solution. It obviously won't open a input stream.
  Any one have any thoughts? Thanks.
  jv

  Hi Francisco,
  I am(Oracle 9iAS) sending SOAP messages over SSL to a remote server(Microsoft IIS) hosting the web services. The remote HTTPS site is up and I can view the certificate. It has a 3 level chain. user certificate, intermediate and a root CA.
  Through my application when I try to establish handshake, I have some code to display the certificate chain of the remote server. Here I see only the user and the intermediate certificate. I donot see the root CA. I understand that this is the reason for the Incomplete cert chain error. Is this something the remote server hosting the web services should do with their configuration?? Or can I do something at my end??
  Please let me know,
  Thank you

• SSPI handshake failed with error code 0x8009030c and Login failed for user''

  I got the following error when tried to connect to local machine in the
  non-domain environment with Windows Authentication by SSMS.
  "SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security."
  "Login failed for user''. the user is nothing associated with a trusted SQL server connection."
  questions
  1,if I saw the "SSPI handshake failed ", does it means it must used Kerberos but failed? or it is also possible used the NTLM but failed?
  2,Any ideas for this issue?
  Please click the Mark as Answer button if a post solves your problem!

  Hi Michael,
  Firstly, "SSPI Handshake Failed" error happens usually when connection failed between the server and domain controllers or failed Kerberos authentication. For more details about "SSPI Handshake Failed" error, please review this
  FAQ.
  Secondly, regarding to your error message, it could be caused by loopback check. To resolve the issue, please set the DisableLoopbackCheck registry entry to 1 by performing the following steps.
  1.Click Start, click Run, type regedit, and then click OK.
  2.Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3.Right-click Lsa, point to New, and then click DWORD Value.
  4.Type DisableLoopbackCheck, and then press ENTER.
  5.Right-click DisableLoopbackCheck, and then click Modify.
  6.In the Value data box, type 1, and then click OK.
  7.Exit Registry Editor.
  8.Restart the computer.
  There is a similar blog about your scenario for your reference.
  http://www.bhcblog.com/2009/10/08/fix-for-login-failed-for-user-the-user-is-not-associated-with-a-trusted-sql-server-connection/
  Thanks,
  Lydia Zhang
  If you have any feedback on our support, please click
  here.
  Lydia Zhang
  TechNet Community Support