sslv3 alert handshake error


Reyes Garcia

Nov 19, 2014, 1:30:13 AM
to node...@googlegroups.com
Hello all,

I have been attempting to use this module with no luck. I feel I am getting closer but maybe y'all can help.

I am receiving an error that states

apn Error occurred with trace: +1ms Error: 7580:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:openssl\ssl\s3_pkt.c:1275:SSL alert number 40

As you can tell from the error I have debugging enabled, but there is nothing tangible that I can go off here. After googling "error:14094410" I am finding a couple of potential culprits.

1. They are saying that sslv3 alert means that Apple doesn't use sslv3 for push notifications anymore. "Try to use explicitly sslv2:// or sslv3:// "
I am not sure how I can change the method by which I connect.

2. I have also found posts saying that the certificate location may be the problem.
I have this set to the default cert.pem and key.pem in the top level directory with my server.js (See Below)

---- Application
-config
-node_modules
-server.js
-cert.pem
-key.pem
-entrust_2048_ca.pem
-AppleWWDRCA.pem
-AppleIncRootCertificate.pem

I have also added the chained certificates in the options parameter
var options = {
    cert : 'cert.pem',
    key: 'key.pem',
    ca: ['entrust_2048_ca.pem','AppleIncRootCertificate.pem','AppleWWDRCA.pem']
};

One additional note: I have used the openssl client to successfully connect to the apn, so I know the certs work. I am just unable to get them to work in node-apn.

Here is the output from the openssl s_client
    Start Time: 1416378490
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)


Thanks for all the help in advance and wish me luck!


 
 



Andrew R. Naylor

Nov 19, 2014, 9:31:22 AM
to Reyes Garcia, node...@googlegroups.com
Hi,

I have noticed a number of people with a similar error. It may be due to the SSLv3 change; however, the same error occurs with some certificate/key problems, and I have yet to be able to reproduce the error on any of my machines without specifying SSLv3 explicitly. If you could try making a change to one of the node-apn files we can find out whether it is in fact a TLS/SSL problem or something else.

node tls is designed so that by default it will select the highest TLS/SSL protocol it has in common with the server. On most machines this should be TLS so it will use that. The only thing I can think is that perhaps your machine doesn’t have TLS compiled in which seems very strange as it is not exactly a new protocol.

It is possible to force node to use TLS by changing a line in node-apn. If you could open apn/lib/connection.js, around line 170 you should find a set of lines setting properties on a `socketOptions` object. Add the following line somewhere in that group, before “this.socket = …”

socketOptions.secureProtocol = "TLSv1_method";

Try connecting again and see whether it connects successfully.

Regards,

—A


Reyes Garcia

Nov 19, 2014, 7:55:51 PM
to node...@googlegroups.com, re...@slikcode.com
Hey Andrew,

I went in and added that additional property but I am still getting the same sslv3 alert handshake failure. Now I am starting to think it has something to do with the certificates but like I said before I have validated them using the openssl s_client. I am not sure what I am doing wrong. 

A couple of other notes:
- I am running this node server on a Windows box. I don't know whether or not this makes a difference. (I just haven't seen a lot of examples trying to push notifications from Windows.)
- I have telnetted to the sandbox gateway to ensure the port was open.

Thanks for the help, man. I really appreciate it.

Michael Hielscher

Jan 14, 2015, 11:22:26 AM
to node...@googlegroups.com, re...@slikcode.com
Hi There, 

I have exactly the same problem and tried the solution with "TLSv1_method", but it didn't make a change. With the openssl test command the certificate works; if I add "-ssl3" to the openssl command I get exactly the same Error 40 as from nodejs. I had a successful connection yesterday with another pair of .pem files, so I guess it is something related to the certificates.

I solved the issue by creating a new SSL Certificate apn_production.cer on the Apple page with my own SignRequestCert. Maybe try the whole certificate creation process again.

Kind regards

Andrew R. Naylor

Jan 15, 2015, 11:09:23 AM
to Michael Hielscher, node...@googlegroups.com, re...@slikcode.com
Something I discovered is that if you try to run:

openssl s_client -connect gateway.sandbox.apple.com:2195

Without specifying certificates you also get the Error 40. I'm pretty sure it's related to OpenSSL not being able to supply a certificate that matches what the server requested. The likely reason that -ssl3 causes the same problem is that it's not able to negotiate a certificate exchange because the server is rejecting an SSLv3 handshake.

—A
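
The error line from the first post can be decoded to show that "Error 40" is a TLS alert the server sent back during the handshake. This is an added example, not code from the thread or from node-apn; `decodeOpenSslError` is a hypothetical helper, and it assumes the pre-3.0 OpenSSL error-code layout (lib 8 bits, func 12 bits, reason 12 bits).

```javascript
// Added example: decode an OpenSSL error-queue line like the one in this thread.
// Assumption: pre-3.0 OpenSSL packing, code = lib(8) | func(12) | reason(12).

// TLS alert descriptions (RFC 5246, section 7.2), subset seen around handshakes.
const TLS_ALERTS = {
  0: 'close_notify', 10: 'unexpected_message', 20: 'bad_record_mac',
  40: 'handshake_failure', 42: 'bad_certificate', 43: 'unsupported_certificate',
  44: 'certificate_revoked', 45: 'certificate_expired', 46: 'certificate_unknown',
  47: 'illegal_parameter', 48: 'unknown_ca', 49: 'access_denied',
  70: 'protocol_version', 71: 'insufficient_security', 80: 'internal_error',
};

const ERR_LIB_SSL = 20;           // library number of OpenSSL's SSL routines
const ALERT_REASON_OFFSET = 1000; // SSL reasons >= 1000 are alerts received from the peer

// decodeOpenSslError is a hypothetical helper name, not a node-apn or Node API.
function decodeOpenSslError(text) {
  // pid:error:HEXCODE:library:function:reason:file:line:extra data
  const m = /(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):(.*):(\d+):(.*)$/.exec(text);
  if (!m) return null;

  const code = parseInt(m[2], 16);
  const lib = (code >>> 24) & 0xff;
  const func = (code >>> 12) & 0xfff;
  const reason = code & 0xfff;

  const fromPeer = lib === ERR_LIB_SSL && reason >= ALERT_REASON_OFFSET;
  const alert = fromPeer ? reason - ALERT_REASON_OFFSET : null;

  return {
    pid: Number(m[1]), lib, func, reason,
    libName: m[3], funcName: m[4], reasonText: m[5],
    file: m[6], line: Number(m[7]), data: m[8],
    fromPeer, alert,
    alertName: fromPeer ? (TLS_ALERTS[alert] || 'unknown') : null,
  };
}

// Error text copied from the first post in this thread.
const SAMPLE = String.raw`apn Error occurred with trace: +1ms Error: 7580:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:openssl\ssl\s3_pkt.c:1275:SSL alert number 40`;

console.log(decodeOpenSslError(SAMPLE));
```

Reason 1040 is the offset 1000 plus alert 40, so the failure was reported by the peer; the "sslv3" in the message is part of OpenSSL's name for that alert and appears whichever protocol version was negotiated.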

Reyes Garcia

Mar 31, 2015, 12:11:13 PM
to node...@googlegroups.com, hier.mail...@gmail.com, re...@slikcode.com
Hey Guys,

Sorry, I never gave my final update.

So I decided to recreate the certificate request using my Mac instead of the Windows machine and submitted it to Apple. The new certificate works without a problem, so if you are having a similar issue I suggest just starting from scratch using Keychain Access from a Mac.

Thanks to everyone that contributed to this thread!!!!!