Ошибка ssl31 операция выполнена успешно

• Remove From My Forums

• Question

• I’m tring to add SSL certificate  with this command

  netsh http add sslcert 127.0.0.1:8035 certhash=hash appid={guid fo appid}

  This command returns an error

  SSL Certificate add failed, Error: 31 A device attached to the system is not functioning

  Also I’ve tried to add certificate for WebSite directly from IIS Manager and got another error

  Error during operation — A device attached to the system is not functioning (Exception from HRESULT: 0x8007001F)

• Remove From My Forums

• Question

• I’m tring to add SSL certificate  with this command

  netsh http add sslcert 127.0.0.1:8035 certhash=hash appid={guid fo appid}

  This command returns an error

  SSL Certificate add failed, Error: 31 A device attached to the system is not functioning

  Also I’ve tried to add certificate for WebSite directly from IIS Manager and got another error

  Error during operation — A device attached to the system is not functioning (Exception from HRESULT: 0x8007001F)

• Remove From My Forums

• Вопрос

• I’m tring to add SSL certificate  with this command

  netsh http add sslcert 127.0.0.1:8035 certhash=hash appid={guid fo appid}

  This command returns an error

  SSL Certificate add failed, Error: 31 A device attached to the system is not functioning

  Also I’ve tried to add certificate for WebSite directly from IIS Manager and got another error

  Error during operation — A device attached to the system is not functioning (Exception from HRESULT: 0x8007001F)

У меня есть контейнер докеров для прокси (nginx), пользовательского интерфейса и API (.NET 6). API выдает ошибку A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption( ssl /tls) handshake failed).

Среда развертывания: CentOS 7

Версия SQL Server: Microsoft SQL 2016 SP2

Строка подключения: Data Source=${DB_HOST};Initial Catalog=${DB_NAME};Persist Security Info=True;User ID=${DB_USERNAME};Password=${DB_PASSWORD};MultipleActiveResultSets=True

Решения, которые я пробовал:

1. Включение TLS 1.2 в regedit на сервере базы данных.
2. Перезапущен агент SQL-сервера.
3. В строку подключения добавлено TrustServerCertificate=True или Encrypt=False.
4. Добавлено RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf

Ничто не работало из всех этих решений. Очень нужна помощь!

Я только что решил свою проблему, объединив следующее.

• Используется Microsoft.Data.SqlClient вместо Systems.Data.SqlClient.
• Добавлены команды в Dockerfile API

RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf

RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf

• Добавлено TrustServerCertificate=True в строку подключения к базе данных.

Это понижает версию TLS образа докера или контейнера до TLSv1. Однако это не лучшее решение. Было бы лучше обновить сервер SQL, чтобы соединение могло принимать TLSv1.2. Что в моем случае неприменимо.

System.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed) ---> Interop+Crypto+OpenSslCryptographicException: error:2006D002:BIO routines:BIO_new_file:system lib
   at Interop.Crypto.CheckValidOpenSslHandle(SafeHandle handle)
   at Internal.Cryptography.Pal.StorePal.LoadMachineStores()
   at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags)
   at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
   at Internal.Cryptography.Pal.OpenSslX509ChainProcessor.FindCandidates(X509Certificate2 leaf, X509Certificate2Collection extraStore, HashSet`1 downloaded, HashSet`1 systemTrusted, TimeSpan& remainingDownloadTime)
   at Internal.Cryptography.Pal.ChainPal.BuildChain(Boolean useMachineContext, ICertificatePal cert, X509Certificate2Collection extraStore, OidCollection applicationPolicy, OidCollection certificatePolicy, X509RevocationMode revocationMode, X509RevocationFlag revocationFlag, DateTime verificationTime, TimeSpan timeout)
   at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate, Boolean throwOnException)
   at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate)
   at System.Net.Security.CertificateValidation.BuildChainAndVerifyProperties(X509Chain chain, X509Certificate2 remoteCertificate, Boolean checkCertName, String hostName)
   at System.Net.Security.SecureChannel.VerifyRemoteCertificate(RemoteCertValidationCallback remoteCertValidationCallback, ProtocolToken& alertToken)
   at System.Net.Security.SslState.CompleteHandshake(ProtocolToken& alertToken)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
   at System.Data.SqlClient.SNI.SNITCPHandle.EnableSsl(UInt32 options)
   at System.Data.SqlClient.SNI.SNIProxy.EnableSsl(SNIHandle handle, UInt32 options)
   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, Boolean applyTransientFaultHandling)
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionFactory.<>c__DisplayClass40_0.<TryGetConnection>b__1(Task`1 _)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location where exception was thrown ---
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot)
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.SqlTools.ServiceLayer.Connection.ReliableConnection.ReliableSqlConnection.<>c__DisplayClass28_0.<<OpenAsync>b__0>d.MoveNext() in D:a1ssrcMicrosoft.SqlTools.ServiceLayerConnectionReliableConnectionReliableSqlConnection.cs:line 298
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.SqlTools.ServiceLayer.Connection.ConnectionService.TryOpenConnection(ConnectionInfo connectionInfo, ConnectParams connectionParams) in D:a1ssrcMicrosoft.SqlTools.ServiceLayerConnectionConnectionService.cs:line 542
ClientConnectionId:49cf6e19-76ff-46ce-97da-59d61b03307d

There are a lot of SSL errors out there.
Way too much, right?

You as a sysadmin know that for sure – Certificate Errors, Configuration Errors, Server Errors, Protocol Errors, and others.

Here you’ll find a list of the most common xxxxx errors and proven quick fix solutions:

1. SSL Error “ssl_error_no_cypher_overlap”
2. SSL Error “ssl_error_rx_record_too_long”
3. SSL Error “ssl_error_syscall”
4. SSL Error “ssl_error_bad_cert_domain”
5. SSL Error “ssl_error_internal_error_alert”
6. SSL Error “ssl error 31”
7. SSL Error “ssl error 61”
8. SSL Error “ssl certificate problem: unable to get local issuer certificate”
9. SSL Error “ssl error: unable to verify the first certificate”
10. SSL Error “ssl_protocol_error”
11. SSL Error “ssl handshake error” or “ssl handshake failure alert”

And you’ll find the solution to get rid of ALL SSL errors – forever: Test PRTG as your new monitoring tool and get stared within minutes!

 1. SSL error

«ssl_error_no_cypher_overlap»

Quick fix

Did you receive the error message “ssl error no cypher overlap” while using Firefox or another web browser? Then you are dealing with one of the most common SSL errors. The cypher overlap error occurs due to a misconfiguration of the TLS/SSL settings.

The SSL error can easily be solved by adjusting the settings in your browser. If you are using Mozilla Firefox, access the settings page and choose the add-on section. Check the add-on list for any extensions that you did not install yourself. Deactivate all unnecessary add-ons and plug-ins, then restart the browser.

You can also reset both the TLS and the SSL settings. In your brower, type about:config to open the settings. Type TLS in the search box and look through the TLS settings. If there are any modified settings, restore them back to default. Repeat these steps to reset the SSL settings as well.

Best solution: https://www.thewindowsclub.com/ssl_error_no_cypher_overlap-firefox 

 2. SSL error

«ssl_error_rx_record_too_long»

Quick fix

The common SSL error “ssl error rx record too long” may occur in your browser when visiting a website via HTTPS. The error is often accompanied by the error message “SSL received a record that exceeded the maximum permissible length” or a similar message. This means that the web server is sending HTTP data instead of HTTPS data.

This common SSL issue is usually caused by an error in the SSL implementation on the server itself. There are several things that you can do to solve the problem:

1. Ensure that SSL is configured correctly on the server.
2. Check if your browser is using the same port as the web server. To use port 443, some servers such as Apache require a configuration first.
3. If you are using a proxy server, the error can show up as well. In this case, make sure that your local proxy is configured correctly.

Best Solution: https://www.ssl247.de/kb/ssl-certificates/troubleshooting/apache/ssl-error-rx-record-too-long-firefox-apache-tomcat or https://www.xolphin.com/support/Error_messages/Error_-_ssl_error_rx_record_too_long

 3. SSL error

«ssl_error_syscall»

 4. SSL error

«ssl_error_bad_cert_domain»

Quick fix

The error code “ssl error bad cert domain” and the error message “The certificate is only valid for the following names” is often experienced by users while trying to access their SSL encrypted website or network. The error code indicates that there is a configureation problem with the SSL certificate of the website. The SSL error is commonly reported by Firefox users, but may also occur in other browsers.

Depending on the individual cause of the error, try the following troubleshooting solutions:

1. If caused by an SSL misconfiguration of the website itself, the configuration needs to be adjusted by the website’s admin. If it is your website, make sure that your SSL certificate is active and switch to HTTPS.
2. In some cases, the browser’s cache and cookies may lead to an SSL error. If this is the case, you can simply solve the problem by clearing the cache in the settings.

Best Solution: https://appuals.com/fix-ssl_error_bad_cert_domain/

 5. SSL error

«ssl_error_internal_error_alert»

Quick fix

SSL error code “internal error alert” is a common problem faced by users of Mozilla Firefox and other web browsers. The error message indicates that there is a problem with the secure SSL connection. It may be caused either by the SSL certificate or by the settings of your browser.

To fix the problem, try the following troubleshooting steps:

1. Make sure you are using a valid SSL certificate.
2. Update your browser to the latest version.
3. Disable unknown or unnecessary add-ons in the Firefox settings.
4. Ensure that HTTPS is set up correctly.
5. If the error persists after these steps, restart your browser.

Best Solution: https://comparecheapssl.com/how-to-fix-ssl-error-on-firefox-a-complete-guide/

 6. SSL error

“ssl error 31”

 7. SSL error

«ssl error 61”»

Quick fix

SSL error 61 is an error code regularly experienced by Citrix users. There are several error messages that can be displayed for receiver users when accessing Citrix StoreFront or web interface applications, such as:

“Cannot connect to the Citrix XenApp Server. SSL Error 61: You have not chosen to trust ‘Certificate Authority’, the issuer to the server’s security certificate.”

“The server certificate received is not trusted (SSL Error 61)”

“You app is not available. Try again later.”

As a system administrator, you can try the following solutions to get rid of SSL error 61:

1. Update to the latest receiver version, as older versions may not support SHA2 certificates.
2. Ensure that you have the required root certificate or intermediate certificate. You can download the certificates from your SSL certificate provider. If you use an antivirus software, make sure that your antivirus software trusts the SSL certificate.
3. Check if the server certificate is compliant with the instruction in RFC 3280 in terms of the Enhanced Key Usage field.

Best Solution: https://support.citrix.com/article/CTX101990

 8. SSL error

“ssl certificate problem: unable to get local issuer certificate”

Quick fix

The error message “SSl certificate problem: unable to get local issuer certificate” sometimes occurs when making a request for a secure HTTPS destination. The SSL error is caused by a problem with the root certificate. When you use client SSL and make a request for a secure HTTPS source, you need to verify your identity by sharing your SSL/TLS certificate. If this step is not completed successfully, the error message pops up.

There are several solutions to fix the SSL certificate problem:

1. Change php.ini while maintaining SSL.
2. Maintain SSL and add the following code:

$ch = curl_init();

$certificate_location = ‘/usr/local/openssl-0.9.8/certs/cacert.pem’;

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $certificate_location);

>curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $certificate_location);

3. Disable SSL (not recommended).

Best Solution: https://aboutssl.org/fix-ssl-certificate-problem-unable-to-get-local-issuer-certificate/

 9. SSL error

Error “ssl error: unable to verify the first certificate”

 10. SSL error

“ssl_protocol_error”

Quick fix

Error code “ssl protocol error” is a typical SSL error on Google Chrome. Your browser may also state the error message “This site can’t provide a secure connection” along with the error code. If you encounter this problem, there are many possible solutions:

1. Set the correct date and time on your system, as the SSL certificate is sensitive to your system’s settings.
2. Clear your browser’s SSL state in the Google Chrome settings.
3. Disable QUIC protocol which is enabled by default in Google Chrome.
4. Check your antivirus settings and make sure it scans SSL/TLS protocols correctly.
5. If the website’s SSL/TLS protocols are not in line with your Chrome version, change the SSL/TLS protocol settings accordingly in the advanced settings.

Best Solution: https://www.thesslstore.com/blog/fix-err-ssl-protocol-error/

 11. SSL error

“ssl handshake error” or “ssl handshake failure alert”

Quick fix

The SSL handshake error message can be received when the SSL handshake process fails. The SSL handshake is a process in which the browser sends a secure connection request to the web server. If this request fails, it results in the SSL handshake failure alert.

The SSL error can be caused by a number of reasons. Therefore, the solution depends on the cause. These are the most common ones:

1. The SSL/TLS protocol is not supported by the server.
2. The certificate does not match the hostname in the URL.
3. The certificate is invalid or has expired.
4. The client server is unable to communicate with the servers.

You can fix the problem by adjusting the settings and by making sure that the SSL/TLS certificates are configured correctly.

Best Solution: https://www.rapidsslonline.com/blog/ssl-handshake-failed-error/

Choose your solution: Bugfix or replacement

With PRTG you’ll never have to deal with
SSL errors again. Forever.

Trusted by 500,000 users and recognized
by industry analysts as a leader