KB Article #178072

SSL handshake error: [SSL alert write 0x20a, 0x11d0]: unexpected_message [fatal]

Problem

The customer sees the following SSL handshake failure in the gateway trace:


DEBUG 8/10/16, 10:06:47.797 run filter [Connection ssl] {
DEBUG 8/10/16, 10:06:47.797 get connection to host xxx.yyy-mmm.xxx.com port 5566 scheme https
DEBUG 8/10/16, 10:06:47.797 delete client connection cache 0x7f46d1ee95f0 to xxx.yyy-mmm.xxx.com:5566
DEBUG 8/10/16, 10:06:47.797 reuse idle SSL session 0x7f46d1f06088
DEBUG 8/10/16, 10:06:47.797 poll() with max timeout 3000
DEBUG 8/10/16, 10:06:47.823 poll(): revents = 4
DEBUG 8/10/16, 10:06:47.823 connected to 172.16.193.118:5566
DEBUG 8/10/16, 10:06:47.823 new connection 0x7f46d1ee77b0, settings source service-wide defaults (allow 1.1=xxx, idleTimeout=xxxx, activeTimeout=xxx, contentLength: req=xxx, res=xxx)
DEBUG 8/10/16, 10:06:47.823 push SSL protocol on to connection
DATA 8/10/16, 10:06:47.823 [SSL_connect, 0x5000] before/connect initialization.
DATA 8/10/16, 10:06:47.824 [SSL_connect, 0x1110] SSLv3 write client hello A.
DEBUG 8/10/16, 10:06:47.853 No SSL host name provided, defaulting to certificate: { subject: /L=xxyy/ST=xxyy/C=MM/O=xxx UUUU (LLLL) xx/OU=RR/CN=xxx.yyy.mmm }.
DATA 8/10/16, 10:06:47.853 [SSL_connect, 0x1120] SSLv3 read server hello A.
ERROR 8/10/16, 10:06:47.853 [SSL alert write 0x20a, 0x11d0]: unexpected_message [fatal].
ERROR 8/10/16, 10:06:47.853 [SSL_connect, 0x11d0]: error - subject issuer mismatch.
ERROR 8/10/16, 10:06:47.870 transient failure connecting to remote: SSL protocol error
DEBUG 8/10/16, 10:06:47.870 Adding MessageListener: com.vordel.circuit.net.ConnectionProcessor$1@571c6277
DEBUG 8/10/16, 10:06:47.870 connection processor made 1 attempts to transact
DEBUG 8/10/16, 10:06:47.870 } = 0, filter [Connection ssl]
DEBUG 8/10/16, 10:06:47.870 Filter [Connection ssl] completes in 73 milliseconds.



Resolution

This error often occurs because a load balancer in front of the remote host is terminating SSL, so the certificate or session the gateway receives is not the one it expects.
There are two things you can try to prevent the error.

Solution 1: switch off the certificate hostname check on the remote host. Open the remote host in Policy Studio and, on the General tab, untick "Verify server's certificate matches requested hostname". With this option off, the gateway no longer checks that the certificate's subject matches the host it asked for, so the connection relies entirely on validation of the certificate's trust chain; keep that validation in place.

Click OK and redeploy.


Solution 2: switch off the SSL session cache. Again in the remote host settings, this time on the Advanced tab, set "SSL session cache size" to 0. With a cache size of 0 every connection performs a full handshake instead of trying to resume a cached session.

Click OK and redeploy.
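To decide which of the two solutions applies before changing the remote host configuration, it helps to read the trace mechanically rather than by eye. The following script is an added example, not part of the KB article or of the gateway product: it parses the trace lines quoted above (embedded as a constructed sample, with the quoted-printable "=3D" decoded to "=") plus a constructed clean trace for contrast, extracts the target host, the last handshake stage, the fatal alert and the verification error, and reports two heuristics that map onto the KB's solutions: no SNI sent with a certificate CN that differs from the requested host (hostname check, solution 1), and a failure that follows an attempted "reuse idle SSL session" (session cache, solution 2). The regular expressions and the "SSL negotiation finished successfully" stage in the clean sample are assumptions about the trace format, not documented gateway output.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the trace lines quoted in the KB article, with the
# page's own anonymized host names and addresses, and the quoted-printable
# "=3D" sequences decoded back to "=".
SAMPLE_TRACE = """\
DEBUG 8/10/16, 10:06:47.797 run filter [Connection ssl] {
DEBUG 8/10/16, 10:06:47.797 get connection to host xxx.yyy-mmm.xxx.com port 5566 scheme https
DEBUG 8/10/16, 10:06:47.797 reuse idle SSL session 0x7f46d1f06088
DEBUG 8/10/16, 10:06:47.823 connected to 172.16.193.118:5566
DEBUG 8/10/16, 10:06:47.823 push SSL protocol on to connection
DATA 8/10/16, 10:06:47.823 [SSL_connect, 0x5000] before/connect initialization.
DATA 8/10/16, 10:06:47.824 [SSL_connect, 0x1110] SSLv3 write client hello A.
DEBUG 8/10/16, 10:06:47.853 No SSL host name provided, defaulting to certificate: { subject: /L=xxyy/ST=xxyy/C=MM/O=xxx UUUU (LLLL) xx/OU=RR/CN=xxx.yyy.mmm }.
DATA 8/10/16, 10:06:47.853 [SSL_connect, 0x1120] SSLv3 read server hello A.
ERROR 8/10/16, 10:06:47.853 [SSL alert write 0x20a, 0x11d0]: unexpected_message [fatal].
ERROR 8/10/16, 10:06:47.853 [SSL_connect, 0x11d0]: error - subject issuer mismatch.
ERROR 8/10/16, 10:06:47.870 transient failure connecting to remote: SSL protocol error
DEBUG 8/10/16, 10:06:47.870 } = 0, filter [Connection ssl]
"""

# Constructed contrast case: the same connection completing without an alert.
# The final stage name is assumed, not taken from the KB.
CLEAN_TRACE = """\
DEBUG 8/10/16, 10:07:01.100 get connection to host xxx.yyy-mmm.xxx.com port 5566 scheme https
DATA 8/10/16, 10:07:01.101 [SSL_connect, 0x1110] SSLv3 write client hello A.
DATA 8/10/16, 10:07:01.130 [SSL_connect, 0x1120] SSLv3 read server hello A.
DATA 8/10/16, 10:07:01.160 [SSL_connect, 0x1003] SSL negotiation finished successfully.
"""

# Assumed trace patterns, derived from the lines quoted in the KB.
RE_TARGET = re.compile(r"get connection to host (\S+) port (\d+) scheme (\S+)")
RE_REUSE = re.compile(r"reuse idle SSL session (0x[0-9a-fA-F]+)")
RE_NO_SNI = re.compile(r"No SSL host name provided")
RE_CN = re.compile(r"CN=([^/\s}]+)")
RE_ALERT = re.compile(r"\[SSL alert write [^\]]*\]: (\w+) \[fatal\]")
RE_VERIFY = re.compile(r"\[SSL_connect, 0x[0-9a-fA-F]+\]: error - (.+?)\.?$")
RE_STAGE = re.compile(r"\[SSL_connect, 0x[0-9a-fA-F]+\] (.+?)\.?$")


@dataclass
class HandshakeReport:
    host: Optional[str] = None
    port: Optional[int] = None
    session_reused: bool = False   # gateway tried to resume a cached SSL session
    sni_sent: bool = True          # False once the trace says no host name was provided
    cert_cn: Optional[str] = None  # CN of the certificate the gateway defaulted to
    last_stage: Optional[str] = None
    alert: Optional[str] = None    # fatal TLS alert written by the gateway, if any
    verify_error: Optional[str] = None
    findings: list = field(default_factory=list)

    @property
    def failed(self) -> bool:
        return self.alert is not None or self.verify_error is not None


def analyze_trace(text: str) -> HandshakeReport:
    """Scan one outbound connection's trace lines and summarise the handshake."""
    r = HandshakeReport()
    for line in text.splitlines():
        if m := RE_TARGET.search(line):
            r.host, r.port = m.group(1), int(m.group(2))
        elif RE_REUSE.search(line):
            r.session_reused = True
        elif RE_NO_SNI.search(line):
            r.sni_sent = False
            if m := RE_CN.search(line):
                r.cert_cn = m.group(1)
        elif m := RE_ALERT.search(line):
            r.alert = m.group(1)
        elif m := RE_VERIFY.search(line):
            r.verify_error = m.group(1)
        elif m := RE_STAGE.search(line):
            r.last_stage = m.group(1)

    if r.failed:
        # Heuristic 1: no SNI plus a CN that is not the requested host points at
        # the hostname check (KB solution 1). This is a plain string comparison;
        # it ignores wildcards and SAN entries, which a real verifier considers.
        if not r.sni_sent and r.cert_cn and r.host and r.cert_cn != r.host:
            r.findings.append(
                f"no SNI sent; certificate CN {r.cert_cn!r} differs from requested host {r.host!r}"
            )
        # Heuristic 2: a failure right after an attempted session resumption
        # points at the SSL session cache (KB solution 2).
        if r.session_reused:
            r.findings.append("handshake failed after attempting to reuse a cached SSL session")
        if r.verify_error:
            r.findings.append(f"verification error reported: {r.verify_error}")
    return r


if __name__ == "__main__":
    for name, trace in (("failing", SAMPLE_TRACE), ("clean", CLEAN_TRACE)):
        rep = analyze_trace(trace)
        print(f"{name}: failed={rep.failed} stage={rep.last_stage!r} alert={rep.alert!r}")
        for finding in rep.findings:
            print("  -", finding)
```

Run against the KB's trace, the report shows the handshake dying at "SSLv3 read server hello A" with both findings raised: the requested host xxx.yyy-mmm.xxx.com does not equal the CN xxx.yyy.mmm of the certificate the gateway fell back to, and the attempt was made on a reused session. Seeing only the first finding suggests trying solution 1, seeing only the second suggests solution 2; the heuristics are indicative, not proof, since the trace does not show what the load balancer did on its side.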