ERROR: Fetching the page failed because SSL handshake error

andypiper · 2015-01-12T10:36:39.014Z

The only thing I’m aware of that changed in the past few months was that we no longer support SSLv3 due to the POODLE vulnerability (and others). I do not think this is the issue here, but I’ll ask the Cards team to take a look at why these issues may be occurring recently.

deanswaydesign · 2015-01-12T11:25:12.992Z

Thanks for the update.

We’re weren’t running SSLv3 either and in any case all of the browsers listed chose TLS1.2 or better. Look forward to your updates.

FRNDSHIPWIDJAV · 2015-01-12T18:06:31.438Z

Thanks for your reply am also looking for further updates and suggestion regarding this error.

deanswaydesign · 2015-01-13T10:17:35.633Z

Has there been any further result here?

Additionally I have been unable to find any log files our side mentioning this error.

deanswaydesign · 2015-01-15T15:15:50.440Z

OK, I think I’ve found the solution to this one. Basically it’s a “design choice” made by both Apache and Java >= 1.7.

The issue is that Java always sends an SNI name request (which is good since IP addresses are in short supply). If you have an apache server that’s only serving one site (or, like ours, where each site has a unique IP) and you don’t specify a ServerName directive, apache will respond using the local host name (if defined) or the IP of the connection. Apache also sends a warning that the names don’t match (which is against the advice in the spec). Java sees that warning and turns it into a fatal error, so the connection is aborted.

The solution is simply to add a ServerName directive that matches the SSL certificate’s CN (add ServerAlias’s too if needed).

For a fuller discussion of this issue, see http://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0

Having made this change to the server config, my cards now once again validate correctly.

Thanks for the assistance.

andypiper · 2015-01-15T16:50:04.490Z

Woah, ninja skills @deanswaydesign - thank you so much for sharing this awesome and detailed description

gamerz · 2015-03-13T05:04:16.068Z

Weird. I am still having this problem. On Apache 2.4. On SSLLabsTest, I got an A+ for the SSL Cert https://www.ssllabs.com/ssltest/analyze.html?d=lesterchan.net

You can test it with this URI https://lesterchan.net/blog/2015/03/13/lesterchan-net-now-on-https/.

ServerName has been setup in Apache

ing_jk · 2015-03-29T01:53:52.684Z

Same problem here…@andypiper any news from the Cards Team?

Marshall_Durham · 2015-06-24T07:01:36.177Z

I’m having the exact same problem. I’ve tested my SSL certificate on SSL labs with an A rating. I’ve made sure to change my ServerName and add an Alias to my site configuration in Apache. I’m not sure what else I can do. My url is https://www.marshalldurham.com.

navjots1ngh · 2015-06-26T09:13:55.600Z

Hello All,

When we try to validate our url on given https://cards-dev.twitter.com/validator url. it gives me an error
ERROR: Fetching the page failed because SSL handshake error.
My Url
https://belive.mobi/multitvfinal/jwplayer/tw.html
Please help me…

cbmainz · 2015-10-15T11:11:27.506Z

Hi,

I habe the same problem, but can not change anything on my server settings (sheared host). Is there anything I can do to avoid this problem?

cheers
cbmainz

andypiper · 2015-11-27T15:07:35.150Z

cbmainz:

the same problem

If you are having an SSL handshake issue then you will need to make sure that your site’s SSL certificate is valid and using a suitable cipher i.e. TLS SHA-256.

litwos1 · 2015-11-27T15:09:50.818Z

We also have problem with our page : https://oneplace.marketplanet.pl/ogloszenie-publiczne/
Can you give us more detailed info what is main problem with our certificate?

andypiper · 2015-11-27T15:11:46.217Z

I’m currently unable to tell what the issue with your certificate might be.

ocean90 · 2015-12-09T15:28:30.119Z

I get the same error with https://dominikschilling.de/wordpress-4-6-release-lead/.

I’ve contacted the support of my host and got this info:

It seems like the validator is using a Java version which doesn’t support DHE with 4K-DH parameters. Modern browsers are supporting this.

omniasoft · 2016-07-27T00:46:45.427Z

Your post seriously helped me. Thank you! I kept getting handshake errors from Twitter when trying to test various Twitter cards. It turns out that it was indeed SNI issues associated with Apache.

Note to others who have a CN (Common Name) associated with your SSL that uses a wildcard (e.g. *.mydomain.com) you will have to set a ServerName and a ServerAlias in your VirtualHost to account for that. For example:

ServerName mydomain.com
ServerAlias *.mydomain.com

This SO article explains wildcard support in more detail: https://serverfault.com/questions/139628/servername-wildcards-in-apache-name-based-virtual-hosts/139629#139629?newreg=523b41dfd9754959b21fcbc7b2ae3912

LogiNext · 2017-03-18T10:07:05.878Z

Hi
I am getting the ERROR: Fetching the page failed because SSL handshake error. , for website

loginextsolutions

Logistics Management Software | Field Service Management | LogiNext

Optimize all your resources mainly field workforce like delivery associates, service agents, field technicians etc., and field services like delivery vehicle fleet, shipment etc., with our logistics management software. We are pioneers in logistics...

image.png1092x601 26.8 KB

Please let me know how can i resolve this issue .
I am using godaddy hosting so i dont have the apache folder access to modify the serverName and serverAlias

The certificate Signature algorithm = SHA256 + RSA

Any help would be appreciated
Thanks

andypiper · 2017-03-20T10:38:02.489Z

You’ll need to talk to your host about this.

Running your site through SSLLabs checker https://www.ssllabs.com/ssltest/analyze.html?d=www.loginextsolutions.com

The key lines here are towards the middle of the report, specifically the errors “Client aborts on SNI unrecognized_name warning” which is what causes the crawler to be unable to connect to your site.

premasagar · 2017-12-03T17:08:33.341Z

This error has been evading us too for sharing a video on a Twitter timeline, e.g. the video on https://beyourself.crohnsandcolitis.org.uk/cards/beyourself/
The player is at https://beyourself.crohnsandcolitis.org.uk/cards/beyourself/player.html

I’m fairly certain the twitter tags are correct (pasted at the bottom). Similarly, on Facebook, the still image displays but not the video in the timeline (with no errors reported), and I wonder if that is down to the same issue as on Twitter. But we don’t know what needs to change on the domain. We are using nginx, so the apache solution doesn’t apply. We believe that SNI is covered.

On https://www.ssllabs.com/ssltest/analyze.html?d=beyourself.crohnsandcolitis.org.uk
the domain gets an overall A rating, with maximum scores on everything except DNS CAA, linked to more info at:
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

Can that be relevant to the problem, or should we be looking elsewhere? Any help would be appreciated.

    <meta name="twitter:url" content="https://beyourself.crohnsandcolitis.org.uk/cards/beyourself/">
    <meta name="twitter:card" content="player">
    <meta name="twitter:site" content="@CrohnsColitisUK">
    <meta name="twitter:title" content="Be yoursELF for Crohn’s and Colitis Awareness Week">
    <meta name="twitter:description" content="Be yoursELF | Crohn’s & Colitis UK.
We are making the invisible visible…">
    <meta name="twitter:image" content="https://beyourself.crohnsandcolitis.org.uk/assets/video/video-poster-preview.jpg">
    <meta name="twitter:player" content="https://beyourself.crohnsandcolitis.org.uk/cards/beyourself/player.html">
    <meta name="twitter:player:width" content="1280">
    <meta name="twitter:player:height" content="720">
    <meta name="twitter:player:stream:content_type" content="video/mp4">
    <meta name="twitter:player:stream" content="https://beyourself.crohnsandcolitis.org.uk/videos/beyourself/beyourself.mp4">
    <meta name="twitter:image" content="https://beyourself.crohnsandcolitis.org.uk/assets/video/video-poster-preview.jpg" />
    <meta name="twitter:image:alt" content="Animated Elf card for Crohn’s and Colitis Awareness Week" />

[EDIT]: SSL settings in the nginx conf for the domain

    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    expires 5m;
    add_header Cache-Control "must-revalidate, proxy-revalidate";

andypiper · 2017-12-04T20:56:00.893Z

Unfortunately although the SSL checker site shows you that “A” rating, it also shows (further down the page) that a Java app attempting to negotiate an SSL handshake fails. That’s the most likely cause of the error and I’m not sure what you’d need to change on the server side, but it looks like an SSL/TLS handshake issue.