Emad
Apr 22, 2014

SSL handshake Failure

One of my VIPs was using SSL profiles. I updated the ciphers in my SSL profile not to use RC4, and then the changes were reverted to default, but after that I am unable to open that site in the browser. After checking the SSL dump I can see an SSL handshake failure, i.e.:

    New TCP connection 4: 172.16.2.83(55847) <-> 199.96.220.18(6443)
    4 1  1398154000.3027 (0.3390)  C>SV3.1(114)  Handshake
          ClientHello
            Version 3.1
            random[32]=
              53 56 23 77 70 87 2f d4 74 d1 e7 b0 ac 3d 16 ab
              18 6d 3e 14 e6 1b bb 28 c1 87 0c 7d 33 0f 9c 0d
            cipher suites
            TLS_RSA_WITH_AES_128_CBC_SHA
            TLS_RSA_WITH_AES_256_CBC_SHA
            TLS_RSA_WITH_3DES_EDE_CBC_SHA
            Unknown value 0xc013
            Unknown value 0xc014
            Unknown value 0xc009
            Unknown value 0xc00a
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA
            TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
            compression methods
                      NULL
    4 2  1398154000.3027 (0.0000)  S>CV3.1(2)  Alert
        level           fatal
        value           handshake_failure
    4    1398154000.3028 (0.0000)  S>C  TCP FIN
    4    1398154000.6416 (0.3388)  C>S  TCP FIN

 

  • Emad

    Now the cipher set is changed to:

    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)  256
    

    I am unable to understand why it was not working even though RC4 was included. Can you guide me?

  • You specified RC4 in your client SSL cipher string and, it would seem, never changed that.

    RC4:!SSLv2:!EXPORT40:!EXP:!LOW
    

    This cipher list represents the server's cipher capability, and since the client wasn't presenting any RC4 ciphers, the session was terminated. Changing the cipher string back to "DEFAULT" would have solved that problem.
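
The mismatch described in the answer above, as an added example that is not part of the original thread: it reads the ClientHello suite list from the posted ssldump and checks it against a server list. The RC4-only list is an assumed expansion of the `RC4:!SSLv2:!EXPORT40:!EXP:!LOW` string, the three suites from the follow-up post are assumed to be the server's new list, and the `0xc0..` names are the IANA registrations for the codes ssldump printed as "Unknown value".

```python
import re

# IANA code points for the suites in this thread, plus two RC4 suites.
IANA = {
    "TLS_RSA_WITH_RC4_128_MD5": 0x0004,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA": 0x0013,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": 0x0032,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA": 0x0038,
    "TLS_RSA_WITH_AES_256_CBC_SHA256": 0x003D,
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": 0xC009,
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": 0xC00A,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": 0xC014,
}
NAMES = {code: name for name, code in IANA.items()}

# ClientHello text copied from the post (random bytes left out).
CLIENT_HELLO = (
    "ClientHello Version 3.1 cipher suites TLS_RSA_WITH_AES_128_CBC_SHA "
    "TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA "
    "Unknown value 0xc013 Unknown value 0xc014 Unknown value 0xc009 "
    "Unknown value 0xc00a TLS_DHE_DSS_WITH_AES_128_CBC_SHA "
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA "
    "compression methods NULL"
)

def offered_suites(dump):
    """Code points offered in a ClientHello, in the client's order."""
    body = dump.split("cipher suites", 1)[1].split("compression methods", 1)[0]
    tokens = re.findall(r"Unknown value (0x[0-9a-fA-F]+)|(TLS_\w+)", body)
    return [int(hexcode, 16) if hexcode else IANA[name] for hexcode, name in tokens]

def negotiate(server_pref, client_offer):
    """First server-preferred suite the client offers; None = handshake_failure."""
    return next((NAMES[c] for c in server_pref if c in client_offer), None)

# Assumption: an RC4-only cipher string leaves the server only RC4 suites.
RC4_ONLY = [IANA["TLS_RSA_WITH_RC4_128_SHA"], IANA["TLS_RSA_WITH_RC4_128_MD5"]]
# Assumption: the suites from the follow-up post are the server's new list.
CHANGED = [0x0035, 0x000A, 0x003D]

if __name__ == "__main__":
    offer = offered_suites(CLIENT_HELLO)
    print(negotiate(RC4_ONLY, offer), negotiate(CHANGED, offer))
```

The same comparison works on any capture: an empty intersection between the ClientHello list and the profile's effective cipher list is what produces the fatal `handshake_failure` alert right after the ClientHello.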