Hi folks, running into a failed handshake problem - Although we upgraded to openssl 1.0.2d last summer, we had never changed our context setup from accepting any version other than TLSv1, i.e. (in boost) m_context(pIoService->GetNative(), boost::asio::ssl::context::tlsv1)
When we recently changed to accepting other versions (didn't matter if we disabled sslv2 and sslv3) to (in boost): m_context(pIoService->GetNative(), boost::asio::ssl::context::sslv23) our ssl handshakes started failing with "decryption failed or bad record mac" I've attached a packet capture, the client does a TLSv1.2 CLIENT HELLO and offers up 72 cipher suites. The server responds with the SERVER HELLO, CERTIFICATE, SERVER HELLO DONE and appears to select Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) The Client does the CLIENT KEY EXCHANGE, CHANGE CIPHER SPEC, ENCRYPTED HANDSHAKE MESSAGE and then the exchange appears to finish with the above error in the server log. The cipher setting on the server is: SSL_CTX_set_cipher_list(pSslContext->GetNativeRef().impl(), "ALL:SEED:!EXPORT:!LOW:!DES:!RC4"); Any suggestions? Is it possible that we've selected a cipher setting which is not compiled in? Thanks in advance for any help ... N Nou Dadoun Senior Firmware Developer, Security Specialist Office: 604.629.5182 ext 2632 Support: 888.281.5182 | avigilon.com Follow Twitter | Follow LinkedIn This email, including any files attached hereto (the "email"), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide.
failed_tls1.2_handshake.pcapng
Description: failed_tls1.2_handshake.pcapng
_______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
