Hi Lukas,

> Well, with this configuration there is now a real TLS handshake problem.
> Please just try with no-tlsv12, without the cipher configuration and redo
> those tests.

I did a couple of new tests. But as my self-compiled version 1.5.5 behaved 
strangely sometimes, I decided to have a try with the 1.5.2 from Red Hat, which 
is packaged with RHEL 6.6. I will do a re-test tomorrow, but:
- the self-compiled version tried to use TLS 1.2 a couple of times although the 
'no-tlsv12' option was set.

The Red Hat version did strictly what was defined in the config file. I could 
follow this in the tcpdump with the option 'no-tlsv12' set:
- with 'force-sslv3' (just as a test, I do not want to use it in production) the 
Java client blocked the encryption as a disallowed protocol 
- with TLS 1.0 (force option) I got a couple of TLS Encrypted Alert errors 
instead of the 'Alert: level fatal' messages
- with TLS 1.1 I could see that the 'Server Key Exchange' took place after 
Client Hello + Server Hello.

> I suspect there is no real SSL/TLS handshake issue here, but that the issue
> is on the application layer (I misread the first capture you sent me: the
> actual handshake seems ok, it's the client that is sending the FIN+ACK).

Yes, correct, the client closes the connection very quickly. This is still the 
case even with the test results I mentioned above (TLS test cases).

While testing I had another idea, about something we had trouble with some time 
ago. The certificate we use is a wildcard cert by DigiCert. I replaced it with a 
self-signed web certificate but it did not change anything. The results are 
identical.

Do you have any further ideas about what might cause the problem? stunnel was 
configured this way in the working setup (with the wildcard cert):
— 
; Protocol configuration
sslVersion = all
options = NO_SSLv2
ciphers = RC4-SHA:HIGH:!ADH
—

Thanks again!

Best regards,
     Heiko
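The stunnel block quoted in the mail above is worth auditing on its own, independently of the handshake problem: "sslVersion = all" with only NO_SSLv2 still allows SSLv3, "RC4-SHA" is placed first in the cipher list, and "!ADH" only excludes anonymous DH, not anonymous ECDH (which "!aNULL" would). The following is an added example written for this list archive, not code from the poster or from stunnel; it parses that "key = value" block, flags those settings, and shows a hardened block (whose cipher string and version choices are this example's own assumptions) passing the same checks. The stunnel key names sslVersion, options and ciphers are real; the judgement rules are the example's.

```python
"""Lint an stunnel-style settings block for weak TLS protocol/cipher choices.

Added example, not from the original mail. Assumes stunnel's documented
keys sslVersion, options and ciphers; the weak/strong rules are our own.
"""
import re

# Constructed sample: the block quoted in the mail (the "working" setup).
LEGACY_CONFIG = """
; Protocol configuration
sslVersion = all
options = NO_SSLv2
ciphers = RC4-SHA:HIGH:!ADH
"""

# Constructed sample: a hardened equivalent (assumed values, for comparison).
HARDENED_CONFIG = """
; Protocol configuration
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
ciphers = ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!RC4:!3DES
"""

# Positive cipher tokens matching this are treated as weak.
WEAK_CIPHER = re.compile(r"RC4|DES|MD5|NULL|EXP|ADH|AECDH", re.I)
LEGACY_VERSIONS = {"all", "sslv2", "sslv3", "tlsv1"}


def parse_stunnel(text):
    """Return {key: [value, ...]} for 'key = value' lines.

    ';' lines are comments and '[section]' lines are skipped. Keys may
    repeat, since stunnel accepts several 'options =' lines.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if not m:
            continue
        settings.setdefault(m.group(1), []).append(m.group(2).strip())
    return settings


def cipher_tokens(spec):
    """Split an OpenSSL cipher string into its ':'-separated tokens."""
    return [t for t in re.split(r"[:,\s]+", spec) if t]


def audit(text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    cfg = parse_stunnel(text)
    findings = []
    versions = cfg.get("sslVersion", [])
    for version in versions:
        if version.lower() in LEGACY_VERSIONS:
            findings.append(f"sslVersion={version} permits legacy protocols")
    # SSLv3 stays enabled unless pinned to a TLS 1.x version or explicitly disabled.
    opts = {o.upper() for o in cfg.get("options", [])}
    pinned_tls = any(v.lower().startswith("tlsv1.") for v in versions)
    if "NO_SSLV3" not in opts and not pinned_tls:
        findings.append("SSLv3 not disabled (add options = NO_SSLv3)")
    for spec in cfg.get("ciphers", []):
        tokens = cipher_tokens(spec)
        for pos, tok in enumerate(tokens):
            if not tok.startswith("!") and WEAK_CIPHER.search(tok):
                findings.append(f"weak cipher token {tok!r} at position {pos}")
        if "!aNULL" not in tokens:
            findings.append("unauthenticated suites not excluded (add !aNULL; "
                            "!ADH covers only anonymous DH)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Run it directly to see the findings for both blocks; the legacy block yields four findings (legacy sslVersion, SSLv3 still enabled, RC4-SHA at position 0, and no !aNULL), the hardened block none. Whether the Java client would accept any of these suites is a separate question this script does not answer.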