Karthik Krishnamoorthy wrote:
> the error I see is handshake failure ..
>
> SSL trace below ..
>
> Version: $Revision: 1.1 $ ($Date: 2000/03/31 20:12:54 $) $Author: relyea%netscape.com $
> Connection #1 [Thu May 22 11:57:17 2003]
> Connected to regis.central.sun.com:7070
> --> [
> alloclen = 72 bytes
>    (72 bytes of 72)
>  [Thu May 22 11:57:17 2003] [ssl2]  ClientHelloV2 {
>            version = {0x03, 0x01}
>            cipher-specs-length = 45 (0x2d)
>            sid-length = 0 (0x00)
>            challenge-length = 16 (0x10)
>            cipher-suites = {
>                 (0x010080) SSL2/RSA/RC4-128/MD5
>                 (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
>                 (0x030080) SSL2/RSA/RC2CBC128/MD5
>                 (0x060040) SSL2/RSA/DES56-CBC/MD5
>                 (0x020080) SSL2/RSA/RC4-40/MD5
>                 (0x040080) SSL2/RSA/RC2CBC40/MD5
>                 (0x000004) SSL3/RSA/RC4-128/MD5
>                 (0x00feff) ??????????????????
>                 (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
>                 (0x00fefe) ??????????????????
>                 (0x000009) SSL3/RSA/DES56-CBC/SHA
>                 (0x000064) TLS/RSA_EXPORT1024/RC4-56/SHA
>                 (0x000062) TLS/RSA_EXPORT1024/DES56_CBC/SHA
>                 (0x000003) SSL3/RSA/RC4-40/MD5
>                 (0x000006) SSL3/RSA/RC2CBC40/MD5
>                 }
>            session-id = { }
>            challenge = { 0x6129 0xfea9 0x025d 0x7b90 0x506d 0x5027 0xea62 0xa6a6 }
> }
> ]
The ClientHello message shows that the client can do TLS. It uses the version number 3.1 and two TLS cipher suites.
So it is possible that the server is TLS intolerant. A TLS intolerant server is a server that does not implement TLS and does not handle a ClientHello message with version 3.1 correctly.
Could you try enabling only SSL v2 and v3 and disabling TLS in your client?
I enabled the SSL V3 ciphers but still the SSL communication seems to go with SSL V 3.1.
I did some more extensive testing. I noticed Mozilla 1.3 doing the same as above with exactly the same trace, and I get a "document contains no data" error. However, when I connect to the server a second time (using refresh or entering the URL) it works fine; the browser seems to remember that the site failed with SSL V 3.1 and connects successfully using 3.0.
It looks like the JSS libraries don't automatically step down SSL versions, which I thought they might do ..
When I connect to the same site using Netscape 4.79 it starts with SSL V 3 and hence it works fine from the beginning, unlike Mozilla, where the first connection fails every time I shut down and restart the browser.
Thanks, Karthik
Wan-Teh
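
The ClientHelloV2 record in the trace above can be rebuilt from its printed fields and parsed to see exactly what a TLS-intolerant server receives: a version of 3.1 inside an SSLv2-format hello. This is an added example, not part of the thread and not NSS or JSS code; the function names are my own, and the cipher specs and challenge are copied from the trace.

```python
import struct

# Cipher specs and challenge copied from the SSL trace quoted in this thread.
SPECS = [0x010080, 0x0700c0, 0x030080, 0x060040, 0x020080, 0x040080,
         0x000004, 0x00feff, 0x00000a, 0x00fefe, 0x000009, 0x000064,
         0x000062, 0x000003, 0x000006]
CHALLENGE = bytes.fromhex("6129fea9025d7b90506d5027ea62a6a6")
VERSIONS = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0 (SSL 3.1)"}


def build_v2_hello(version, specs, challenge, session_id=b""):
    """Serialize an SSLv2-format ClientHello behind a 2-byte record header."""
    spec_bytes = b"".join(s.to_bytes(3, "big") for s in specs)
    body = struct.pack("!BBBHHH", 1, version[0], version[1],
                       len(spec_bytes), len(session_id), len(challenge))
    body += spec_bytes + session_id + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_v2_hello(record):
    """Parse the record; raise ValueError on malformed or truncated input."""
    if len(record) < 11:
        raise ValueError("record too short")
    (hdr,) = struct.unpack_from("!H", record)
    if not hdr & 0x8000:
        raise ValueError("not a 2-byte SSLv2 record header")
    body = record[2:]
    if len(body) != hdr & 0x7FFF:
        raise ValueError("record length mismatch")
    msg, major, minor, cs_len, sid_len, ch_len = struct.unpack_from("!BBBHHH", body)
    if msg != 1:
        raise ValueError("not a ClientHello")
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != len(body):
        raise ValueError("inconsistent field lengths")
    specs = [int.from_bytes(body[9 + i:12 + i], "big") for i in range(0, cs_len, 3)]
    return {
        "version": (major, minor),
        "version_name": VERSIONS.get((major, minor), "unknown"),
        "ssl2_specs": [s for s in specs if s >> 16],          # first byte non-zero
        "ssl3_tls_suites": [s for s in specs if not s >> 16],  # 0x00 + 2-byte suite
        "challenge": body[9 + cs_len + sid_len:],
    }


if __name__ == "__main__":
    record = build_v2_hello((3, 1), SPECS, CHALLENGE)
    hello = parse_v2_hello(record)
    print(len(record), "bytes, client offers", hello["version_name"])
    print(len(hello["ssl2_specs"]), "SSL2 specs,",
          len(hello["ssl3_tls_suites"]), "SSL3/TLS suites")
```

The rebuilt record is 72 bytes, matching the `alloclen` in the trace; changing the version argument to `(3, 0)` produces the hello a client sends after stepping down to SSL 3.0.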
