I just tried "ab" against my dev master build without problems. I have SSLv3 disabled. It ended up negotiating tlsv1.2. I saw one error about protocol mismatch while I was playing around.

I also ran the ssllabs tests against docs.trafficserver.apache.org which is fronted by an ATS server. The only client handshake error it reported was IE6 on winXP (since SSLv3 is disabled).

Can you give details about your configuration? We must be doing something different.

On 4/16/2015 6:31 AM, Reindl Harald wrote:


On 16.04.2015 at 13:22, Susan Hinrichs wrote:
Are you seeing actual failed connections? Or is ATS just logging more
intermediate error cases than httpd?

it is just impossible to use "ab" against an ATS, see difference below and when you run https://www.ssllabs.com/ssltest/ against both sites you see SSL2/SSL3 disabled on both

that pretty sure affects also other older clients not only "ab" for no good reasons
__________________________________________________________

[harry@rh:~]$ ab -n 1 https://www.thelounge.net/
This is ApacheBench, Version 2.3 <$Revision: 1638069 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.thelounge.net (be patient)...SSL handshake failed (1).
140536880785376:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
..done
__________________________________________________________

[harry@rh:~]$ ab -n 1 https://secure.thelounge.net/
This is ApacheBench, Version 2.3 <$Revision: 1638069 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking secure.thelounge.net (be patient).....done

Server Software:
Server Hostname:        secure.thelounge.net
Server Port:            443
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,4096,128
__________________________________________________________

On 4/16/2015 6:13 AM, Reindl Harald wrote:

On 16.04.2015 at 13:08, Neddy, NH. Nam wrote:
Yeah, it's been long time: https://issues.apache.org/jira/browse/TS-2402

"SSL v3 is disabled" is a completely different story than breaking
client handshakes, as said *all* our services have SSL3 disabled and
you can benchmark a httpd-server without any issues with "ab"

On Thu, Apr 16, 2015 at 4:57 PM, Reindl Harald
<[email protected]> wrote:
why is it still an issue doing a benchmark to an ATS server with "ab -c 100 -n 20000 https://traffic-server-site/" while the same works just fine when the server is a normal httpd with SSLv3 also disabled?

140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770

