On 4/16/2015 7:11 AM, Reindl Harald wrote:


Can you give details about your configuration?  We must be doing
something different.

* Fedora 20 x86_64
* ATS 5.2.1
* openssl-1.0.1e-42.fc20

the certificate is a RSA4096 SHA256 wildcard, the same as on https://secure.thelounge.net/ which is running httpd while https://www.thelounge.net/ is running ATS in front

I've tried replicating your environment better to no avail. Am I reading your statement above correctly that there is a httpd proxy in between the client and ATS?

Do previous versions of ATS work for you?


cat records.config  | grep ssl
CONFIG proxy.config.http.server_ports STRING 80 443:ssl
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.SSLv2 INT 1
CONFIG proxy.config.ssl.client.SSLv3 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.server.dhparams_file STRING /etc/trafficserver/ssl/dhparams.pem

On 4/16/2015 6:31 AM, Reindl Harald wrote:

On 16.04.2015 at 13:22, Susan Hinrichs wrote:
Are you seeing actual failed connections? Or is ATS just logging more
intermediate error cases than httpd?

it is just impossible to use "ab" against an ATS, see the difference below,
and when you run https://www.ssllabs.com/ssltest/ against both sites
you see SSL2/SSL3 disabled on both

that pretty surely also affects other older clients, not only "ab", for no
good reason
__________________________________________________________

[harry@rh:~]$ ab -n 1 https://www.thelounge.net/
This is ApacheBench, Version 2.3 <$Revision: 1638069 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.thelounge.net (be patient)...SSL handshake failed (1).
140536880785376:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
..done
__________________________________________________________

[harry@rh:~]$ ab -n 1 https://secure.thelounge.net/
This is ApacheBench, Version 2.3 <$Revision: 1638069 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking secure.thelounge.net (be patient).....done

Server Software:
Server Hostname:        secure.thelounge.net
Server Port:            443
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,4096,128
__________________________________________________________

On 4/16/2015 6:13 AM, Reindl Harald wrote:

On 16.04.2015 at 13:08, Neddy, NH. Nam wrote:
Yeah, it's been long time:
https://issues.apache.org/jira/browse/TS-2402

"SSL v3 is disabled" is a completely different story than breaking
client handshakes; as said, *all* our services have SSL3 disabled and
you can benchmark a httpd server without any issues with "ab"

On Thu, Apr 16, 2015 at 4:57 PM, Reindl Harald
<[email protected]> wrote:
why is it still an issue doing a benchmark against an ATS server with
"ab -c 100 -n 20000 https://traffic-server-site/" while the same works
just fine when the server is a normal httpd with SSLv3 also disabled?

140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770
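An added example (my own code, not from this thread or the ATS project) that models the server-side negotiation the records.config excerpt earlier in the thread expresses: which protocol versions the server accepts and, with honor_cipher_order set, which cipher it picks from a client's offer. It assumes a simplified model in which an empty protocol or cipher intersection is what the client reports as the "sslv3 alert handshake failure" above; the config excerpt (shortened to a few suites) and the client offers are constructed.

```python
# Constructed, shortened excerpt of the records.config lines quoted in the thread.
RECORDS_CONFIG = """\
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
"""

PROTOS_NEWEST_FIRST = ("TLSv1_2", "TLSv1_1", "TLSv1", "SSLv3", "SSLv2")


def parse_records(text):
    """Parse 'CONFIG <name> <TYPE> <value>' lines into a dict (values kept as str)."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "CONFIG":
            conf[parts[1]] = parts[3]
    return conf


def server_policy(conf):
    """Return (enabled protocols, server cipher list in order, honor_cipher_order)."""
    protos = [p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")
              if conf.get(f"proxy.config.ssl.{p}") == "1"]
    # '!LOW' / '!MEDIUM' are OpenSSL exclusion directives, not suite names.
    ciphers = [c for c in conf["proxy.config.ssl.server.cipher_suite"].split(":")
               if not c.startswith("!")]
    honor = conf.get("proxy.config.ssl.server.honor_cipher_order") == "1"
    return protos, ciphers, honor


def negotiate(conf, client_protos, client_ciphers):
    """Simplified hello negotiation: (protocol, cipher) on success, None when the
    server has nothing in common with the offer and would alert handshake_failure."""
    protos, ciphers, honor = server_policy(conf)
    common = [p for p in PROTOS_NEWEST_FIRST if p in protos and p in client_protos]
    if not common:
        return None
    # honor_cipher_order=1: server preference wins; otherwise the client's order does.
    preferred = ciphers if honor else list(client_ciphers)
    other = set(client_ciphers) if honor else set(ciphers)
    for c in preferred:
        if c in other:
            return common[0], c
    return None
```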

