Message 1 of 3

Cannot connect to a specific https webserver


I cannot make our MWG (18936) connect to and I don't fully understand the problem.

When I try to debug the problem with openssl I find that the server accepts only these ciphers available on MWG: AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, DES-CBC3-SHA

So this command works: openssl s_client -connect -cipher AES256-GCM-SHA384

But whatever I try, it never works with the local curl command. I always get:

$ curl

curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

If I use curl on Solaris or Ubuntu it works using ECDHE-ECDSA-AES128-GCM-SHA256, which is not available on MWG. But it also fails like this:

curl -k --ciphers AES256-GCM-SHA384 (but it works with "curl -k --ciphers ECDHE-ECDSA-AES128-GCM-SHA256")

So my conclusion so far: openssl does not do the same as curl. While openssl can do a successful handshake with for some ciphers, curl never succeeds for any of the available ciphers, but fails also on different OS with the same ciphers (while succeeding with different ciphers not available on MWG).

When curl always fails on MWG, I guess I should not wonder why my proxy always fails. BTW: I have a decent setup for SSL according to the guide for Poodle.

Is there any chance to get this working on MWG? And if not, what's the problem with the webserver? Yes, I can set up an SSL-Tunnel for the site, but I would like to understand the technical background.

Thanks for any insights

2 Replies
Former Member
Message 2 of 3

Re: Cannot connect to a specific https webserver

Hi ,

as far as I can see, both IP addresses associated with the domain name are behind a Cloudflare CDN and are only supporting TLS_ECDHE_ECDSA-* ciphers:

Qualys SSL Labs - Projects / SSL Server Test /

Qualys SSL Labs - Projects / SSL Server Test /

As of now a whitelist entry / "Tunneld Host" List entry for that domain should be working, correct?

Message 3 of 3

Re: Cannot connect to a specific https webserver

Hi Stefan,

yes, an SSL-Tunnel would work, as I already stated above.

Your tests with Qualys SSL Labs tool confirm my findings with curl on MWG. And also confirm that this site cannot be connected with MWG SSL Scanner.

I just still don't understand why SSL handshake works with the openssl tool with all the ciphers cited in my first message but not with curl and the SSL Scanner.
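
An added example, not part of any post in this thread: it classifies the OpenSSL cipher names quoted above by key exchange and authentication and checks them against a server that, per the Qualys result in the second message, only offers ECDHE-ECDSA suites. The function names are illustrative, and only TLS 1.2-and-earlier OpenSSL naming is handled.

```python
# Added example: classify OpenSSL cipher-suite names and test for overlap
# with a server's key-exchange/authentication requirement.

# Cipher lists copied from the thread.
MWG_CIPHERS = [
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA", "DES-CBC3-SHA",
]
OTHER_CLIENT = ["ECDHE-ECDSA-AES128-GCM-SHA256"]

# OpenSSL naming for TLS 1.2 and earlier: an optional "<kx>-<auth>-" prefix.
# A name with no such prefix uses RSA key exchange and RSA authentication.
PREFIXES = {
    "ECDHE-ECDSA-": ("ECDHE", "ECDSA"),
    "ECDHE-RSA-": ("ECDHE", "RSA"),
    "DHE-RSA-": ("DHE", "RSA"),
    "DHE-DSS-": ("DHE", "DSS"),
}

def classify(name):
    """Return (key_exchange, authentication, remainder) for an OpenSSL name."""
    if name.startswith("TLS_"):
        raise ValueError("TLS 1.3 suite names are not covered by this example")
    for prefix, (kx, auth) in PREFIXES.items():
        if name.startswith(prefix):
            return kx, auth, name[len(prefix):]
    return "RSA", "RSA", name

def usable(client_ciphers, server_kx, server_auth):
    """Client ciphers whose kx/auth pair matches what the server offers."""
    wanted = (server_kx, server_auth)
    return [c for c in client_ciphers if classify(c)[:2] == wanted]

def report(label, client_ciphers, server_kx="ECDHE", server_auth="ECDSA"):
    """One-line verdict for a client list against the server requirement."""
    matches = usable(client_ciphers, server_kx, server_auth)
    verdict = "handshake possible" if matches else "no shared cipher"
    return f"{label}: {verdict} {matches}"

if __name__ == "__main__":
    for c in MWG_CIPHERS + OTHER_CLIENT:
        kx, auth, _ = classify(c)
        print(f"{c:32} kx={kx:5} auth={auth}")
    print(report("MWG list", MWG_CIPHERS))
    print(report("Solaris/Ubuntu curl", OTHER_CLIENT))
```

Every cipher in the MWG list classifies as RSA/RSA, so none of them can be selected by a server that presents only an ECDSA certificate with ECDHE key exchange.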
