otruniger
Level 10

Cannot connect to a specific https webserver

Hi,

I cannot make our MWG 7.4.2.7.0 (18936) connect to https://www.journal21.ch and I don't fully understand the problem.

When I try to debug the problem with openssl I find that the server accepts only these ciphers available on MWG: AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, DES-CBC3-SHA

So this command works: openssl s_client -connect www.journal21.ch:443 -cipher AES256-GCM-SHA384

But whatever I try, it never works with the local curl command. I always get:

$ curl https://www.journal21.ch/

curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

If I use curl on Solaris or Ubuntu it works using ECDHE-ECDSA-AES128-GCM-SHA256, which is not available on MWG. But it also fails like this:

curl -k --ciphers AES256-GCM-SHA384 https://www.journal21.ch (but it works with "curl -k --ciphers ECDHE-ECDSA-AES128-GCM-SHA256 https://www.journal21.ch")

So my conclusion so far: openssl does not behave the same as curl. While openssl can do a successful handshake with www.journal21.ch for some ciphers, curl never succeeds with any of the available ciphers, and it also fails on a different OS with the same ciphers (while succeeding with different ciphers not available on MWG).

When curl always fails on MWG, I guess I should not wonder why my proxy always fails. BTW: I have a decent setup for SSL according to the guide for Poodle.

Is there any chance to get this working on MWG? And if not, what's the problem with the webserver? Yes, I can set up an SSL-Tunnel for the site, but I would like to understand the technical background.

Thanks for any insights

2 Replies
skloepping
Level 9

Re: Cannot connect to a specific https webserver

Hi,

as far as I can see, both IP addresses associated with the domain name are behind a Cloudflare CDN and only support TLS_ECDHE_ECDSA-* ciphers:

Qualys SSL Labs - Projects / SSL Server Test / journal21.ch

As of now, a whitelist entry / "Tunneled Host" list entry for that domain should be working, correct?

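A way to check the cipher overlap offline, as an added example that is not from the thread or from MWG: it uses Python's ssl module to expand two OpenSSL cipher strings, the MWG list from the first post and a constructed ECDHE-ECDSA-only list standing in for what SSL Labs reported, and shows that a server honouring its own preference order finds nothing to pick, which is the handshake_failure alert curl prints as "sslv3 alert handshake failure".

```python
import ssl

# Suites the first post says are available on MWG (OpenSSL names).
MWG_CIPHERS = ("AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:"
               "AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA")
# Constructed stand-in for the SSL Labs finding (ECDHE-ECDSA suites only);
# the exact list on the real server is an assumption, not taken from the thread.
SITE_CIPHERS = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
                "ECDHE-ECDSA-AES128-SHA256")


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the TLS 1.2-and-below suites it
    selects, in preference order. TLS 1.3 suites are always listed by
    get_ciphers() regardless of set_ciphers(), so they are dropped here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # unknown names are skipped; no match raises
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiate(server_ciphers, client_ciphers):
    """Return the suite a server that honours its own order would choose from
    the client's offer, or None when the offer and the server list do not
    overlap, which on the wire is a handshake_failure alert."""
    offered = {c["name"] for c in expand(client_ciphers)}
    for suite in expand(server_ciphers):
        if suite["name"] in offered:
            return suite["name"]
    return None


def kx_auth_profile(cipher_string):
    """Key-exchange / authentication pairs a cipher string covers. Suites
    authenticated with RSA need an RSA certificate on the server, so a server
    that only offers ECDHE-ECDSA suites shares no pair with the MWG list."""
    return {(c["kea"], c["auth"]) for c in expand(cipher_string)}


if __name__ == "__main__":
    print("MWG offer vs site:", negotiate(SITE_CIPHERS, MWG_CIPHERS))
    print("curl on Ubuntu vs site:",
          negotiate(SITE_CIPHERS, "ECDHE-ECDSA-AES128-GCM-SHA256"))
    print("MWG side:", kx_auth_profile(MWG_CIPHERS))
    print("site side:", kx_auth_profile(SITE_CIPHERS))
```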
otruniger
Level 10

Re: Cannot connect to a specific https webserver

Hi Stefan,

yes, an SSL-Tunnel would work, as I already stated above.

Your tests with Qualys SSL Labs tool confirm my findings with curl on MWG. And also confirm that this site cannot be connected with MWG SSL Scanner.

I just still don't understand why the SSL handshake works with the openssl tool with all the ciphers cited in my first message but not with curl and the SSL Scanner.
