I cannot make our MWG 184.108.40.206.0 (18936) connect to https://www.journal21.ch and I don't fully understand the problem.
When I try to debug the problem with openssl I find that the server accepts only these ciphers available on MWG: AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, DES-CBC3-SHA
So this command works: openssl s_client -connect www.journal21.ch:443 -cipher AES256-GCM-SHA384
But whatever I try, it never works with the local curl command. I always get:
$ curl https://www.journal21.ch/
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
If I use curl on Solaris or Ubuntu it works using ECDHE-ECDSA-AES128-GCM-SHA256, which is not available on MWG. But it also fails like this:
So my conclusion so far: openssl does not do the same as curl. While openssl can do a successful handshake with www.journal21.ch for some ciphers, curl never succeeds for any of the available ciphers, and it also fails on a different OS with the same ciphers (while succeeding with different ciphers not available on MWG).
Since curl always fails on MWG, I guess I should not wonder why my proxy always fails. BTW: I have a decent setup for SSL according to the guide for Poodle.
Is there any chance to get this working on MWG? And if not, what's the problem with the web server? Yes, I can set up an SSL tunnel for the site, but I would like to understand the technical background.
Thanks for any insights
As far as I can see, both IP addresses associated with the domain name are behind a Cloudflare CDN and only support TLS_ECDHE_ECDSA-* ciphers:
As of now a whitelist entry / "Tunneld Host" List entry for that domain should be working, correct?
Yes, an SSL tunnel would work, as I already stated above.
Your tests with the Qualys SSL Labs tool confirm my findings with curl on MWG. They also confirm that this site cannot be connected to with the MWG SSL Scanner.
I still just don't understand why the SSL handshake works with the openssl tool with all the ciphers cited in my first message, but not with curl and the SSL Scanner.
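An added example (not code from this thread or from MWG) that makes the cipher mismatch discussed above checkable: it parses OpenSSL cipher names into their key-exchange/auth/cipher/MAC parts, reports which suites the MWG list from the first post shares with an ECDHE-ECDSA-only server like the one described in the reply, and offers one suite at a time to a host the way `openssl s_client -cipher` does. The suite names in SERVER_CIPHERS are a constructed sample standing in for the site's real list, which the thread does not quote.

```python
import socket
import ssl

# Cipher list the first post says MWG can offer (OpenSSL names).
MWG_CIPHERS = ["AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA", "AES128-GCM-SHA256",
               "AES128-SHA256", "AES128-SHA", "DES-CBC3-SHA"]
# Constructed sample of an ECDHE-ECDSA-only server as described in the reply;
# the site's real list is not quoted in the thread.
SERVER_CIPHERS = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
                  "ECDHE-ECDSA-AES128-SHA256"]

def parse_cipher(name):
    """Split an OpenSSL cipher name into (kx, auth, enc, mac). Names without a
    kx/auth prefix, e.g. AES128-SHA, mean RSA key exchange with RSA auth."""
    parts = name.split("-")
    kx = auth = "RSA"
    if parts[0] in ("ECDHE", "DHE", "ECDH", "DH"):
        kx = parts.pop(0)
        auth = parts.pop(0)          # ECDSA, RSA or DSS
    mac = parts.pop()                # SHA, SHA256, SHA384, MD5
    enc = "-".join(parts)            # AES128, AES256-GCM, DES-CBC3, ...
    return kx, auth, enc, mac

def shared_ciphers(client, server):
    """Suites present on both sides, in the client's preference order."""
    offered = {parse_cipher(c) for c in server}
    return [c for c in client if parse_cipher(c) in offered]

def probe(host, cipher, port=443, timeout=5):
    """Offer one TLS 1.2 suite to host, like openssl s_client -cipher, and return
    the negotiated suite or the failure reason. Cert checks are off on purpose:
    only the handshake outcome is of interest here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 suites ignore set_ciphers
    try:
        ctx.set_ciphers(cipher)                    # raises if local OpenSSL lacks the suite
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:  # host is sent as SNI
                return tls.cipher()[0]
    except OSError as exc:                         # ssl.SSLError is an OSError subclass
        return "failed: %s" % (getattr(exc, "reason", None) or exc)

if __name__ == "__main__":
    print("shared with the MWG list:", shared_ciphers(MWG_CIPHERS, SERVER_CIPHERS))
    for c in MWG_CIPHERS + ["ECDHE-ECDSA-AES128-GCM-SHA256"]:
        print(c, "->", probe("www.journal21.ch", c))
```

Run stand-alone it needs network access for the probe loop; the parsing and intersection work offline.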