kbolt
Level 10
Message 1 of 4

Handshake Failed SSL Error

I'm seeing an issue while trying to access the site https://rewards.firstglobal-bank.com which results in the following block page:
errpage.JPG

I find that strange since https://www.firstglobal-bank.com works without an issue. In my SSL Scanner ruleset, I've allowed banking institutions to proceed without undergoing Content Inspection by looking for certain website categories. What exactly is this error telling me? After looking at the rule trace, I realize that while trying to access this problem webpage the Certificate Verification rule under "Handle CONNECT Call" isn't hit because Command.Name variable is never equal to CERTVERIFY, it's only CONNECT. I'm not sure how to force a CERTVERIFY or if that's even the source of the problem.

I looked at some Wireshark captures and it seems that the normal 3-way TCP and 2-way SSL handshakes go through without issue, with the strange exception that the Server Hello is separate from the Server Certificate and the Server Key Exchange, which I'm used to seeing as one packet. I'll attach two images of the TCP streams.

After reading this user's question I imported the ruleset attached, and the log file results in this:

2017-03-08 18:45:01 WGL-MWG01 500 HTTP rewards.firstglobal-bank.com 208.138.39.203 handshakefailed GET 10.0.11.143 error:00000000:lib(0):func(0):reason(0):SSL error at server handshake:state 25:Application response 500 handshakefailed Block Applications in Response Cycle https://rewards.firstglobal-bank.com/

2017-03-08 18:45:02 WGL-MWG01 500 HTTP rewards.firstglobal-bank.com 208.138.39.203 handshakefailed GET 10.0.11.143 error:00000000:lib(0):func(0):reason(0):SSL error at server handshake:state 25:Application response 500 handshakefailed Block Applications in Response Cycle https://rewards.firstglobal-bank.com/favicon.ico

Can anyone help me to see what's going wrong here?

3 Replies
kbolt
Level 10
Message 2 of 4

Re: Handshake Failed SSL Error

I'm currently trying to further understand the process of what's going on to cause the issue I described above, so I tried doing curl -v to https://rewards.firstglobal-bank.com and this was the result:

[root@WGL-MWG01 ~]# curl -v https://rewards.firstglobal-bank.com
* About to connect() to rewards.firstglobal-bank.com port 443 (#0)
*   Trying 208.138.39.203...
* Connected to rewards.firstglobal-bank.com (208.138.39.203) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to rewards.firstglobal-bank.com:443
* Closing connection 0

Also, could all of these obsolete connection settings be causing the failure?

obsolete_prot_ike_cipher.JPG

Accepted Solution
McAfee Employee smasnizk
McAfee Employee
Message 3 of 4

Re: Handshake Failed SSL Error

You can test those websites on SSLlabs.com:

SSL Server Test: rewards.firstglobal-bank.com (Powered by Qualys SSL Labs)

This will most likely show you what the server supports. Finally, you will need to adjust your SSL scanner settings to your needs. Alternatively, and this is what I would suggest you do, create a new SSL scanner setting where you allow weak ciphers and match this setting only for a list of URLs you may trust.

A sample of how this can work was posted a while ago:

-Sergej
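Before building the trusted-URL exception list suggested above, it helps to know exactly which destinations are being blocked with handshakefailed and with which OpenSSL reason and handshake state. The following added Python example (not from this thread, McAfee, or the Web Gateway product) parses log lines in the format shown in the original post; the third sample line, the host legacy.example.test and its error string are constructed for illustration.

```python
import re

# Constructed sample: the two lines from the post (the forum's ":S" smiley
# restored to ":SSL") plus one made-up line for a second host carrying a
# typical OpenSSL 1.0-style client-side error string.
SAMPLE_LOG = """\
2017-03-08 18:45:01 WGL-MWG01 500 HTTP rewards.firstglobal-bank.com 208.138.39.203 handshakefailed GET 10.0.11.143 error:00000000:lib(0):func(0):reason(0):SSL error at server handshake:state 25:Application response 500 handshakefailed Block Applications in Response Cycle https://rewards.firstglobal-bank.com/
2017-03-08 18:45:02 WGL-MWG01 500 HTTP rewards.firstglobal-bank.com 208.138.39.203 handshakefailed GET 10.0.11.143 error:00000000:lib(0):func(0):reason(0):SSL error at server handshake:state 25:Application response 500 handshakefailed Block Applications in Response Cycle https://rewards.firstglobal-bank.com/favicon.ico
2017-03-08 18:47:10 WGL-MWG01 500 HTTP legacy.example.test 192.0.2.10 handshakefailed GET 10.0.11.150 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:SSL error at server handshake:state 5:Application response 500 handshakefailed Block Applications in Response Cycle https://legacy.example.test/
"""

# Field order as in the posted lines; the free-text detail sits between the
# client IP and the trailing URL.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proxy>\S+) (?P<status>\d{3}) (?P<proto>\S+) "
    r"(?P<host>\S+) (?P<server_ip>\S+) (?P<block_id>\S+) (?P<method>\S+) "
    r"(?P<client_ip>\S+) (?P<detail>.*?) (?P<url>https?://\S+)$"
)
STATE_RE = re.compile(r"\bstate (\d+)")
OPENSSL_RE = re.compile(r"error:[0-9A-Fa-f]{8}:[^:]*:[^:]*:[^:]*")  # error:<hex>:<lib>:<func>:<reason>

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    state = STATE_RE.search(rec["detail"])
    rec["state"] = int(state.group(1)) if state else None
    # error:00000000 means OpenSSL queued no reason, so the handshake state
    # number is the only hint the log keeps.
    err = OPENSSL_RE.search(rec["detail"])
    rec["openssl_error"] = err.group(0) if err else None
    return rec

def summarize_handshake_failures(log_text):
    """Group handshakefailed blocks by destination host for review."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["block_id"] != "handshakefailed":
            continue
        e = summary.setdefault(rec["host"], {"count": 0, "server_ips": set(),
                                             "states": set(), "errors": set()})
        e["count"] += 1
        e["server_ips"].add(rec["server_ip"])
        e["states"].add(rec["state"])
        e["errors"].add(rec["openssl_error"])
    return summary
```

Feed the real access log to summarize_handshake_failures() and only the hosts that appear there, and that you actually trust, need to go into the weaker SSL scanner setting.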

kbolt
Level 10
Message 4 of 4

Re: Handshake Failed SSL Error

Awesome! This is what I was just asking on a separate thread. Thank you for this clarification. I'll make moves to implement an additional SSL Scanner setting this week.
