KY
Message 1 of 5

Handshake Failed SSL Error

The SSL handshake could not be performed.
Host: www.washingtongas.com
Reason: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:SSL error at server handshake:state 26:Application response 500 handshakefailed
Accepted Solutions
McAfee Employee aloksard
Message 4 of 5

Re: Handshake Failed SSL Error

Hi,

Hope you are doing well.

Issue is reproducible at my end.

After MWG sends the Client Hello to the server, we were getting an Alert message from the server stating a handshake failure error, which meant there is something missing in the Client Hello which the server was expecting.

On checking further at https://www.ssllabs.com for https://www.washingtongas.com/, I found an issue with the signature algorithm MWG was sending.

In the SSL Scanner rule set there is a rule set named Handle Connect Call, in which there is a rule named Enable Certificate Verification. In its events, Enable SSL Scanner <Default Certificate Verification> is present; if you click on this, there is an option Allow legacy signatures in the handshake. You need to enable this and the website https://www.washingtongas.com/ works fine, which concludes that the web server is expecting legacy signatures in the Client Hello.

If you check the output from SSL Labs, you will see there is one CA within the chain that shows:
Signature algorithm SHA1withRSA WEAK.

This will lead to MWG closing the connection during the handshake (for security reasons, SHA1 is not allowed anymore by default). By enabling the setting you allow the SHA1 signatures in the handshake.

You can use openssl s_client to check which signature algorithms the web server supports, and MWG should use the additional signature algorithm if we enable Allow legacy signatures in the handshake.

So you can either enable the option Allow legacy signatures in the handshake in your existing rule, which would be applicable for all SSL traffic, or else you can create a new rule in the SSL Scanner rule set which says URL.host matches www.washingtongas.com, for which in events you can set Enable SSL Scanner <use your custom created content inspection setting, in which you enable Allow legacy signatures in the handshake>.

Regards

Alok Sarda
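
The openssl s_client check Alok describes, carried out one step lower in the stack as an added example (this is not code from the thread or from McAfee). It builds a TLS 1.2 ClientHello by hand so that the signature_algorithms extension can be controlled exactly, sends it, and classifies the first record the server returns: a server that needs SHA-1 signatures answers the SHA-1-free hello with a fatal handshake_failure alert (the same alert Alok saw from MWG) and the SHA-1-inclusive hello with a ServerHello. The cipher-suite list, the five-second timeout and the default target (the host from this thread) are this example's own choices; it speaks TLS 1.2 only, and the alert bytes used in the offline self-check are constructed.

```python
"""Probe whether a TLS 1.2 server accepts a ClientHello that omits SHA-1
signature algorithms.  Added example, not from the original thread or McAfee."""
import os
import socket
import struct

# signature_algorithms codepoints as (hash, signature), RFC 5246 section 7.4.1.4.1
MODERN_SIGALGS = [(0x04, 0x01), (0x05, 0x01), (0x06, 0x01),   # sha256/384/512 + rsa
                  (0x04, 0x03), (0x05, 0x03)]                 # sha256/384 + ecdsa
LEGACY_SIGALGS = MODERN_SIGALGS + [(0x02, 0x01), (0x02, 0x03)]  # + sha1+rsa, sha1+ecdsa

# Cipher suites offered (an assumption of this example; the server picks one).
CIPHER_SUITES = [0xC02F, 0xC030, 0xC013, 0xC014, 0x009C, 0x002F, 0x0035]

ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter",
               70: "protocol_version", 80: "internal_error"}


def _ext(ext_type, body):
    """Encode one TLS extension: type (2 bytes), length (2 bytes), body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name, sigalgs):
    """Return a complete TLS record carrying a TLS 1.2 ClientHello with SNI and
    exactly the given signature_algorithms list."""
    sni_entry = struct.pack("!BH", 0, len(server_name)) + server_name.encode()
    sni = struct.pack("!H", len(sni_entry)) + sni_entry
    sa = b"".join(struct.pack("!BB", h, s) for h, s in sigalgs)
    sa = struct.pack("!H", len(sa)) + sa
    extensions = _ext(0x0000, sni) + _ext(0x000D, sa)
    suites = b"".join(struct.pack("!H", c) for c in CIPHER_SUITES)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                    # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_sigalgs(record):
    """Parse the signature_algorithms list back out of a ClientHello record
    (lets us verify offline that the builder emits what we intended)."""
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                   # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
    p += 1 + record[p]                                   # compression methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p < ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        body = record[p + 4:p + 4 + elen]
        if etype == 0x000D:
            n = struct.unpack("!H", body[:2])[0]
            return [(body[2 + i], body[3 + i]) for i in range(0, n, 2)]
        p += 4 + elen
    return []


def classify_response(record):
    """Classify the first TLS record a server sends back to our ClientHello."""
    if len(record) < 5:
        return "no_response"
    ctype = record[0]
    if ctype == 0x15 and len(record) >= 7:               # alert: level, description
        level, desc = record[5], record[6]
        return "alert:%s:%s" % ("fatal" if level == 2 else "warning",
                                ALERT_NAMES.get(desc, str(desc)))
    if ctype == 0x16 and len(record) >= 6 and record[5] == 0x02:
        return "server_hello"
    return "unexpected:%d" % ctype


def probe(host, sigalgs, port=443, timeout=5.0):
    """Send one ClientHello to host and return the classification of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host, sigalgs))
        try:
            return classify_response(s.recv(4096))
        except socket.timeout:
            return "no_response"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.washingtongas.com"
    print("without SHA-1:", probe(target, MODERN_SIGALGS))
    print("with SHA-1   :", probe(target, LEGACY_SIGALGS))
```

Run it as `python3 probe_sigalgs.py <host>`; a server that requires legacy signatures prints alert:fatal:handshake_failure for the first line and server_hello for the second. A reply that is neither an alert nor a ServerHello is reported as unexpected:<content type>, which is how a non-TLS response on the wire looks at this layer.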

4 Replies
KY
Message 2 of 5

Re: Handshake Failed SSL Error


It works on my company computer, but I get the error on the agency-supported network.

Reliable Contributor marcus69
Message 3 of 5

Re: Handshake Failed SSL Error


Hi @KY 

the target website has a very special combination of available cipher suites (see also https://www.ssllabs.com/ssltest/analyze.html?d=www.washingtongas.com).
It seems to be a very old web server that does not support modern cipher suites, and most of the insecure ciphers were disabled to ensure at least a minimum of security, which leaves it very inflexible.

Chances are that your Web Gateway currently does not have the proper configuration of the SSL Scan engine to meet that special requirement.
You may define an SSL Scanner Setting, an SSL Client Context with a separate rule for this special site to meet its SSL requirements, but in my opinion it would not be worth the effort.
Because of the obviously old SSL constellation of the target, you will hardly meet another server with that special setup, so it hardly makes sense to create a special SSL setup for it.

The quick and dirty solution would be to disable SSL Scan for this special website by adding it to the list "SSL Tunneled Hosts", which is typically found in the rule set named "Handle CONNECT Call".
But please keep in mind that the Web Gateway would not be able to scan for malware on SSL websites that have the SSL Scanner disabled!

Best regards
Marcus

KY
Message 5 of 5

Re: Handshake Failed SSL Error


Alok,

Thank you for replying. The event settings in our environment are:

Certificate Verification: Enable

user-defined.ssl.enabled equals true - Continue - Enable SSL Scanner<SSL Scanner. Certificate Verification>.

As per your suggestion, I did change the event settings to Default Certificate Verification, but I am getting the same error:

SSL routines:SSL3_GET_RECORD:wrong version number:SSL error at server handshake:state 26:Application response 500 handshakefailed.

Thank you,

Karthika Yaratha
