Showing results for 
Search instead for 
Did you mean: 
Level 12

MWG TLS handshake failure to ?

Chasing down this same fun   (    )  with

Can anyone else confirm?


Reason: error:00000000:lib(0):func(0):reason(0)Smiley FrustratedSL error at server handshake:state 25:Application response 500 handshakefailed

My dev proxy with legacy handshake enabled connects fine, but without it, handshake failed.

I'd love to go beat on Amazon to tell them their security house isn't as in order as they'd like (if these legacy handshakes open attack surface), but when doing so I'd love to make the case to them in terms of RFC's CVE's curl and openssl s_client as possible.  

Anyone happen to know how to reproduce the handshake failure on the command line?

Is there an opportunity for Amazon to fix something here?

0 Kudos
2 Replies
Level 12

Re: MWG TLS handshake failure to ?

So... for those in the know on this, is it the "Peer signing digest: SHA1"  that's offensive to web gateway policy that has legacy signatures disabled?

# openssl s_client -debug -connect


write to 0xc21730 [0xd07eb0] (289 bytes => 289 (0x121))




subject=/C=US/ST=Washington/L=Seattle/ Inc./

issuer=/C=US/O=DigiCert Inc/ Baltimore CA-2 G2


No client certificate CA names sent

Peer signing digest: SHA1

Server Temp Key: ECDH, P-256, 256 bits


SSL handshake has read 3140 bytes and written 415 bytes


New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated


    Protocol  : TLSv1.2

    Cipher    : ECDHE-RSA-AES128-GCM-SHA256

    Session-ID: 550623180BCBEB69E319E69C5F9DDD52CBABCB7E317AE54A0E8B5EC2EEF01777


    Master-Key: FA114FD0BCEAFB6CB737BEF4C4B88B3261556E1A70D0EB4778C0395AD8848DF98C3CB0F10A8794DBD2BD824D4856CCD0

    Key-Arg   : None

    Krb5 Principal: None

    PSK identity: None

    PSK identity hint: None

    Start Time: 1475872627

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)


0 Kudos
Level 10

Re: MWG TLS handshake failure to ?

Hi Regis,

in this case it's the "Baltimore CyberTrust Root" certificate with a sha1 signature at the top of the chain.

Regards, Othmar