Hi,
when I try to connect to <api.media.atlassian.com> I get the error:
error: 1408f10b:SSL routines: SSL_GET_RECORD:wrong version number:SSL error at server handshake: state 26: Application response 500 handshakefailed.
but my and the server's cipher lists overlap (with TLS 1.2).
Also when I perform a
openssl s_client -connect api.media.atlassian.com:443
on the Gateway, I get a proper session with TLSv1.2.
What could be the reason here?
Best regards
Hansle
Hi,
Hope you are doing well.
Issue is reproducible at my end as well.
After MWG sent the Client Hello to the server, we were getting an Alert message from the server stating a handshake failure, which meant there is something missing in the Client Hello which the server was expecting.
On checking further on https://www.ssllabs.com for the URL https://api.media.atlassian.com/, I found an issue with the signature algorithms MWG was sending.
In the SSL Scanner rule set there is a rule set named Handle Connect Call, in which there is a rule named Enable Certificate Verification; in its events, Enable SSL Scanner <Default Certificate Verification> is present. If you click on this, there is an option Allow legacy signatures in the handshake. You need to enable this, and the website https://api.media.atlassian.com/ works fine, which concludes that the web server is expecting legacy signatures in the Client Hello.
If you check the output from SSLLabs, you will see there is one CA within the chain that shows:
Signature algorithm SHA1withRSA WEAK.
This will lead to MWG closing the connection during the handshake (for security reasons, SHA1 is not allowed anymore by default). By enabling the setting you allow the SHA1 signatures in the handshake.
You can use openssl s_client to see the signature algorithms which the web server supports, and MWG should use the additional signature algorithm if we enable Allow legacy signatures in the handshake.
So you can either enable the option Allow legacy signatures in your existing rule, which would be applicable to all SSL traffic, or else you can create a new rule in the SSL rule set which says URL.Host matches api.media.atlassian.com, for which in the events you can set Enable SSL Scanner <your custom created content inspection>, in which you enable Allow legacy signatures in the handshake.
Regards
Alok Sarda
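The answer above points at two checks a practitioner would want to script: which signature algorithm each certificate in the server's chain actually carries (the SHA1withRSA CA that SSLLabs flags), and whether the server really aborts the handshake when the client only offers modern signature algorithms, as the proxy does by default. The following shell script is an added example, not code from the original thread or from the MWG product. It assumes only the openssl command-line tool; the host name is the one from the thread, and the file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the signature algorithms
# of the certificates a server presents, and reproduce a handshake that offers
# only modern signature algorithms. Assumes the openssl CLI is installed.

# Classify a signature algorithm name as printed by `openssl x509 -text`.
# Prints "WEAK" for SHA-1 or MD5 based signatures, "OK" otherwise.
classify_sigalg() {
    case "$1" in
        sha1With*|*SHA1*|md5With*|*MD5*) echo "WEAK" ;;
        *) echo "OK" ;;
    esac
}

# Walk a PEM bundle (several certificates in one file) and print one line per
# certificate: <subject>  <signature algorithm>  <WEAK|OK>.
# Returns 1 if any certificate carries a weak signature, 0 otherwise.
audit_chain() {
    bundle="$1"
    weak=0
    tmpdir=$(mktemp -d)
    # Split the bundle into one temporary file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    for cert in "$tmpdir"/cert*.pem; do
        [ -f "$cert" ] || continue
        subject=$(openssl x509 -in "$cert" -noout -subject)
        # The first "Signature Algorithm:" line in -text output is the algorithm
        # the issuer used to sign this certificate (it is repeated after the extensions).
        alg=$(openssl x509 -in "$cert" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
        verdict=$(classify_sigalg "$alg")
        [ "$verdict" = "WEAK" ] && weak=1
        printf '%s  %s  %s\n' "$subject" "$alg" "$verdict"
    done
    rm -rf "$tmpdir"
    return $weak
}

# Fetch the chain a live server sends (-showcerts prints every certificate)
# and audit it. Usage: audit_host api.media.atlassian.com 443
audit_host() {
    host="$1"; port="${2:-443}"
    chain=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$chain"
    audit_chain "$chain"
    rc=$?
    rm -f "$chain"
    return $rc
}

# Reproduce the proxy's behaviour: offer only the listed signature algorithms in
# the Client Hello (openssl s_client -sigalgs) and report whether the server
# completes the handshake. A server that needs SHA-1 in its chain typically
# answers "handshake failure" when SHA-1 is absent from the list.
# Usage: probe_sigalgs api.media.atlassian.com 443 'RSA+SHA256:ECDSA+SHA256'
probe_sigalgs() {
    host="$1"; port="${2:-443}"; sigalgs="${3:-RSA+SHA256:ECDSA+SHA256}"
    if openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
            -sigalgs "$sigalgs" </dev/null 2>/dev/null | grep -q 'Verify return code'; then
        echo "handshake completed with sigalgs=$sigalgs"
        return 0
    fi
    echo "handshake FAILED with sigalgs=$sigalgs"
    return 1
}
```

Run `audit_host` against the host to list which certificate in the chain is SHA-1 signed, then `probe_sigalgs` once with a modern-only list and once with `'RSA+SHA256:RSA+SHA1'` appended; if only the second succeeds, the server behaves exactly as described in the answer and the proxy's legacy-signature setting is the knob that matters. Scoping that setting to a host-specific rule, as the answer suggests, keeps SHA-1 disabled for every other site.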