Hansle
Level 7

SSL Handshake error


Hi,

When I try to connect to <api.media.atlassian.com> I get the error:

error: 1408f10b:SSL routines: SSL_GET_RECORD:wrong version number:SSL error at server handshake: state 26: Application response 500 handshakefailed.

But my and the server's cipher lists overlap (with TLS 1.2).

Also when I perform a

openssl s_client -connect api.media.atlassian.com:443

on the Gateway, I get a proper session with TLSv1.2.

What could be the reason here?

Best regards

Hansle

Accepted Solutions

aloksard (McAfee Employee)

Re: SSL Handshake error


Hi,

Hope you are doing well.

Issue is reproducible at my end as well.

After MWG sent the Client Hello to the server, we got an Alert message from the server stating handshake failure, which meant there is something missing in the Client Hello that the server was expecting.

On checking further on https://www.ssllabs.com for https://api.media.atlassian.com/, I found an issue with the signature algorithm MWG was sending.

In the SSL Scanner rule set, there is a rule set named Handle Connect Call, in which there is a rule named Enable Certificate Verification; in its events, Enable SSL Scanner <Default Certificate Verification> is present. If you click on this, there is an option Allow legacy signatures in the handshake. You need to enable this, and the website https://api.media.atlassian.com/ works fine, which concludes that the web server is expecting legacy signatures in the Client Hello.

If you check the output from SSLLabs, you will see there is one CA within the chain that shows:
Signature algorithm SHA1withRSA WEAK.

This will lead to MWG closing the connection during the handshake (for security reasons, SHA1 is not allowed anymore by default). By enabling the setting you allow the SHA1 signatures in the handshake.

You can use openssl s_client to check which signature algorithms the web server supports, and MWG should use the additional signature algorithm if we enable Allow legacy signatures in handshake.

So you can either enable the Allow legacy signatures option in your existing rule, which would be applicable for all SSL traffic, or else you can create a new rule in the SSL rule set which says URL.host matches api.media.atlassian.com, for which in events you can set Enable SSL Scanner <use your custom created content inspection>, in which you can enable Allow legacy signatures in handshake.

Regards

Alok Sarda
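The accepted answer traces the failure to one CA in the chain signed SHA1withRSA, which MWG rejects by default. The script below is an added example (not from this thread, McAfee or Atlassian) that lets a gateway admin confirm such a finding offline: it reads the outer signatureAlgorithm of every certificate in a PEM bundle, for instance one saved with `openssl s_client -connect host:443 -showcerts`, and flags SHA-1 signatures. It uses only the standard library and a minimal DER walker; the two-certificate chain built at the bottom is a constructed stand-in (empty tbsCertificate, dummy signature), not a real certificate, and exists only so the auditor can run without network access.

```python
"""Audit the signature algorithm of each certificate in a PEM chain, flagging SHA-1.

Added example, not from the forum thread or McAfee. Only the outer
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
structure is parsed, so no TLS library is required."""
import base64
import re
import sys

# OID -> (name, signed with SHA-1?). Common RSA and ECDSA signature OIDs.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.113549.1.1.10": ("rsassaPss", False),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4":   ("ecdsa-with-SHA512", False),
}

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Skip tbsCertificate and return the OID inside signatureAlgorithm."""
    tag, body_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, body_start)          # tbsCertificate, skipped
    _, alg_start, _ = _read_tlv(der, tbs_end)           # AlgorithmIdentifier
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def audit_chain(pem_text):
    """One dict per certificate in the bundle: index, OID, algorithm name, sha1 flag."""
    report = []
    for i, b64 in enumerate(PEM_BLOCK.findall(pem_text)):
        der = base64.b64decode("".join(b64.split()))
        oid = signature_algorithm_oid(der)
        name, is_sha1 = SIGNATURE_OIDS.get(oid, (oid, False))
        report.append({"index": i, "oid": oid, "algorithm": name, "sha1": is_sha1})
    return report


def has_sha1_signature(pem_text):
    """True if any certificate in the chain is SHA-1 signed (rejected by MWG by default)."""
    return any(entry["sha1"] for entry in audit_chain(pem_text))


# --- constructed sample input: NOT valid certificates, only the outer shell ---
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return bytes(out)


def constructed_cert_pem(sig_oid):
    """Constructed certificate shell: empty tbsCertificate, given sigalg, dummy signature."""
    tbs = _tlv(0x30, b"")
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\x00\x00\x00"))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed chain: leaf signed SHA-256, intermediate CA signed SHA-1 (the SSLLabs finding).
SAMPLE_CHAIN = (constructed_cert_pem("1.2.840.113549.1.1.11")
                + constructed_cert_pem("1.2.840.113549.1.1.5"))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    for entry in audit_chain(text):
        print(f"cert[{entry['index']}] {entry['algorithm']} "
              f"{'WEAK (SHA-1)' if entry['sha1'] else 'ok'}")
```

Run it with a saved chain as the first argument, or with no argument to audit the constructed sample. Knowing exactly which certificate carries the SHA-1 signature helps decide between the two options in the answer: a host-scoped rule (URL.host matches the one site) limits the legacy-signature exception to that chain, whereas enabling it in the existing rule relaxes the check for all SSL traffic through the gateway.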

Hansle
Level 7

Re: SSL Handshake error

Hi Alok,

Thanks for your extensive and detailed answer and the description of how you solved it! Very nice! That's exactly what I was searching for.
I could solve the problem.

Thanks and best regards
Hansle