anupt1986
Level 7

SSL error at server handshake:state 25:Application response 500 handshakefailed

I have two proxy appliances in place: one with version 7.6.2.2.0 (21927) and the other with 7.7.2.4 (24164).

Accessing a URL from a network which points to the 7.6 version proxy gives me the error "SSL error at server handshake:state 25:Application response 500 handshakefailed", while it works fine when I redirect to the 7.7.2.4 one.

Rules are same across both the proxies.

Rule tracing shows the SSL packet getting dropped. It looks like the proxy must be dropping certain ciphers.

Please advise on this.

0 Kudos
2 Replies
McAfee Employee

Re: SSL error at server handshake:state 25:Application response 500 handshakefailed

Hi,

I think the best option is to open a ticket with support, name the website on which the issue occurs, and attach a feedback file and rule trace (from both systems, 7.6.2 and 7.7.2) as well as a screenshot of the error message.

Such issues can be caused by incorrectly entered ciphers or settings.

With the feedback file and rule trace it can be further investigated.

Then we can also try to reproduce this issue with your policy and test different ciphers/settings.

Further, is there a reason why one appliance is still on 7.6.2 and not running on 7.7.2 as the other?

Is upgrading to the latest version not an option for this appliance?

Regards,

Marcel

0 Kudos
johnaldridge
Level 10

Re: SSL error at server handshake:state 25:Application response 500 handshakefailed

Usually when I see this--and I've worked many of these--it's the distant server that's dropping the connection.  Sometimes they're nice enough to send an SSL error, while others just drop the socket.  Either way, it won't tell you anything about why the handshake failed.

Submit the destination host here: SSL Server Test (Powered by Qualys SSL Labs).

When that test completes, examine the cipher list.  Most of those that I've worked like this don't handle ciphers better than SHA1 and 3DES, but there are other possible issues.

You can create multiple SSL scanner/certificate verification settings and apply them selectively for different destinations by way of a white list.

There's a discussion of cipher suites here:

0 Kudos
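An added example, not part of the thread or of the vendor's product: a way to check offline whether a proxy's cipher setting shares any suite with the cipher list reported for a destination server, which is the comparison the last reply suggests doing by hand. It assumes the proxy setting is an OpenSSL-style cipher string and that the server's suites have been written down under their OpenSSL names; the function names and sample lists are constructed for illustration.

```python
import ssl

# Constructed sample: suites a legacy destination might report in a server
# test, written with OpenSSL names (scan reports usually show IANA names).
LEGACY_SERVER = ["DES-CBC3-SHA", "AES128-SHA"]


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the TLS <= 1.2 suites it enables
    on the local OpenSSL build, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selects no suite on this build
    # TLS 1.3 suites are listed regardless of the string, so drop them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def diagnose(proxy_cipher_string, server_suites):
    """Compare what the proxy would offer with what the server accepts."""
    offered = expand(proxy_cipher_string)
    shared = [name for name in offered if name in server_suites]
    return {
        "offered": offered,
        "shared": shared,
        "handshake_possible": bool(shared),
        # Server suites the local build cannot offer at all (for example 3DES
        # compiled out); listing them in the cipher string would change nothing.
        "unavailable_locally": [s for s in server_suites if not expand(s)],
    }


if __name__ == "__main__":
    # Hypothetical proxy settings: a strict one and one with a legacy fallback.
    for setting in ("ECDHE+AESGCM", "ECDHE+AESGCM:AES128-SHA"):
        result = diagnose(setting, LEGACY_SERVER)
        print(setting, "->", result["shared"] or "no shared cipher")
```

An empty `shared` list means the handshake cannot complete whatever the rule set says, which is the case for a separate, selectively applied SSL scanner setting as described in the last reply.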