SSL handshake errors on Ver 7.5.2.8 - NOT a SHA1 only site

Has anyone else noticed an uptick in SSL handshake failures after upgrading to 7.5.2.8.0? Here is the message we are typically getting when these sites fail:

Reason: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:SSL error at server handshake:state 25:Application response 500 handshakefailed

Of course we can bypass SSL scanning for these sites, but that's probably not the preferred solution. We have the recommended POODLE configuration already.

I understand there is a problem with SHA1 fallback but I'm seeing handshake failures on sites that are SHA2 as well. Below are a couple of examples:

https://www.epsoninsider.com

https://pbctax.com/services/property-tax/real-estate-property-tax

4 Replies
eelsasser
Level 15

Re: SSL handshake errors on Ver 7.5.2.8 - NOT a SHA1 only site

I see the same issue.

I had to checkmark the "Allow legacy signatures in handshake" in the certificate verification.


Re: SSL handshake errors on Ver 7.5.2.8 - NOT a SHA1 only site

Are you running 7.5.2.8? I don't seem to have that option.

eelsasser
Level 15

Re: SSL handshake errors on Ver 7.5.2.8 - NOT a SHA1 only site

7.5.2.10

btlyric
Level 12

Re: SSL handshake errors on Ver 7.5.2.8 - NOT a SHA1 only site

7.5.2.8 removed 6 signature hash algorithms. 7.5.2.9 adds 3 back if you select the option to Allow legacy signatures in the handshake.

It's possible to get the pbctax site working on 7.5.2.8 by configuring the certificate verification settings so that TLS 1.1 is the strongest option selected in the alternative handshake settings. When this is done, the initial handshake using TLS 1.2 will fail and the attempt that uses TLS 1.1 will succeed.

This doesn't help for the epsoninsider site because that site only supports TLS 1.2, but it will work if certificate verification is configured with TLS 1.2 selected and Server cipher list: TLSv1.2:!DSS:!DH:!NULL:@STRENGTH
