on several sites I'm receiving error "The SSL handshake could not be performed" followed by zeros in reason. I cannot find anything in logs of the Web Gateway related to this. I tried to open one of the sites bypassing the MWG and it worked fine (however, one browser said "SSL negotiation failed"). Personally I have no clue how to solve this issue. Have any of you came across this issue?
Looking at some openssl conns:
openssl s_client -connect forums.citrix.com:443
depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
depth=1 /O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA
depth=0 /C=US/ST=FL/L=Fort Lauderdale/O=Citrix Systems Inc./OU=IT/CN=*.citrix.com
errno=104 is ECONNRESET which means that the remote side reset the connection.
Using the -prexit option supplies more info (snipped for brevity):
openssl s_client -connect forums.citrix.com:443 -prexit
Protocol : TLSv1
Cipher : EXP-RC2-CBC-MD5
This is a weak cipher. See https://www.ssllabs.com/ssltest/analyze.html?d=forums.citrix.com for a more detailed analysis of the ciphers being used by that site.
When HIGH, MEDIUM or LOW ciphers are specified, the openssl connection succeeds and will return a 301 Moved Permanently message:
openssl s_client -connect forums.citrix.com:443 -cipher HIGH
Protocol : TLSv1
Cipher : AES128-SHA
Key-Arg : None
Krb5 Principal: None
Start Time: 1353115411
Timeout : 300 (sec)
Verify return code: 0 (ok)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>301 Moved Permanently</title>
<p>The document has moved <a href="http://community.citrix.com/">here</a>.</p>
<address>Apache/2.2.3 (Red Hat) Server at ftlxwsforums02.dmz.citrite.net Port 8190</address>
I played around a bit with the default CA cipher list, but no success with that. My final solution was to implement a rule as follows:
Criteria: URL.Host matches forums.citrix.com, Action: Continue, Events: Set URL.Host="community.citrix.com"
As an aside (which has no bearing on your original issue), the default cipher list in MWG is set to:
If ! is used then the ciphers are permanently deleted from the list.
If - is used then the ciphers are deleted from the list, but can be re-added.
If + is used then the ciphers are moved to the end of the list.
This can be interpreted as follows:
ALL -- all cipher suites except the eNULL ciphers which must be explicitly enabled; as of OpenSSL, the ALL cipher suites are reasonably ordered by default
!ADH -- disallow ADH
+RC4 -- move RC4 to the end of the list
@STRENGTH -- sort the list according to strength.
This last value negates the previous +RC4 statement. @STRENGTH can be utilized at any point during the series of commands so +RC4:@STRENGTH is equivalent to @STRENGTH. If you really want to push RC4 to the end of the list, ALL:!ADH:@STRENGTH:+RC4 is what should be used.
You can use openssl to evaluate the ciphers:
openssl ciphers -v 'ALL:!ADH:+RC4:@STRENGTH'
With all RC4 actually at the end:
openssl ciphers -v 'ALL:!ADH:@STRENGTH:+RC4'on 11/16/12 10:05:29 PM CST
This error sometimes occur when you search in google.com in https session. If you try the link again, you can clear the error and successfully connect to the page. I couldn't figure how to solve this.