alojzyk

The SSL handshake could not be performed

Dear all,

On several sites I'm receiving the error "The SSL handshake could not be performed", followed by zeros in the reason. I cannot find anything in the logs of the Web Gateway related to this. I tried to open one of the sites bypassing the MWG and it worked fine (however, one browser said "SSL negotiation failed"). Personally I have no clue how to solve this issue. Have any of you come across this issue?

6 Replies
georgec

Re: The SSL handshake could not be performed

Can you mention the sites so people that use MWG can try to replicate your problem?

alojzyk

Re: The SSL handshake could not be performed

jspanitz

Re: The SSL handshake could not be performed

I can confirm we are seeing the same thing here. MWG 7.3

btlyric

Re: The SSL handshake could not be performed

In the case of https://forums.citrix.com, if you aren't behind a proxy, you get a 301 Moved Permanently response that sends you to http://community.citrix.com.

Looking at some openssl conns:

openssl s_client -connect forums.citrix.com:443
CONNECTED(00000003)
depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify return:1
depth=1 /O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA
verify return:1
depth=0 /C=US/ST=FL/L=Fort Lauderdale/O=Citrix Systems Inc./OU=IT/CN=*.citrix.com
verify return:1
write:errno=104

errno=104 is ECONNRESET, which means that the remote side reset the connection.

Using the -prexit option supplies more info (snipped for brevity):

openssl s_client -connect forums.citrix.com:443 -prexit
write:errno=104
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC2-CBC-MD5

This is a weak cipher. See https://www.ssllabs.com/ssltest/analyze.html?d=forums.citrix.com for a more detailed analysis of the ciphers being used by that site.

When HIGH, MEDIUM or LOW ciphers are specified, the openssl connection succeeds and returns a 301 Moved Permanently message:

openssl s_client -connect forums.citrix.com:443 -cipher HIGH
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: B5B568CA2668311B160FA1E1FD4F7D17971DC6809C379F4DD4ECC223C311062B
    Session-ID-ctx:
    Master-Key: 3A303BE75F6EC705E6FA8CDC8816B8B35D9DC904C75A16200499FFB144202931876550427B646C97BE5986B2B4969CF1
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1353115411
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET /

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://community.citrix.com/">here</a>.</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at ftlxwsforums02.dmz.citrite.net Port 8190</address>
</body></html>
closed

I played around a bit with the default CA cipher list, but no success with that. My final solution was to implement a rule as follows:

Criteria: URL.Host matches forums.citrix.com, Action: Continue, Events: Set URL.Host="community.citrix.com"

As an aside (which has no bearing on your original issue), the default cipher list in MWG is set to:

ALL:!ADH:+RC4:@STRENGTH

Excerpted from http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT

If ! is used then the ciphers are permanently deleted from the list.

If - is used then the ciphers are deleted from the list, but can be re-added.

If + is used then the ciphers are moved to the end of the list.

This can be interpreted as follows:

ALL -- all cipher suites except the eNULL ciphers which must be explicitly enabled; as of OpenSSL, the ALL cipher suites are reasonably ordered by default

!ADH -- disallow ADH

+RC4 -- move RC4 to the end of the list

@STRENGTH -- sort the list according to strength.

This last value negates the previous +RC4 statement. @STRENGTH can be utilized at any point during the series of commands so +RC4:@STRENGTH is equivalent to @STRENGTH. If you really want to push RC4 to the end of the list, ALL:!ADH:@STRENGTH:+RC4 is what should be used.

You can use openssl to evaluate the ciphers:

MWG default:

openssl ciphers -v 'ALL:!ADH:+RC4:@STRENGTH'

With all RC4 actually at the end:

openssl ciphers -v 'ALL:!ADH:@STRENGTH:+RC4'

on 11/16/12 10:05:29 PM CST
alojzyk

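The s_client transcripts above are read by hand: the `write:errno=104` line, the `Cipher` line under `SSL-Session:` and the certificate depths are several screens apart, and it is easy to miss that the reset happens right after an export-grade suite is chosen. As an added example that is not part of the original post (and not McAfee or OpenSSL code), the following Python pulls the chain, the errno, the negotiated protocol and cipher, and the verify result out of such a transcript and flags suites whose name marks them as weak. The two transcripts it runs on are constructed to mirror what btlyric posted, the errno table uses Linux numbering (hence 104), and the weak-suite markers are a name-based heuristic, not OpenSSL's own classification.

```python
"""Parse `openssl s_client` transcripts and say what the handshake did.

Added example; not from the forum post and not OpenSSL or MWG code.
"""
import errno
import re

# Constructed transcript: handshake reset after EXP-RC2-CBC-MD5 is chosen
# (mirrors the post's `openssl s_client ... -prexit` output).
RESET_TRANSCRIPT = """\
CONNECTED(00000003)
depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify return:1
depth=1 /O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA
verify return:1
depth=0 /C=US/ST=FL/L=Fort Lauderdale/O=Citrix Systems Inc./OU=IT/CN=*.citrix.com
verify return:1
write:errno=104
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC2-CBC-MD5
"""

# Constructed transcript: the same host with `-cipher HIGH`, which completes.
OK_TRANSCRIPT = """\
CONNECTED(00000003)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Verify return code: 0 (ok)
"""

# errno numbers as OpenSSL prints them on Linux (the post's 104). Other
# platforms number these differently, so the local errno module is only a fallback.
LINUX_ERRNO = {32: "EPIPE", 104: "ECONNRESET", 110: "ETIMEDOUT", 111: "ECONNREFUSED"}

# Name fragments marking export-grade, unauthenticated or broken-primitive
# suites. Heuristic on the OpenSSL suite name only (assumption).
WEAK_MARKERS = ("EXP-", "NULL", "ADH", "AECDH", "RC4", "RC2", "DES-CBC-", "-MD5")

_ERRNO_RE = re.compile(r"^(read|write):errno=(\d+)\s*$", re.M)
_FIELD_RE = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)", re.M)
_VERIFY_RE = re.compile(r"^\s*Verify return code:\s*(\d+)", re.M)
_DEPTH_RE = re.compile(r"^depth=(\d+) (.+)$", re.M)


def is_weak_cipher(name):
    """True if the suite name carries any of the weak markers."""
    return any(marker in name for marker in WEAK_MARKERS)


def diagnose(transcript):
    """Extract chain, errno, protocol, cipher and verify result; add a verdict."""
    result = {"chain": [], "errno": None, "errno_name": None, "protocol": None,
              "cipher": None, "weak_cipher": False, "verify_code": None,
              "verdict": "handshake completed"}
    for depth, subject in _DEPTH_RE.findall(transcript):
        result["chain"].append((int(depth), subject))   # depth 0 is the leaf
    m = _ERRNO_RE.search(transcript)
    if m:
        num = int(m.group(2))
        result["errno"] = num
        result["errno_name"] = LINUX_ERRNO.get(num) or errno.errorcode.get(num, "errno %d" % num)
    for field, value in _FIELD_RE.findall(transcript):
        result[field.lower()] = value
    m = _VERIFY_RE.search(transcript)
    if m:
        result["verify_code"] = int(m.group(1))
    if result["cipher"]:
        result["weak_cipher"] = is_weak_cipher(result["cipher"])

    if result["errno"] is not None:
        verdict = "failed: %s" % result["errno_name"]
        if result["weak_cipher"]:
            verdict += " after negotiating weak cipher %s; retry with -cipher HIGH" % result["cipher"]
        result["verdict"] = verdict
    elif result["verify_code"] not in (None, 0):
        result["verdict"] = "handshake completed but verify failed (code %d)" % result["verify_code"]
    elif result["weak_cipher"]:
        result["verdict"] = "handshake completed with weak cipher %s" % result["cipher"]
    return result


if __name__ == "__main__":
    for name, text in (("default", RESET_TRANSCRIPT), ("-cipher HIGH", OK_TRANSCRIPT)):
        d = diagnose(text)
        print("%-13s %-5s %-16s %s" % (name, d["protocol"], d["cipher"], d["verdict"]))
```

Feed it real output with `openssl s_client -connect host:443 -prexit 2>&1 | python3 diagnose.py` after replacing the sample strings with `sys.stdin.read()`; the `-prexit` flag matters because without it s_client prints no `SSL-Session:` block when the connection dies before the handshake completes.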
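The cipher-list discussion above (`ALL:!ADH:+RC4:@STRENGTH` versus `ALL:!ADH:@STRENGTH:+RC4`) is worth seeing step by step, and `openssl ciphers -v` is no longer a reliable way to see it: current OpenSSL builds leave RC4 and export suites out of the table, so the RC4 words match nothing. As an added example that is not part of the original post and is not OpenSSL's code, the following Python is a simplified model of the ciphers(1) rule language (`!`, `-`, `+`, `@STRENGTH`, `ALL`, `A+B` conjunctions) run over a small constructed suite table. The table, its order and the alias tags are assumptions chosen to cover the suites the post mentions; the real table is far longer and OpenSSL iterates its internal list slightly differently, but the operator semantics shown here are the documented ones.

```python
"""Model of OpenSSL cipher-list evaluation over a constructed suite table.

Added example; not OpenSSL's implementation and not from the forum post.
"""
from collections import namedtuple

Cipher = namedtuple("Cipher", "name bits tags")

# Constructed subset of the suite table: key bits and the ciphers(1) aliases
# that match each suite. The order stands in for the default order that
# "ALL" yields in a real build (an assumption for this example).
TABLE = [
    Cipher("ADH-AES256-SHA",  256, {"ADH", "aNULL", "AES", "SHA", "HIGH"}),
    Cipher("AES256-SHA",      256, {"RSA", "AES", "SHA", "HIGH"}),
    Cipher("DES-CBC3-SHA",    168, {"RSA", "3DES", "SHA", "HIGH"}),
    Cipher("AES128-SHA",      128, {"RSA", "AES", "SHA", "HIGH"}),
    Cipher("RC4-SHA",         128, {"RSA", "RC4", "SHA", "MEDIUM"}),
    Cipher("RC4-MD5",         128, {"RSA", "RC4", "MD5", "MEDIUM"}),
    Cipher("ADH-RC4-MD5",     128, {"ADH", "aNULL", "RC4", "MD5", "MEDIUM"}),
    Cipher("EXP-RC4-MD5",      40, {"RSA", "RC4", "MD5", "EXP"}),
    Cipher("EXP-RC2-CBC-MD5",  40, {"RSA", "RC2", "MD5", "EXP"}),
    Cipher("NULL-MD5",          0, {"RSA", "eNULL", "MD5"}),
]

STRENGTH_SORT = "@STRENGTH"


def _matches(cipher, word):
    """'RC4' matches by alias or exact name; 'RSA+RC4' requires every part."""
    return all(p == cipher.name or p in cipher.tags for p in word.split("+"))


def cipher_list(spec):
    """Evaluate an OpenSSL-style cipher string; return suite names in order.

    Rules as documented in ciphers(1): a bare word appends matching suites
    not yet selected; '!' deletes them permanently; '-' deletes them but a
    later word may re-add them; '+' moves already-selected matches to the
    end; '@STRENGTH' sorts the selection by key bits, highest first, keeping
    the relative order of equal-strength suites (a stable sort).
    """
    active = []        # ordered selection so far
    killed = set()     # names removed with '!' (never come back)
    for word in spec.split(":"):
        if not word:
            continue
        if word == STRENGTH_SORT:
            active.sort(key=lambda c: c.bits, reverse=True)  # stable
            continue
        if word.startswith("@"):
            raise ValueError("unsupported directive %s" % word)
        op, body = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        if body == "ALL":   # everything except the NULL-encryption suites
            hits = [c for c in TABLE if "eNULL" not in c.tags]
        else:
            hits = [c for c in TABLE if _matches(c, body)]
        if op == "!":
            killed.update(c.name for c in hits)
            active = [c for c in active if c.name not in killed]
        elif op == "-":
            active = [c for c in active if c not in hits]
        elif op == "+":
            moved = [c for c in active if c in hits]
            active = [c for c in active if c not in hits] + moved
        else:
            active += [c for c in hits if c not in active and c.name not in killed]
    return [c.name for c in active]


def rc4_is_last(spec):
    """True when every RC4 suite sits after every non-RC4 suite."""
    names = cipher_list(spec)
    non_rc4 = [i for i, n in enumerate(names) if "RC4" not in n]
    rc4 = [i for i, n in enumerate(names) if "RC4" in n]
    return bool(rc4) and max(non_rc4, default=-1) < min(rc4)


if __name__ == "__main__":
    for spec in ("ALL:!ADH:+RC4:@STRENGTH", "ALL:!ADH:@STRENGTH:+RC4"):
        print("%-26s RC4 last: %-5s %s" % (spec, rc4_is_last(spec), cipher_list(spec)))
```

On this table the MWG default string leaves `RC4-SHA` and `RC4-MD5` ahead of the 40-bit export suites, because `@STRENGTH` re-sorts by key bits after `+RC4` has moved them; putting `+RC4` last keeps them at the tail. The `-RC4:RC4` versus `!RC4:RC4` pair in the test shows the difference between the two delete operators.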

Re: The SSL handshake could not be performed

Thank you very much. It explained a lot to me. I will try playing around with ciphers.

kubaros

Re: The SSL handshake could not be performed

This error sometimes occurs when you search on google.com in an https session. If you try the link again, you can clear the error and successfully connect to the page. I couldn't figure out how to solve this.