Level 7

The SSL handshake could not be performed

Dear all,

On several sites I'm receiving the error "The SSL handshake could not be performed" followed by zeros in the reason. I cannot find anything in the logs of the Web Gateway related to this. I tried to open one of the sites bypassing the MWG and it worked fine (however, one browser said "SSL negotiation failed"). Personally I have no clue how to solve this issue. Have any of you come across this issue?

0 Kudos
6 Replies
Level 13

Re: The SSL handshake could not be performed

Can you mention the sites so people that use MWG can try to replicate your problem?

0 Kudos
Level 7

Re: The SSL handshake could not be performed

0 Kudos
Level 7

Re: The SSL handshake could not be performed

I can confirm we are seeing the same thing here.  MWG 7.3

0 Kudos
Level 12

Re: The SSL handshake could not be performed

In the case of, if you aren't behind a proxy, you get a 301 Moved Permanently response that sends you to

Looking at some openssl conns:

openssl s_client -connect

depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify return:1
depth=1 /O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA
verify return:1
depth=0 /C=US/ST=FL/L=Fort Lauderdale/O=Citrix Systems Inc./OU=IT/CN=*
verify return:1

errno=104 is ECONNRESET which means that the remote side reset the connection.

Using the -prexit option supplies more info (snipped for brevity):

openssl s_client -connect -prexit

    Protocol  : TLSv1
    Cipher    : EXP-RC2-CBC-MD5

This is a weak cipher. See for a more detailed analysis of the ciphers being used by that site.

When HIGH, MEDIUM or LOW ciphers are specified, the openssl connection succeeds and will return a 301 Moved Permanently message:

openssl s_client -connect -cipher HIGH

    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: B5B568CA2668311B160FA1E1FD4F7D17971DC6809C379F4DD4ECC223C311062B
    Master-Key: 3A303BE75F6EC705E6FA8CDC8816B8B35D9DC904C75A16200499FFB144202931876550427B646C97BE5986B2B4969CF1
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1353115411
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

<title>301 Moved Permanently</title>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="">here</a>.</p>
<address>Apache/2.2.3 (Red Hat) Server at Port 8190</address>



I played around a bit with the default CA cipher list, but no success with that. My final solution was to implement a rule as follows:

Criteria: URL.Host matches, Action: Continue, Events: Set URL.Host=""

As an aside (which has no bearing on your original issue), the default cipher list in MWG is set to:


Excerpted from

If ! is used then the ciphers are permanently deleted from the list.

If - is used then the ciphers are deleted from the list, but can be re-added.

If + is used then the ciphers are moved to the end of the list.

This can be interpreted as follows:

ALL -- all cipher suites except the eNULL ciphers which must be explicitly enabled; as of OpenSSL, the ALL cipher suites are reasonably ordered by default

!ADH -- disallow ADH

+RC4 -- move RC4 to the end of the list

@STRENGTH -- sort the list according to strength.

This last value negates the previous +RC4 statement. @STRENGTH can be utilized at any point during the series of commands so +RC4:@STRENGTH is equivalent to @STRENGTH. If you really want to push RC4 to the end of the list, ALL:!ADH:@STRENGTH:+RC4 is what should be used.

You can use openssl to evaluate the ciphers:

MWG default:

openssl ciphers -v 'ALL:!ADH:+RC4:@STRENGTH'

With all RC4 actually at the end:

openssl ciphers -v 'ALL:!ADH:@STRENGTH:+RC4'

on 11/16/12 10:05:29 PM CST
0 Kudos
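The cipher-string ordering argument in the reply above (why +RC4 placed before @STRENGTH does not leave RC4 at the end, and how ! differs from -), worked through in a small model added here. This is not OpenSSL's code or anything from the thread: it is a toy evaluator over a constructed sample of suites (names and bit counts in the form `openssl ciphers -v` prints them), and only the words ALL, eNULL, ADH and RC4 are modelled.

```python
# Toy model of OpenSSL cipher-string evaluation (constructed example, not
# OpenSSL's implementation). SUITES is a hand-picked sample in "default"
# order; "bits" is the strength column that @STRENGTH sorts on.
SUITES = [  # (name, bits) -- constructed sample
    ("DHE-RSA-AES256-SHA", 256), ("AES256-SHA", 256), ("ADH-AES256-SHA", 256),
    ("DHE-RSA-AES128-SHA", 128), ("AES128-SHA", 128), ("RC4-SHA", 128),
    ("RC4-MD5", 128), ("ADH-RC4-MD5", 128), ("DES-CBC3-SHA", 168),
    ("EXP-RC2-CBC-MD5", 40), ("EXP-RC4-MD5", 40), ("NULL-SHA", 0),
]

def matches(suite, word):
    """Which suites a cipher-string word selects (only the words used here)."""
    name, bits = suite
    return {
        "ALL": bits > 0,                 # ALL excludes the eNULL suites
        "eNULL": bits == 0,
        "ADH": name.startswith("ADH-"),  # anonymous DH: no server authentication
        "RC4": "RC4" in name,
    }.get(word, False)

def cipher_list(spec):
    """Evaluate an OpenSSL-style cipher string left to right; return suite names."""
    current, killed = [], set()
    for word in spec.split(":"):
        if word == "@STRENGTH":
            current.sort(key=lambda s: -s[1])  # stable sort: ties keep their order
        elif word.startswith("!"):             # delete permanently
            hit = [s for s in current if matches(s, word[1:])]
            killed.update(s[0] for s in hit)
            current = [s for s in current if s not in hit]
        elif word.startswith("-"):             # delete, but may be re-added later
            current = [s for s in current if not matches(s, word[1:])]
        elif word.startswith("+"):             # move to the end, preserving order
            moved = [s for s in current if matches(s, word[1:])]
            current = [s for s in current if s not in moved] + moved
        else:                                  # add matching suites not yet present
            current += [s for s in SUITES if matches(s, word)
                        and s not in current and s[0] not in killed]
    return [s[0] for s in current]

def rc4_at_end(spec):
    """True when every RC4 suite sits after every non-RC4 suite in the result."""
    order = cipher_list(spec)
    rc4 = [i for i, n in enumerate(order) if "RC4" in n]
    non_rc4 = [i for i, n in enumerate(order) if "RC4" not in n]
    return bool(rc4) and min(rc4) > max(non_rc4)

if __name__ == "__main__":
    for spec in ("ALL:!ADH:+RC4:@STRENGTH", "ALL:!ADH:@STRENGTH:+RC4"):
        print(spec, "-> RC4 last:", rc4_at_end(spec), cipher_list(spec))
```

With the sample table the MWG default leaves RC4-SHA and RC4-MD5 ahead of the 40-bit export suites, while ALL:!ADH:@STRENGTH:+RC4 puts every RC4 suite last.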
Level 7

Re: The SSL handshake could not be performed

Thank you very much. It explained a lot to me. I will try playing around with ciphers.

0 Kudos
Level 9

Re: The SSL handshake could not be performed

This error sometimes occurs when you search in in an https session. If you try the link again, you can clear the error and successfully connect to the page. I couldn't figure out how to solve this.

0 Kudos