back_ache
Level 7

The SSL handshake could not be performed

We are the vendor of a Software as a Service (SaaS).

One of our client's customers cannot access our SSL-encrypted webpage and receives the error "The SSL handshake could not be performed" from their gateway.

They have worked around it by getting out their mobile and using that instead to access us, but of course I would like to remedy any worries the gateway may have.

I have googled about but cannot find any recent posts on the subject. Our client's customer thinks it may be to do with the new POODLE vulnerabilities found yesterday (8th Dec 14). To that end I tested our URL with the following sites (one McAfee and one independent) and got a clean bill of health. What else should I be checking? (In the light of SHA-2 we are using reissued certificates and have disabled SSL3.)

Qualys SSL Labs - Projects / SSL Server Test

SSL Certificate Checker - Check for vulnerabilities like HeartBleed

0 Kudos
4 Replies
mbagheryan
Level 12

Re: The SSL handshake could not be performed

I can suggest that you fetch your site in SSL Scanner. I cannot say that it is the best way to solve the problem you have, but it works.

0 Kudos
back_ache
Level 7

Re: The SSL handshake could not be performed

SSL Scanner is a new tool to me. There doesn't seem to be anything obvious, except that at the bottom it says:

Verify Certificate:

   unable to get local issuer certificate

0 Kudos
mbagheryan
Level 12

Re: The SSL handshake could not be performed

ssl.JPG

0 Kudos
asabban
Level 17

Re: The SSL handshake could not be performed

Hello,

The exception mentioned above should work if MWG is not happy with the certificate provided by the server. However, "SSL Handshake Failed" is a failure that can happen before the checks for the certificate take place. In SSL Scanner -> Handle CONNECT Request you will find a rule "Tunneled Hosts". If you specify the host where your site is hosted in this list, MWG will not try to intercept the connection, so that client and server basically perform the handshake directly. Otherwise the client will talk to MWG and MWG will make an independent SSL handshake with the server.

Maybe this would be a good approach to prevent MWG from touching anything.

Best,

Andre
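
The distinction drawn in the last reply, between a handshake that fails outright and one that fails only at the certificate checks (for example with "unable to get local issuer certificate"), can be checked from any client with the sketch below. It is an added example, not part of the thread and not McAfee tooling; the function names and the hostname `saas.example.com` are placeholders.

```python
import socket
import ssl


def _attempt(ctx, host, port, timeout):
    """One connection attempt; returns (stage, detail)."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", str(exc))  # never reached the TLS layer
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
        except ssl.SSLCertVerificationError as exc:
            # Negotiation worked; the chain or hostname check rejected the
            # certificate, e.g. "unable to get local issuer certificate".
            return ("certificate", exc.verify_message)
        except OSError as exc:
            # Protocol/cipher mismatch, alert, reset or timeout mid-handshake.
            return ("handshake", str(exc))


def probe(host, port=443, timeout=5.0):
    """Report the first stage that fails: tcp, handshake or certificate."""
    # Pass 1: certificate checks switched off (diagnosis only, never for real
    # traffic) so that only protocol and cipher negotiation is exercised.
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    stage, detail = _attempt(lax, host, port, timeout)
    if stage != "ok":
        return (stage, detail)
    # Pass 2: default trust store and hostname checking, as a normal client
    # would apply them.
    return _attempt(ssl.create_default_context(), host, port, timeout)


if __name__ == "__main__":
    print(probe("saas.example.com"))  # placeholder hostname (assumption)
```

The result reflects the TLS stack and trust store of the machine it runs on, so a gateway with different protocol settings or CA list can still disagree with it.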