We recognized an SSL handshake error on accessing the URL https://surveymonkey.com (detailed error message is "error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure"). Having a deeper look at the SSL handshake using tcpdump, we determined that the webserver on https://surveymonkey.com seems not to be willing to accept any of the ciphers offered by our webwasher (version is 7.5.1, openssl version is 1.0.1j-fips).
Running an SSL handshake from the command line using the command "openssl s_client -connect surveymonkey.com:443 -tls1_2" fails as you would expect. Running the same command from another system using openssl 1.0.1f succeeds; this is the cipher which is offered by the webserver:
Unfortunately this is not in the list of the supported ciphers on the webwasher. From my understanding the openssl version running on our webwasher is not capable of offering that cipher. That means that we are also not able to enlarge the actual Server cipher list on the webwasher, which is "ALL:!ADH:+RC4:@STRENGTH".
So how to securely allow access to that website?
Thanks for any hints, Stefan
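The failure described above is a cipher-suite overlap problem: the server walks its own preference list and picks the first suite the client also offered, and when there is no overlap OpenSSL reports exactly the "sslv3 alert handshake failure" seen here. The following script is an added example (not part of the thread and not Web Gateway code) that mimics that selection and, separately, expands the quoted cipher string "ALL:!ADH:+RC4:@STRENGTH" with the local OpenSSL to show which suites it would actually offer. The cipher lists in it are constructed for illustration; the thread does not give the server's real list, and the assumption that the missing suite is an ECDHE one follows only from the later mention of ECC support.

```python
"""Cipher-suite overlap diagnostics for a TLS 'alert handshake failure'.

Added example, not from the forum thread or the Web Gateway product.
The client/server lists below are constructed; real lists differ.
"""
import ssl

# Cipher string quoted in the thread (Web Gateway "Server cipher list").
WEBWASHER_CIPHER_STRING = "ALL:!ADH:+RC4:@STRENGTH"


def local_cipher_names(cipher_string):
    """Expand an OpenSSL cipher string with the *local* OpenSSL build and
    return the suite names it would actually offer (what s_client sends).
    A string that looks permissive can still lack whole families, e.g.
    ECDHE on a build compiled without EC support."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def offers_ecdhe(cipher_names):
    """True if any offered suite uses ECDHE key exchange (requires EC support)."""
    return any(name.startswith("ECDHE-") for name in cipher_names)


def negotiate(client_offer, server_prefs):
    """Server-preference cipher selection: first suite in the server's
    preference order that the client also offered. Returns None when there is
    no overlap, which is the case that produces alert 40 (handshake_failure)."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def diagnose(client_offer, server_prefs):
    """Human-readable verdict for a client/server cipher pairing."""
    chosen = negotiate(client_offer, server_prefs)
    if chosen is None:
        return "handshake failure: no common cipher suite (server sends alert 40)"
    return "negotiated " + chosen


# Constructed lists (assumptions, not from the thread):
#  - an OpenSSL 1.0.1 client built without EC support: RSA key exchange only
#  - the same client with EC support: ECDHE suites present
#  - a server that only accepts ECDHE suites, in its preference order
OLD_CLIENT_NO_ECC = ["AES256-SHA256", "AES256-SHA", "AES128-SHA256", "AES128-SHA", "RC4-SHA"]
CLIENT_WITH_ECC = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"]
ECDHE_ONLY_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                     "ECDHE-RSA-AES128-SHA"]

if __name__ == "__main__":
    print("client without ECC:", diagnose(OLD_CLIENT_NO_ECC, ECDHE_ONLY_SERVER))
    print("client with ECC:   ", diagnose(CLIENT_WITH_ECC, ECDHE_ONLY_SERVER))
    local = local_cipher_names(WEBWASHER_CIPHER_STRING)
    print("local %s expands %r to %d suites, ECDHE offered: %s"
          % (ssl.OPENSSL_VERSION, WEBWASHER_CIPHER_STRING, len(local), offers_ecdhe(local)))
```

Running this on the affected proxy host (or any host with the same OpenSSL build) with the proxy's cipher string shows directly whether ECDHE suites are even available to offer; if `offers_ecdhe` is False, no edit to the cipher string can fix the mismatch and only a newer OpenSSL build will.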
Many thanks for your reply. I understand that the web gateway from version 7.5.2 onward provides another openssl version and therefore also enlarged support for strong(er) ciphers. Could you provide me the output of "openssl version" on the 7.6.1 system? We scheduled an upgrade to the latest version later this year.
Yes, we protected our ww against the poodle attack. SSLv3 is definitely over ...
Here is the version info:
OpenSSL 1.0.1q-fips 3 Dec 2015
For reference, 7.5.1 is a controlled release that is ok to run for a little while, but it's assumed that you upgrade to the main release once it comes out. Maybe you know this, maybe you don't; here is the obligatory upgrade guide:
Jon, we scheduled an update to 7.5.2 for January this year. After I had gone through the release notes I had to recognize that there are no improvements which would affect us in any kind ... so I decided to reschedule the upgrade for later on this year. If I had known about the added support for ECC I would have done the update ... did not read anything in the notes as far as I can remember.
However, many thanks for your support.