stifi
Level 7

error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure on access to https://surveymonkey.com/


Hi there

We noticed an SSL handshake error when accessing the URL https://surveymonkey.com (the detailed error message is "error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure"). Taking a deeper look at the SSL handshake using tcpdump, we determined that the webserver on https://surveymonkey.com seems not to be willing to accept any of the ciphers offered by our webwasher (version is 7.5.1, openssl version is 1.0.1j-fips).

Running an ssh handshake from the command line using the command "openssl s_client -connect surveymonkey.com:443 -tls1_2" fails as you would expect. Running the same command from another system using openssl 1.0.1f succeeds, this is the cipher which is offered from the webserver:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Unfortunately this is not in the list of the supported ciphers on the webwasher. From my understanding, the openssl version running on our webwasher is not capable of offering that cipher. That means that we are also not able to enlarge the actual Server cipher list on the webwasher, which is "ALL:!ADH:+RC4:@STRENGTH".

So how to securely allow access to that website?

Thanks for any hints, Stefan

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure on access to https://surveymonkey.com/


Hi Stefan,

I can get there from my MWG running 7.6.1, but I imagine it works on 7.5.2 as well. 7.5.2 is when we added support for elliptic curve ciphers.

Have you configured your MWG to protect against POODLE? If MWG is offering SSLv3 some servers will reject the handshake outright:

Best Regards,

Jon

0 Kudos
4 Replies
stifi
Level 7

Re: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure on access to https://surveymonkey.com/


Hi Jon

Many thanks for your reply. I understand that the web gateway from version 7.5.2 onward provides another openssl version and therefore also enlarged support for strong(er) ciphers. Could you provide me the output of "openssl version" on the 7.6.1 system? We scheduled an upgrade to the latest version later this year.

Yes, we protected our ww against the poodle attack. SSLv3 is definitely over ...

Bye, Stefan

0 Kudos
McAfee Employee

Re: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure on access to https://surveymonkey.com/


Hi Stefan!

Here is the version info:

OpenSSL 1.0.1q-fips 3 Dec 2015

For reference, 7.5.1 is a controlled release that is OK to run for a little while, but it's assumed that you upgrade to the main release once it comes out. Maybe you know this, maybe you don't; here is the obligatory upgrade guide:

https://community.mcafee.com/docs/DOC-5036

Best Regards,

Jon

0 Kudos
stifi
Level 7

Re: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure on access to https://surveymonkey.com/


Jon, we scheduled an update to 7.5.2 for January this year. After I had gone through the release notes I had to recognize that there are no improvements which would affect us in any way ... so I decided to reschedule the upgrade for later on this year. If I had known about the added support for ECC I would have done the update ... did not read anything in the notes as far as I can remember.

However, many thanks for your support.

Bye, Stefan

0 Kudos
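Added example, not part of the thread and not McAfee's code: a Python check of whether the OpenSSL build that Python is linked against, given the cipher string quoted in the first post, can offer TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 at all. The function names are hypothetical, and the `!kEECDH` string is a constructed stand-in for a build without elliptic-curve key exchange; it is not a setting from the gateway.

```python
import ssl

# IANA code point of TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is 0xC0,0x30.
TARGET_ID = 0xC030
# Cipher string quoted in the first post.
GATEWAY_CIPHERS = "ALL:!ADH:+RC4:@STRENGTH"
# Constructed variant: same string with ECDHE key exchange removed, to mimic
# a TLS stack that has no elliptic-curve suites to offer (assumption).
NO_EC_CIPHERS = "ALL:!ADH:!kEECDH:+RC4:@STRENGTH"


def expand(cipher_string):
    """Return the suites the local OpenSSL build enables for cipher_string.

    An empty list means the string selected nothing (set_ciphers raised).
    TLS 1.3 suites are always listed; the string only filters TLS <= 1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def offers(cipher_string, suite_id=TARGET_ID):
    """True if the expanded list contains the suite with this code point."""
    # OpenSSL reports ids as 0x0300XXXX; the low 16 bits are the IANA value.
    return any(c["id"] & 0xFFFF == suite_id for c in expand(cipher_string))


def diagnose(cipher_string):
    """One-line verdict for a cipher string against the target suite."""
    suites = expand(cipher_string)
    if not suites:
        return f"{cipher_string!r}: selects no cipher on this build"
    verdict = "can" if offers(cipher_string) else "cannot"
    return (f"{cipher_string!r}: {len(suites)} suites, "
            f"{verdict} offer code point 0x{TARGET_ID:04X}")


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for s in (GATEWAY_CIPHERS, NO_EC_CIPHERS):
        print(diagnose(s))
```

Matching on the code point rather than the name avoids the mismatch between the IANA name shown in the post and OpenSSL's own name for the same suite (ECDHE-RSA-AES256-GCM-SHA384).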