KY
Level 8
Message 1 of 5

ssl handshake error - www.charlestonmuseum.org


4 Replies
KY
Level 8
Message 2 of 5

Re: ssl handshake error - www.charlestonmuseum.org


Host: www.charlestonmuseum.org
Reason: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:SSL error at server handshake:state 26:Application response 500 handshakefailed


https://www.ssllabs.com/ssltest/analyze.html?d=www.charlestonmuseum.org

McAfee Employee mkutrieba
McAfee Employee
Message 3 of 5

Re: ssl handshake error - www.charlestonmuseum.org


Hello,

I can reproduce this issue and found the cause and solution.
Cause: the certificate chain contains a SHA1 signature algorithm, which is considered weak:

#4
Subject: The Go Daddy Group, Inc. / Go Daddy Class 2 Certification Authority (in trust store)
Fingerprint SHA256: c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4
Pin SHA256: VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
Valid until: Thu, 29 Jun 2034 17:06:20 UTC (expires in 14 years and 5 months)
Key: RSA 2048 bits (e 3)
Issuer: The Go Daddy Group, Inc. / Go Daddy Class 2 Certification Authority (self-signed)
Signature algorithm: SHA1withRSA (weak, but no impact on root certificate)


Source:
https://www.ssllabs.com/ssltest/analyze.html?d=www.charlestonmuseum.org


When using the rule "Enable Certificate Verification" under "HTTPS Scanning" > "Handle CONNECT Call", an event "Enable SSL Scanner" with "Default Certificate Verification" is used. This contains an option called "Allow legacy signatures in the handshake".
When I enable this, old/unsafe signature algorithms are allowed and the site can be accessed. When I disable the option and delete the cache, I get the block again.


Solution:
Create a NEW setting and use it in a NEW rule placed above the default one. This needs to be limited to the affected websites only, so use criteria like "URL.Host equals/is in list <name>" and then trigger this event with the NEW created setting which allows old/unsafe signature algorithms.

Important: ALL other websites should run in the default rule/setting!
This way you avoid allowing old signature algorithms for all websites.

Example rule set:
Rule 1: Set Client Context; action: Continue; event: Enable SSL Client Context with CA <Default CA>
Rule 2: Enable Certificate Verification for special sites; criteria: URL.Host is in list <list with special websites that use old signature algorithms>; action: Stop rule set; event: Enable SSL Scanner <special setting with option enabled>
Rule 3: Enable Certificate Verification; action: Stop rule set; event: Enable SSL Scanner <Default certificate verification with option disabled>

Regards,
Marcel Kutrieba
Technical Support Engineer

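As an added example (not code from this thread or from McAfee): a small Python model of the three-rule layout described in the accepted answer, with an audit that confirms the legacy-signature setting is reachable only for hosts on the special list and that everything else lands on the default setting. The rule semantics (top-down evaluation, Continue versus Stop rule set), the setting names and the host list are simplified assumptions for illustration, not the gateway's real configuration objects.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

def normalize_host(host: str) -> str:
    """URL.Host criteria compare case-insensitively; drop a trailing dot."""
    return host.lower().rstrip(".")

@dataclass(frozen=True)
class Rule:
    name: str
    hosts: Optional[FrozenSet[str]]  # None = no criteria, the rule always matches
    stop_rule_set: bool              # False = action "Continue"
    events: Dict[str, object] = field(default_factory=dict)  # settings the event applies

def evaluate(rules: List[Rule], host: str) -> Dict[str, object]:
    """Settings applied for one CONNECT to host: rules run top-down, a matching
    rule fires its events, and "Stop rule set" ends evaluation (simplified model)."""
    host = normalize_host(host)
    applied: Dict[str, object] = {}
    for rule in rules:
        if rule.hosts is not None and host not in rule.hosts:
            continue
        applied.update(rule.events)
        if rule.stop_rule_set:
            break
    return applied

# Constructed allow-list standing in for the "special sites" list in the thread.
LEGACY_HOSTS = frozenset({"www.charlestonmuseum.org"})
# The three rules from the accepted answer, in the order given there (hypothetical setting names).
RULES = [
    Rule("Set Client Context", None, False, {"ssl_client_context": "Default CA"}),
    Rule("Enable Certificate Verification for special sites", LEGACY_HOSTS, True,
         {"ssl_scanner": "special", "allow_legacy_signatures": True}),
    Rule("Enable Certificate Verification", None, True,
         {"ssl_scanner": "default", "allow_legacy_signatures": False}),
]

def audit(rules: List[Rule], legacy_hosts: FrozenSet[str], sample_hosts: List[str]) -> List[str]:
    """Confirm the exception is scoped: listed hosts get legacy signatures, every
    other host lands on the default setting. Returns a list of problems found."""
    problems = []
    for h in sample_hosts:
        got = evaluate(rules, h).get("allow_legacy_signatures")
        want = normalize_host(h) in legacy_hosts
        if got is None:
            problems.append(f"{h}: no certificate-verification rule matched")
        elif got != want:
            problems.append(f"{h}: allow_legacy_signatures={got}, expected {want}")
    return problems
```

Running `audit` against a swapped order (default rule above the special one) reports the listed host as never receiving the exception, which is the misconfiguration the "placed above the default one" instruction guards against.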

KY
Level 8
Message 4 of 5

Re: ssl handshake error - www.charlestonmuseum.org


Thank you. That helps, because I did not want to enable legacy certs and ciphers.

McAfee Employee mkutrieba
McAfee Employee
Message 5 of 5

Re: ssl handshake error - www.charlestonmuseum.org


I understand and that's correct.

The above-mentioned method is the common way to achieve this (use an extra setting with URL.Host criteria or anything similar).

Thanks for marking this post as resolved through accepting my answer as solution!

Regards,
Marcel Kutrieba
Technical Support Engineer