      MWG cannot establish an SSL handshake with https://www.web.statistik.zh.ch:8443/ and I cannot find out why. It returns 1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.

      It works for openssl and curl from the MWG command line and also directly from browsers. The server uses TLS1.2 with a decent cipher.


      Is this some missing capability of MWG?


      Regards, Othmar

          I've mentioned this in other posts; there are now many sites that will reject clients allowing weak SSL settings--regardless of what stronger settings you allow.  SSL v3 is a common one to be rejected, but there are others.


          I suggest setting up a rule that uses different SSL settings for destinations like this.


          I highly recommend Qualys SSL Labs Server Test, and they give the destination you mentioned a grade of 'C': SSL Server Test: www.web.statistik.zh.ch (Powered by Qualys SSL Labs)


          The summary from that test states:

          This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

          This server does not mitigate the CRIME attack. Grade capped to C.

          The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.

          The server does not support Forward Secrecy with the reference browsers.


          And, given the cipher suites listed in that test, I recommend these cipher settings: HIGH:SSLv3:!SEED:!IDEA:!aNULL:!eNULL:!ADH:!CAMELLIA:!PSK:!RC4:!MD5:-ECDH:ECDHE:-DH:-kEDH:DHE:@STRENGTH:+RSA


          Note that this includes SHA1 and 3DES, which are not recommended, but that site can't do better.


          Other settings may also be needed.


          You'll find more detail here: sslv3 errors


          EDIT: Eeek!  Just realized SSL Labs Server Test won't do ports other than 443.  So, we'd be guessing that the test results would be the same--however likely.

            I found the problem. I realized that this server runs two different websites on the same name and IP. The standard one on 443 only supports weak ciphers, and I overlooked that we had this one already in our special rule for weak ciphers (by name). Now the website on port 8443 requires strong SSL settings and therefore refuses to talk with the weak ciphers we offer for that server.

            I guess I have to set up a special rule for this case. Too bad they don't have a consistent setup on their server.
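
            The name-only rule described in this post, and the name-plus-port fix it calls for, modelled as an added example (not part of the thread or of MWG): `select_profile` shows why a rule keyed on the hostname alone drags the weak-cipher profile onto port 8443, `build_context` turns a profile into an `ssl.SSLContext` using the cipher string recommended earlier in the thread, and `probe` performs the live handshake check. The rule/profile names, `STRONG_CIPHERS` and the probe function are assumptions.

```python
"""Per-destination TLS policy selection, constructed to mirror the MWG rule in the thread."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Cipher string recommended in the thread for the weak port-443 site (includes SHA1 and 3DES).
LEGACY_CIPHERS = ("HIGH:SSLv3:!SEED:!IDEA:!aNULL:!eNULL:!ADH:!CAMELLIA:!PSK:!RC4:!MD5:"
                  "-ECDH:ECDHE:-DH:-kEDH:DHE:@STRENGTH:+RSA")
# Assumed profile for servers that insist on modern settings (constructed, not from the thread).
STRONG_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL"

@dataclass
class Rule:
    host: str
    port: Optional[int]  # None = any port: this is the mistake described in the thread
    profile: str

def select_profile(host: str, port: int, rules: list, default: str = "strong") -> str:
    """First rule whose host matches and whose port is None or equal wins."""
    for r in rules:
        if r.host == host and (r.port is None or r.port == port):
            return r.profile
    return default

def build_context(profile: str) -> ssl.SSLContext:
    """Map a profile name to client TLS settings; the legacy profile only changes the cipher list."""
    ctx = ssl.create_default_context()
    if profile == "legacy":
        ctx.set_ciphers(LEGACY_CIPHERS)
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(STRONG_CIPHERS)
    return ctx

def probe(host: str, port: int, profile: str, timeout: float = 5.0) -> str:
    """Live handshake with the chosen profile (needs network); returns TLS version or error text."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with build_context(profile).wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError) as exc:
        return f"FAILED: {exc}"

HOST = "www.web.statistik.zh.ch"
NAME_ONLY = [Rule(HOST, None, "legacy")]     # the rule as it was: matches 443 and 8443
NAME_AND_PORT = [Rule(HOST, 443, "legacy")]  # the fix: 8443 falls through to the default

if __name__ == "__main__":
    for label, rules in (("name only", NAME_ONLY), ("name+port", NAME_AND_PORT)):
        for port in (443, 8443):
            profile = select_profile(HOST, port, rules)
            print(f"{label:10} :{port} -> {profile:7} {probe(HOST, port, profile)}")
```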

              I've done plenty of research on this.  It's amazing how much inconsistency there is.  Yet, security is a moving target, and it had been difficult to find authoritative answers on what would be a good configuration.  Tip of the hat to Qualys SSL Labs.