6 Replies Latest reply: Mar 6, 2014 6:10 AM by kubaros

    The SSL handshake could not be performed


      Dear all,


      On several sites I'm receiving the error "The SSL handshake could not be performed" followed by zeros in the reason. I cannot find anything in the logs of the Web Gateway related to this. I tried to open one of the sites bypassing the MWG and it worked fine (however, one browser said "SSL negotiation failed"). Personally I have no clue how to solve this issue. Have any of you come across this issue?

        • 1. Re: The SSL handshake could not be performed

          Can you mention the sites so people that use MWG can try to replicate your problem?

          • 3. Re: The SSL handshake could not be performed

            I can confirm we are seeing the same thing here. MWG 7.3

            • 4. Re: The SSL handshake could not be performed

              In the case of https://forums.citrix.com, if you aren't behind a proxy, you get a 301 Moved Permanently response that sends you to http://community.citrix.com.


              Looking at some openssl conns:


              openssl s_client -connect forums.citrix.com:443


              depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
              verify return:1
              depth=1 /O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA
              verify return:1
              depth=0 /C=US/ST=FL/L=Fort Lauderdale/O=Citrix Systems Inc./OU=IT/CN=*.citrix.com
              verify return:1



              errno=104 is ECONNRESET which means that the remote side reset the connection.


              Using the -prexit option supplies more info (snipped for brevity):


              openssl s_client -connect forums.citrix.com:443 -prexit





                  Protocol  : TLSv1
                  Cipher    : EXP-RC2-CBC-MD5


              This is a weak cipher. See https://www.ssllabs.com/ssltest/analyze.html?d=forums.citrix.com for a more detailed analysis of the ciphers being used by that site.


              When HIGH, MEDIUM or LOW ciphers are specified, the openssl connection succeeds and will return a 301 Moved Permanently message:


              openssl s_client -connect forums.citrix.com:443 -cipher HIGH



                  Protocol  : TLSv1
                  Cipher    : AES128-SHA
                  Session-ID: B5B568CA2668311B160FA1E1FD4F7D17971DC6809C379F4DD4ECC223C311062B
                  Master-Key: 3A303BE75F6EC705E6FA8CDC8816B8B35D9DC904C75A16200499FFB144202931876550427B646C97BE5986B2B4969CF1
                  Key-Arg   : None
                  Krb5 Principal: None
                  Start Time: 1353115411
                  Timeout   : 300 (sec)
                  Verify return code: 0 (ok)


              GET /
              <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
              <title>301 Moved Permanently</title>
              <h1>Moved Permanently</h1>
              <p>The document has moved <a href="http://community.citrix.com/">here</a>.</p>
              <address>Apache/2.2.3 (Red Hat) Server at ftlxwsforums02.dmz.citrite.net Port 8190</address>




              I played around a bit with the default CA cipher list, but no success with that. My final solution was to implement a rule as follows:


              Criteria: URL.Host matches forums.citrix.com, Action: Continue, Events: Set URL.Host="community.citrix.com"


              As an aside (which has no bearing on your original issue), the default cipher list in MWG is set to:

              ALL:!ADH:+RC4:@STRENGTH


              Excerpted from http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT


              If ! is used then the ciphers are permanently deleted from the list.

              If - is used then the ciphers are deleted from the list, but can be re-added.

              If + is used then the ciphers are moved to the end of the list.


              This can be interpreted as follows:


              ALL -- all cipher suites except the eNULL ciphers which must be explicitly enabled; as of OpenSSL, the ALL cipher suites are reasonably ordered by default


              !ADH -- disallow ADH


              +RC4 -- move RC4 to the end of the list


              @STRENGTH -- sort the list according to strength.


              This last value negates the previous +RC4 statement. @STRENGTH can be utilized at any point during the series of commands so +RC4:@STRENGTH is equivalent to @STRENGTH. If you really want to push RC4 to the end of the list, ALL:!ADH:@STRENGTH:+RC4 is what should be used.


              You can use openssl to evaluate the ciphers:


              MWG default:


              openssl ciphers -v 'ALL:!ADH:+RC4:@STRENGTH'


              With all RC4 actually at the end:


              openssl ciphers -v 'ALL:!ADH:@STRENGTH:+RC4'


              on 11/16/12 10:05:29 PM CST
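              To make the ordering effect described above concrete, here is an added example (not MWG or OpenSSL code) that interprets the subset of OpenSSL cipher-list syntax the post explains (ALL, !, -, +, @STRENGTH) over a small constructed suite table, so you can see why +RC4:@STRENGTH leaves weaker suites after RC4 while @STRENGTH:+RC4 really puts RC4 last. The suite names and strength bits are a constructed sample; real ALL expands to far more suites.

```python
# Constructed sample table: (name, key-exchange/auth tag, bulk cipher, strength bits).
# Illustrative only; OpenSSL's real ALL list is much larger.
SUITES = [
    ("AES256-SHA", "RSA", "AES", 256),
    ("DHE-RSA-AES128-SHA", "RSA", "AES", 128),
    ("AES128-SHA", "RSA", "AES", 128),
    ("ADH-AES128-SHA", "ADH", "AES", 128),
    ("RC4-SHA", "RSA", "RC4", 128),
    ("RC4-MD5", "RSA", "RC4", 128),
    ("DES-CBC3-SHA", "RSA", "3DES", 168),
    ("EXP-RC2-CBC-MD5", "RSA", "RC2", 40),
]

def matches(suite, keyword):
    """ALL selects every suite; any other keyword matches the kx/auth or bulk tag."""
    return keyword == "ALL" or keyword in (suite[1], suite[2])

def expand(spec):
    """Return the suite names selected by `spec`, in the order OpenSSL would keep them."""
    current, deleted = [], set()   # '!' deletions are permanent for the whole spec
    for token in spec.split(":"):
        if token == "@STRENGTH":   # sort by bits, strongest first; ties keep their order
            current.sort(key=lambda s: -s[3])
            continue
        op, kw = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in SUITES if matches(s, kw)]
        if op == "!":              # delete and block any later re-add
            deleted.update(s[0] for s in hits)
            current = [s for s in current if s[0] not in deleted]
        elif op == "-":            # delete, but a later plain keyword may re-add
            current = [s for s in current if s not in hits]
        elif op == "+":            # move matching suites to the end, keeping relative order
            current = [s for s in current if s not in hits] + [s for s in current if s in hits]
        else:                      # plain keyword: append suites not already present
            current += [s for s in hits if s not in current and s[0] not in deleted]
    return [s[0] for s in current]

def rc4_is_last(spec):
    """True when every RC4 suite sits at the tail of the expanded list."""
    names = expand(spec)
    rc4 = [n for n in names if "RC4" in n]
    return bool(rc4) and names[-len(rc4):] == rc4

if __name__ == "__main__":
    for spec in ("ALL:!ADH:+RC4:@STRENGTH", "ALL:!ADH:@STRENGTH:+RC4"):
        print(spec, "->", expand(spec), "| RC4 last:", rc4_is_last(spec))
```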
              • 5. Re: The SSL handshake could not be performed

                Thank you very much. It explained a lot to me. I will try to play around with ciphers.

                • 6. Re: The SSL handshake could not be performed

                  This error sometimes occurs when you search on google.com in an https session. If you try the link again, you can clear the error and successfully connect to the page. I couldn't figure out how to solve this.