2216 Views 6 Replies Latest reply: Mar 6, 2014 6:10 AM by kubaros
alojzyk Newcomer 4 posts since
Oct 29, 2012

Nov 16, 2012 6:39 AM

The SSL handshake could not be performed

Dear all,

on several sites I'm receiving the error "The SSL handshake could not be performed" followed by zeros in reason. I cannot find anything in the logs of the Web Gateway related to this. I tried to open one of the sites bypassing the MWG and it worked fine (however, one browser said "SSL negotiation failed"). Personally I have no clue how to solve this issue. Have any of you come across this issue?

  • georgec Champion 244 posts since
    Sep 9, 2010
    1. Nov 16, 2012 7:34 AM (in response to alojzyk)
    Re: The SSL handshake could not be performed

    Can you mention the sites so people that use MWG can try to replicate your problem?

  • jspanitz Apprentice 120 posts since
    Nov 4, 2009
    3. Nov 16, 2012 1:13 PM (in response to alojzyk)
    Re: The SSL handshake could not be performed

    I can confirm we are seeing the same thing here.  MWG 7.3

  • btlyric Apprentice 186 posts since
    Aug 1, 2012
    4. Nov 16, 2012 10:05 PM (in response to alojzyk)
    Re: The SSL handshake could not be performed

    In the case of https://forums.citrix.com, if you aren't behind a proxy, you get a 301 Moved Permanently response that sends you to http://community.citrix.com.

     

    Looking at some openssl conns:

    openssl s_client -connect forums.citrix.com:443
    CONNECTED(00000003)
    depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
    verify return:1
    depth=1 /O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA
    verify return:1
    depth=0 /C=US/ST=FL/L=Fort Lauderdale/O=Citrix Systems Inc./OU=IT/CN=*.citrix.com
    verify return:1
    write:errno=104

    errno=104 is ECONNRESET which means that the remote side reset the connection.

    Using the -prexit option supplies more info (snipped for brevity):

    openssl s_client -connect forums.citrix.com:443 -prexit

    write:errno=104
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : EXP-RC2-CBC-MD5

    This is a weak cipher. See https://www.ssllabs.com/ssltest/analyze.html?d=forums.citrix.com for a more detailed analysis of the ciphers being used by that site.

    When HIGH, MEDIUM or LOW ciphers are specified, the openssl connection succeeds and will return a 301 Moved Permanently message:

    openssl s_client -connect forums.citrix.com:443 -cipher HIGH

    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES128-SHA
        Session-ID: B5B568CA2668311B160FA1E1FD4F7D17971DC6809C379F4DD4ECC223C311062B
        Session-ID-ctx:
        Master-Key: 3A303BE75F6EC705E6FA8CDC8816B8B35D9DC904C75A16200499FFB144202931876550427B646C97BE5986B2B4969CF1
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1353115411
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    GET /
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>301 Moved Permanently</title>
    </head><body>
    <h1>Moved Permanently</h1>
    <p>The document has moved <a href="http://community.citrix.com/">here</a>.</p>
    <hr>
    <address>Apache/2.2.3 (Red Hat) Server at ftlxwsforums02.dmz.citrite.net Port 8190</address>
    </body></html>
    closed

    I played around a bit with the default CA cipher list, but no success with that. My final solution was to implement a rule as follows:

    Criteria: URL.Host matches forums.citrix.com, Action: Continue, Events: Set URL.Host="community.citrix.com"

    As an aside (which has no bearing on your original issue), the default cipher list in MWG is set to:

    ALL:!ADH:+RC4:@STRENGTH

    Excerpted from http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT

    If ! is used then the ciphers are permanently deleted from the list.
    If - is used then the ciphers are deleted from the list, but can be re-added.
    If + is used then the ciphers are moved to the end of the list.

    This can be interpreted as follows:

    ALL -- all cipher suites except the eNULL ciphers which must be explicitly enabled; as of OpenSSL, the ALL cipher suites are reasonably ordered by default
    !ADH -- disallow ADH
    +RC4 -- move RC4 to the end of the list
    @STRENGTH -- sort the list according to strength.

    This last value negates the previous +RC4 statement. @STRENGTH can be utilized at any point during the series of commands so +RC4:@STRENGTH is equivalent to @STRENGTH. If you really want to push RC4 to the end of the list, ALL:!ADH:@STRENGTH:+RC4 is what should be used.

    You can use openssl to evaluate the ciphers:

    MWG default:
    openssl ciphers -v 'ALL:!ADH:+RC4:@STRENGTH'

    With all RC4 actually at the end:
    openssl ciphers -v 'ALL:!ADH:@STRENGTH:+RC4'

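Added example, not btlyric's code and not anything from MWG or OpenSSL: a small Python model of the cipher-string rules quoted above (!, -, + and @STRENGTH), run over a constructed table of sample suites, so you can see offline why ALL:!ADH:+RC4:@STRENGTH leaves RC4 in the middle of the list while ALL:!ADH:@STRENGTH:+RC4 puts it last. The suite names, strength bits and aliases in CIPHERS are assumptions for illustration; the real list on a given MWG box comes from `openssl ciphers -v` as the post describes.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample table: (name, strength bits, aliases). Not OpenSSL's real
# table; just enough suites to exercise ALL, ADH, RC4, eNULL and @STRENGTH.
CIPHERS: List[Tuple[str, int, Set[str]]] = [
    ("AES256-SHA",         256, {"ALL", "AES", "HIGH"}),
    ("DHE-RSA-AES256-SHA", 256, {"ALL", "AES", "HIGH", "DHE"}),
    ("ADH-AES256-SHA",     256, {"ALL", "AES", "HIGH", "ADH"}),
    ("AES128-SHA",         128, {"ALL", "AES", "HIGH"}),
    ("RC4-SHA",            128, {"ALL", "RC4", "MEDIUM"}),
    ("RC4-MD5",            128, {"ALL", "RC4", "MEDIUM"}),
    ("ADH-RC4-MD5",        128, {"ALL", "RC4", "MEDIUM", "ADH"}),
    ("DES-CBC-SHA",         56, {"ALL", "DES", "LOW"}),
    ("EXP-RC2-CBC-MD5",     40, {"ALL", "RC2", "EXP", "EXPORT"}),
    ("NULL-SHA",             0, {"eNULL"}),  # eNULL is outside ALL by design
]
BITS: Dict[str, int] = {name: bits for name, bits, _ in CIPHERS}

def evaluate(spec: str) -> List[str]:
    """Evaluate an OpenSSL-style cipher string left to right (simplified model)."""
    current: List[str] = []    # enabled suites, in preference order
    killed: Set[str] = set()   # removed with '!': can never be re-added
    for token in filter(None, spec.split(":")):
        if token == "@STRENGTH":
            # stable sort by strength: equal-strength suites keep their order,
            # so an earlier '+' move is undone relative to weaker suites
            current.sort(key=lambda c: -BITS[c])
            continue
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        matched = [c for c, _, aliases in CIPHERS if name in aliases]
        if not matched:
            raise ValueError(f"unknown cipher or alias: {name!r}")
        if op == "!":      # permanent delete
            killed.update(matched)
            current = [c for c in current if c not in killed]
        elif op == "-":    # delete, but a later plain name may re-add
            current = [c for c in current if c not in matched]
        elif op == "+":    # move already-enabled matches to the end
            current = ([c for c in current if c not in matched]
                       + [c for c in current if c in matched])
        else:              # plain name: append matches not yet present
            current += [c for c in matched if c not in current and c not in killed]
    return current

def rc4_is_last(spec: str) -> bool:
    """True when every RC4 suite sits at the tail of the evaluated list."""
    order = evaluate(spec)
    rc4 = [c for c in order if "RC4" in c]
    return order[len(order) - len(rc4):] == rc4
```

With this table, rc4_is_last("ALL:!ADH:+RC4:@STRENGTH") is False because the 56-bit and 40-bit suites sort behind RC4, and rc4_is_last("ALL:!ADH:@STRENGTH:+RC4") is True.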
  • kubaros Newcomer 26 posts since
    May 7, 2013
    6. Mar 6, 2014 6:10 AM (in response to alojzyk)
    Re: The SSL handshake could not be performed

    This error sometimes occurs when you search on google.com in an https session. If you try the link again, you can clear the error and successfully connect to the page. I couldn't figure out how to solve this.
