2216 Views 6 Replies Latest reply: Mar 6, 2014 6:10 AM by kubaros
alojzyk Newcomer 4 posts since
Oct 29, 2012

Nov 16, 2012 6:39 AM

The SSL handshake could not be performed

Dear all,

on several sites I'm receiving the error "The SSL handshake could not be performed" followed by zeros in reason. I cannot find anything in the logs of the Web Gateway related to this. I tried to open one of the sites bypassing the MWG and it worked fine (however, one browser said "SSL negotiation failed"). Personally I have no clue how to solve this issue. Has any of you come across this issue?

  • georgec Champion 244 posts since
    Sep 9, 2010
    1. Nov 16, 2012 7:34 AM (in response to alojzyk)
    Re: The SSL handshake could not be performed

    Can you mention the sites so people that use MWG can try to replicate your problem?

  • jspanitz Apprentice 120 posts since
    Nov 4, 2009
    3. Nov 16, 2012 1:13 PM (in response to alojzyk)
    Re: The SSL handshake could not be performed

    I can confirm we are seeing the same thing here.  MWG 7.3

  • btlyric Apprentice 186 posts since
    Aug 1, 2012
    4. Nov 16, 2012 10:05 PM (in response to alojzyk)
    Re: The SSL handshake could not be performed

    In the case of, if you aren't behind a proxy, you get a 301 Moved Permanently response that sends you to


    Looking at some openssl conns:

    openssl s_client -connect

    depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
    verify return:1
    depth=1 /O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA
    verify return:1
    depth=0 /C=US/ST=FL/L=Fort Lauderdale/O=Citrix Systems Inc./OU=IT/CN=*
    verify return:1

    errno=104 is ECONNRESET which means that the remote side reset the connection.


    Using the -prexit option supplies more info (snipped for brevity):

    openssl s_client -connect -prexit

        Protocol  : TLSv1
        Cipher    : EXP-RC2-CBC-MD5

    This is a weak cipher. See for a more detailed analysis of the ciphers being used by that site.

    When HIGH, MEDIUM or LOW ciphers are specified, the openssl connection succeeds and will return a 301 Moved Permanently message:

    openssl s_client -connect -cipher HIGH

        Protocol  : TLSv1
        Cipher    : AES128-SHA
        Session-ID: B5B568CA2668311B160FA1E1FD4F7D17971DC6809C379F4DD4ECC223C311062B
        Master-Key: 3A303BE75F6EC705E6FA8CDC8816B8B35D9DC904C75A16200499FFB144202931876550427B646C97BE5986B2B4969CF1
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1353115411
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)


    GET /

    <title>301 Moved Permanently</title>
    <h1>Moved Permanently</h1>
    <p>The document has moved <a href="">here</a>.</p>
    <address>Apache/2.2.3 (Red Hat) Server at Port 8190</address>




    I played around a bit with the default CA cipher list, but no success with that. My final solution was to implement a rule as follows:


    Criteria: URL.Host matches, Action: Continue, Events: Set URL.Host=""


    As an aside (which has no bearing on your original issue), the default cipher list in MWG is set to:




    Excerpted from

    If ! is used then the ciphers are permanently deleted from the list.
    If - is used then the ciphers are deleted from the list, but can be re-added.
    If + is used then the ciphers are moved to the end of the list.

    This can be interpreted as follows:

    ALL -- all cipher suites except the eNULL ciphers which must be explicitly enabled; as of OpenSSL, the ALL cipher suites are reasonably ordered by default
    !ADH -- disallow ADH
    +RC4 -- move RC4 to the end of the list
    @STRENGTH -- sort the list according to strength.

    This last value negates the previous +RC4 statement. @STRENGTH can be utilized at any point during the series of commands so +RC4:@STRENGTH is equivalent to @STRENGTH. If you really want to push RC4 to the end of the list, ALL:!ADH:@STRENGTH:+RC4 is what should be used.

    You can use openssl to evaluate the ciphers:

    MWG default:

    openssl ciphers -v 'ALL:!ADH:+RC4:@STRENGTH'

    With all RC4 actually at the end:

    openssl ciphers -v 'ALL:!ADH:@STRENGTH:+RC4'

    on 11/16/12 10:05:29 PM CST
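To make the cipher-string rules in the post above concrete, here is a small Python model of how OpenSSL evaluates the tokens used in this thread (ALL, !, -, +, @STRENGTH). It is added example code, not MWG's or OpenSSL's; its cipher table is a constructed subset and the strength sort is a simplified stable sort by key bits, which is enough to reproduce the point that ALL:!ADH:+RC4:@STRENGTH leaves RC4 in the middle while ALL:!ADH:@STRENGTH:+RC4 pushes it to the end.

```python
# Added example (not OpenSSL or MWG code): a simplified model of how OpenSSL
# evaluates a cipher string; only ALL, !, -, + and @STRENGTH are modelled.

CIPHER_TABLE = [  # constructed subset: (name, key exchange, encryption, bits)
    ("DHE-RSA-AES256-SHA", "DHE", "AES256", 256),
    ("AES256-SHA",         "RSA", "AES256", 256),
    ("ADH-AES128-SHA",     "ADH", "AES128", 128),
    ("AES128-SHA",         "RSA", "AES128", 128),
    ("RC4-SHA",            "RSA", "RC4",    128),
    ("RC4-MD5",            "RSA", "RC4",    128),
    ("DES-CBC3-SHA",       "RSA", "3DES",   168),
    ("EXP-RC2-CBC-MD5",    "RSA", "RC2",    40),  # the suite seen in the thread
    ("NULL-SHA",           "RSA", "eNULL",  0),
]

def _matches(entry, keyword):
    """ALL selects everything but eNULL; other keywords match kx or encryption."""
    _, kx, enc, _ = entry
    return enc != "eNULL" if keyword == "ALL" else keyword in (kx, enc)

def evaluate(spec, table=CIPHER_TABLE):
    """Return the ordered suite names selected by a colon-separated spec."""
    enabled = []    # current ordered list of table entries
    killed = set()  # names removed with '!' can never be re-added
    for token in spec.split(":"):
        if token == "@STRENGTH":
            # Stable sort by key bits: equal-bit suites keep their order, so an earlier +RC4 is undone
            enabled.sort(key=lambda e: e[3], reverse=True)
        elif token.startswith("!"):
            hit = {e[0] for e in table if _matches(e, token[1:])}
            killed |= hit
            enabled = [e for e in enabled if e[0] not in hit]
        elif token.startswith("-"):
            enabled = [e for e in enabled if not _matches(e, token[1:])]
        elif token.startswith("+"):
            moved = [e for e in enabled if _matches(e, token[1:])]
            enabled = [e for e in enabled if e not in moved] + moved
        else:  # plain keyword: append matching suites not yet enabled
            enabled += [e for e in table if _matches(e, token)
                        and e[0] not in killed and e not in enabled]
    return [e[0] for e in enabled]

def rc4_at_end(spec):
    """True when every RC4 suite sits at the tail of the evaluated list."""
    names = evaluate(spec)
    rc4 = [n for n in names if "RC4" in n]
    return names[len(names) - len(rc4):] == rc4
if __name__ == "__main__":
    for spec in ("ALL:!ADH:+RC4:@STRENGTH", "ALL:!ADH:@STRENGTH:+RC4"):
        print(spec, "->", evaluate(spec))
```

With the constructed table, the MWG default orders EXP-RC2-CBC-MD5 (the 40-bit suite from the post) after the RC4 suites, which is exactly what the @STRENGTH-after-+RC4 ordering produces.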
  • kubaros Newcomer 26 posts since
    May 7, 2013
    6. Mar 6, 2014 6:10 AM (in response to alojzyk)
    Re: The SSL handshake could not be performed

    This error sometimes occurs when you search in in https session. If you try the link again, you can clear the error and successfully connect to the page. I couldn't figure out how to solve this.
