2 Replies Latest reply on Oct 10, 2016 6:55 AM by otruniger

    MWG TLS handshake failure to s3.amazonaws.com ?

    Regis

      Chasing down this same fun   ( MWG cannot make SSL-Handshake with www.iif.com   )  with https://s3.amazonaws.com/

       

      Can anyone else confirm?

       

      Host: s3.amazonaws.com

      Reason: error:00000000:lib(0):func(0):reason(0):SSL error at server handshake:state 25:Application response 500 handshakefailed

       

      My dev proxy with legacy handshake enabled connects fine, but without it, handshake failed.

       

      I'd love to go beat on Amazon to tell them their security house isn't as in order as they'd like (if these legacy handshakes open attack surface), but when doing so I'd love to make the case to them in terms of RFC's CVE's curl and openssl s_client as possible.  

       

      Anyone happen to know how to reproduce the handshake failure on the command line?

       

      Is there an opportunity for Amazon to fix something here?

        • 1. Re: MWG TLS handshake failure to s3.amazonaws.com ?
          Regis

          So... for those in the know on this, is it the "Peer signing digest: SHA1"  that's offensive to web gateway policy that has legacy signatures disabled?

           

           

          # openssl s_client -debug -connect s3.amazonaws.com:443

          CONNECTED(00000003)

          write to 0xc21730 [0xd07eb0] (289 bytes => 289 (0x121))

           

          ...

           

          6A2k0LiJws+jJpwj9rydUE/DWFlmnFY=

          -----END CERTIFICATE-----

          subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com

          issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2

          ---

          No client certificate CA names sent

          Peer signing digest: SHA1

          Server Temp Key: ECDH, P-256, 256 bits

          ---

          SSL handshake has read 3140 bytes and written 415 bytes

          ---

          New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

          Server public key is 2048 bit

          Secure Renegotiation IS supported

          Compression: NONE

          Expansion: NONE

          No ALPN negotiated

          SSL-Session:

              Protocol  : TLSv1.2

              Cipher    : ECDHE-RSA-AES128-GCM-SHA256

              Session-ID: 550623180BCBEB69E319E69C5F9DDD52CBABCB7E317AE54A0E8B5EC2EEF01777

              Session-ID-ctx:

              Master-Key: FA114FD0BCEAFB6CB737BEF4C4B88B3261556E1A70D0EB4778C0395AD8848DF98C3CB0F10A8794D BD2BD824D4856CCD0

              Key-Arg   : None

              Krb5 Principal: None

              PSK identity: None

              PSK identity hint: None

              Start Time: 1475872627

              Timeout   : 300 (sec)

              Verify return code: 0 (ok)

          ---

          • 2. Re: MWG TLS handshake failure to s3.amazonaws.com ?
            otruniger

            Hi Regis,

            in this case it's the "Baltimore CyberTrust Root" certificate with a sha1 signature at the top of the chain.

             

            Regards, Othmar

            1 of 1 people found this helpful