[openssl-users] Failed TLSv1.2 handshake
Nounou Dadoun
nounou.dadoun at avigilon.com
Mon Dec 7 22:46:26 UTC 2015
Hi folks, running into a failed handshake problem -
Although we upgraded to openssl 1.0.2d last summer, we had never changed our context setup from accepting any version other than TLSv1, i.e. (in boost)
m_context(pIoService->GetNative(), boost::asio::ssl::context::tlsv1)
When we recently changed to accepting other versions (didn't matter if we disabled sslv2 and sslv3) to (in boost):
m_context(pIoService->GetNative(), boost::asio::ssl::context::sslv23)
our ssl handshakes started failing with "decryption failed or bad record mac"
I've attached a packet capture, the client does a TLSv1.2 CLIENT HELLO and offers up 72 cipher suites.
The server responds with the SERVER HELLO, CERTIFICATE, SERVER HELLO DONE and appears to select
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
The Client does the CLIENT KEY EXCHANGE, CHANGE CIPHER SPEC, ENCRYPTED HANDSHAKE MESSAGE
and then the exchange appears to finish with the above error in the server log.
The cipher setting on the server is:
SSL_CTX_set_cipher_list(pSslContext->GetNativeRef().impl(), "ALL:SEED:!EXPORT:!LOW:!DES:!RC4");
Any suggestions? Is it possible that we've selected a cipher setting which is not compiled in?
Thanks in advance for any help ... N
Nou Dadoun
Senior Firmware Developer, Security Specialist
Office: 604.629.5182 ext 2632
Support: 888.281.5182 | avigilon.com
Follow Twitter | Follow LinkedIn
This email, including any files attached hereto (the "email"), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: failed_tls1.2_handshake.pcapng
Type: application/octet-stream
Size: 28676 bytes
Desc: failed_tls1.2_handshake.pcapng
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151207/88d93efa/attachment-0001.obj>
More information about the openssl-users
mailing list