[openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Nov 9 16:05:31 UTC 2017


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Graham Leggett
> Sent: Thursday, November 09, 2017 08:30
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL
> routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
> 
> On 09 Nov 2017, at 2:57 PM, Michael Wojcik
> <Michael.Wojcik at microfocus.com> wrote:
> 
> > DEFAULT includes ECC suites. You should try something like
> > DEFAULT:!ECDHE:!ECDH to eliminate the ECC Kx suites.
> 
> I just tried that - no change in behaviour, apart from the negotiation of a
> different cipher before the connection fails (0x9f).

OK. 9f is TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, so it's not an ECC issue after all. At least not with this client. It's not clear to me if you've gone back to the 1.0.1f client, or if you were still using 1.0.2m here.

> Does or did openssl server have any known bugs with respect to the length
> of a ClientHello packet being in excess of 255 bytes?

Someone else will have to answer this. As far as I know, it was only the F5 TLS implementation that had this issue.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 
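
Added example, not part of the original message and not OpenSSL's own code: a way to check locally what the cipher string suggested above actually enables, and to turn a negotiated suite value such as 0x9f into OpenSSL's name for it. It assumes Python's standard `ssl` module linked against OpenSSL 1.1.0 or later; the function and constant names are hypothetical.

```python
import ssl

# Cipher string suggested in the quoted message.
PAGE_CIPHER_STRING = "DEFAULT:!ECDHE:!ECDH"


def expand(cipher_string):
    """Suites the local OpenSSL enables for cipher_string (list of dicts)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def ecdhe_suites(cipher_string):
    """Names of enabled suites whose key exchange is ECDHE (kea 'kx-ecdhe').

    TLS 1.3 suites report kea 'kx-any' and are not controlled by the cipher
    string, so they never appear in this list.
    """
    return [s["name"] for s in expand(cipher_string) if s["kea"] == "kx-ecdhe"]


def name_for_wire_id(wire_id, cipher_string="DEFAULT"):
    """Map the two-byte suite value from a ServerHello to OpenSSL's name."""
    for s in expand(cipher_string):
        # OpenSSL reports ids as 0x0300XXXX; the low 16 bits go on the wire.
        if s["id"] & 0xFFFF == wire_id:
            return s["name"]
    return None


if __name__ == "__main__":
    print("ECDHE suites under DEFAULT:", len(ecdhe_suites("DEFAULT")))
    print("ECDHE suites under", PAGE_CIPHER_STRING + ":",
          len(ecdhe_suites(PAGE_CIPHER_STRING)))
    print("0x9f ->", name_for_wire_id(0x9F, PAGE_CIPHER_STRING))
```

OpenSSL's `DHE-RSA-AES256-GCM-SHA384` is the IANA suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 named in the message.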




