[openssl-users] openssl client v1.1.0 can not connect: handshake failure:ssl/record/rec_layer_s3.c:1385:SSL alert number 40
Matt Caswell
matt at openssl.org
Fri Feb 17 09:57:39 UTC 2017
On 17/02/17 07:46, Matthias Apitz wrote:
> New, TLSv1/SSLv3, Cipher is DHE-DSS-AES128-GCM-SHA256
Your server appears to be configured with a DSA certificate.
OpenSSL 1.1.0 made changes to the default ciphersuites that get sent.
See this CHANGES entry:
  *) Changes to the DEFAULT cipherlist:
       - Prefer (EC)DHE handshakes over plain RSA.
       - Prefer AEAD ciphers over legacy ciphers.
       - Prefer ECDSA over RSA when both certificates are available.
       - Prefer TLSv1.2 ciphers/PRF.
       - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
         default cipherlist.
     [Emilia Käsper]
So OpenSSL 1.1.0 does not offer any DSS based ciphersuites by default
any more. If your server only has a DSA certificate then this is going
to fail.
Matt
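
The mismatch described in the message above, as an added example that is not part of the original post or of OpenSSL: it filters `openssl ciphers -v` style output by the Au= column to show which offered suites a server holding only a DSA certificate could use. The two listings are constructed, abbreviated samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): given `openssl ciphers -v`
# output, list the suites usable with a certificate of a given key type.

# Constructed, abbreviated listings in `openssl ciphers -v` column format.
# LIST_WITH_DSS models a client that still offers DSS suites;
# LIST_NO_DSS models a 1.1.0-style DEFAULT with the DSS suites removed.
LIST_WITH_DSS='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

LIST_NO_DSS='ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

# suites_for_auth AUTH: read a listing on stdin and print the suite names
# whose Au= column equals AUTH (DSS, RSA, ECDSA). TLSv1.3 suites show
# Au=any and are not counted; TLS 1.3 does not support DSA certificates.
suites_for_auth() {
    awk -v want="Au=$1" \
        '{ for (i = 2; i <= NF; i++) if ($i == want) { print $1; break } }'
}

# can_authenticate LISTING AUTH: succeed if at least one offered suite
# matches the server certificate's key type.
can_authenticate() {
    [ -n "$(printf '%s\n' "$1" | suites_for_auth "$2")" ]
}

for name in LIST_WITH_DSS LIST_NO_DSS; do
    eval "listing=\$$name"
    if can_authenticate "$listing" DSS; then
        echo "$name: DSA-only server has a usable suite"
    else
        echo "$name: no DSS suites offered, expect handshake failure (alert 40)"
    fi
done
```

To check an installed client, pipe `openssl ciphers -v DEFAULT` into `suites_for_auth DSS`; empty output means the client's default list offers nothing a DSA-only server can use.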