Re: SSL handshake failure after httpd upgrade to 2.4.12

[Sunil R <dexterseven@xxxxxxxxx>]

Thanks Daniel.

SSLCipherSuite - ALL:!ADH:!EXPORT40:!EXPORT56:!LOW:!RC4:!MD5:!IDEA:+HIGH:+MEDIUM:+EXP:+eNULL

SSLProtocol all -SSLv2 -SSLv3

This is the openssl version output:
openssl ciphers -v
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

Output from the nmap scan of the server:
| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (14)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|_      uncompressed

Thx,

DS

On Thu, Jul 30, 2015 at 8:16 PM, Daniel <dferradal@xxxxxxxxx> wrote:

You should share your SSLCiphersuite and SSLProtocol values first, besides that version of openssl is quite lacking regarding the availability of ciphers and protocols.

2015-07-30 5:37 GMT+02:00 Sunil R <dexterseven@xxxxxxxxx>:

I’m trying to upgrade the Apache version from httpd 2.2.25 to 2.4.12. Im building apache with the same openssl version 0.9.8.After the upgrade I see that the openssl s_client query to the server fails with error:

[Mon Jul 27 02:57:47.982584 2015] [ssl:info] [pid 22460:tid 1943075728] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

 

The openssl client version is Openssl 0.9.8g ( OpenSSL/FIPS). In the httpd config file I have disabled SSLv2 and SSLv3.

When I enable debug options on the s_client this is the output:

 

Linux# /isan/bin/openssl s_client -connect localhost:443 -debug -state -msg

CONNECTED(00000003)

SSL_connect:before/connect initialization

write to 0x9d606b0 [0x9d61678] (124 bytes => 124 (0x7C))

0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..

0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............

0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......

0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................

0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........

0050 - 00 00 06 04 00 80 00 00-03 02 00 80 68 fd d4 c6   ............h...

0060 - 77 4c 5e ef 2f 41 d4 18-e6 f8 6d d3 9e 8c b2 2d   wL^./A....m....-

0070 - b4 81 83 fd c7 63 f6 8b-fe 26 e9 97               .....c...&..

>>> SSL 2.0 [length 007a], CLIENT-HELLO

    01 03 01 00 51 00 00 00 20 00 00 39 00 00 38 00

    00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00

    33 00 00 32 00 00 2f 00 00 07 05 00 80 03 00 80

    00 00 05 00 00 04 01 00 80 00 00 15 00 00 12 00

    00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00

    06 04 00 80 00 00 03 02 00 80 68 fd d4 c6 77 4c

    5e ef 2f 41 d4 18 e6 f8 6d d3 9e 8c b2 2d b4 81

    83 fd c7 63 f6 8b fe 26 e9 97

SSL_connect:SSLv2/v3 write client hello A

read from 0x9d606b0 [0x9d66bd8] (7 bytes => 0 (0x0))

7175:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Linux#

 

The SSL handshake goes through fine in these cases:

1.When I enable SSLv3, the query goes through fine.

2. When I force the TLSv1 in the s_client query.

3. With the older httpd version 2.2.25

Is this intentional, to honor the disable SSLv3 configured?

Please help me let know what could be the issue? Let me know if any other details are needed.

Thx,

DS

--

Daniel Ferradal

IT Specialist

email         dferradal at gmail.com

linkedin     es.linkedin.com/in/danielferradal