Failed TLSv1.2 handshake

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi folks, running into a failed handshake problem -

Although we upgraded to openssl 1.0.2d last summer, we had never changed our context setup from accepting any version other than TLSv1, i.e. (in boost)
m_context(pIoService->GetNative(), boost::asio::ssl::context::tlsv1)


When we recently changed to accepting other versions (didn't matter if we disabled sslv2 and sslv3) to (in boost):
m_context(pIoService->GetNative(), boost::asio::ssl::context::sslv23)

our ssl handshakes started failing with "decryption failed or bad record mac"

I've attached a packet capture, the client does a TLSv1.2 CLIENT HELLO and offers up 72 cipher suites.

The server responds with the SERVER HELLO, CERTIFICATE, SERVER HELLO DONE and appears to select 
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

The Client does the CLIENT KEY EXCHANGE, CHANGE CIPHER SPEC, ENCRYPTED HANDSHAKE MESSAGE
and then the exchange appears to finish with the above error in the server log.

The cipher setting on the server is:
SSL_CTX_set_cipher_list(pSslContext->GetNativeRef().impl(),  "ALL:SEED:!EXPORT:!LOW:!DES:!RC4");

Any suggestions?  Is it possible that we've selected a cipher setting which is not compiled in?

Thanks in advance for any help ... N


Nou Dadoun
Senior Firmware Developer, Security Specialist


Office: 604.629.5182 ext 2632 
Support: 888.281.5182 ?|? avigilon.com
Follow?Twitter ?|? Follow?LinkedIn


This email, including any files attached hereto (the "email"), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: failed_tls1.2_handshake.pcapng
Type: application/octet-stream
Size: 28676 bytes
Desc: failed_tls1.2_handshake.pcapng
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151207/88d93efa/attachment-0001.obj>


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux