This repository has been archived by the owner on Nov 6, 2023. It is now read-only.

Ruleset checker handshake error #1038

Closed
jsha opened this issue Feb 11, 2015 · 4 comments

Comments

@jsha
Member

jsha commented Feb 11, 2015

Copying @semenko's comment from #1036:

Huh, the AA rule was strange here. Curl throws me that same error, 'error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure' -- but Chrome & Qualys deal with it fine.

https://www.ssllabs.com/ssltest/analyze.html?d=aa.com&s=23.203.222.57

$ openssl s_client -connect aa.com:443

New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-SHA
Session-ID: ...
Session-ID-ctx:
Master-Key: ....
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)

This can also be reproduced with curl, which makes sense since the checker uses PyCurl. Not sure what is going on here. We should track down the cause of the handshake error, and whether it can be fixed with configuration parameters.

@jsha
Member Author

jsha commented Feb 11, 2015

It looks like curl disables the RC4 cipher, which differs from Firefox and the OpenSSL default: http://curl.haxx.se/mail/tracker-2014-03/0014.html. We can change that on the command line, so I'm pretty sure we can change it in PyCurl.

@semenko
Contributor

semenko commented Feb 11, 2015

Ah cool!

Yeah, that works: curl -v --cipher 'RC4-SHA' -X HEAD https://aa.com

Useful since it looks like this is served via Akamai, so likely to impact more sites:

< HTTP/1.1 301 Moved Permanently
* Server AkamaiGHost is not blacklisted
< Server: AkamaiGHost
< Content-Length: 0
< Location: https://www.aa.com/
< Date: Wed, 11 Feb 2015 03:01:28 GMT
< Connection: keep-alive
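The rerun described in this thread (pick out rulesets whose disable message carries the SSL23_GET_SERVER_HELLO handshake failure, then re-check them with RC4 allowed in PyCurl) as an added Python example; it is not the checker's own code. The cipher strings, ruleset names and disable messages are constructed assumptions; pycurl.SSL_CIPHER_LIST is the real binding for curl's CURLOPT_SSL_CIPHER_LIST.

```python
import re

try:
    import pycurl
    SSL_CIPHER_LIST = pycurl.SSL_CIPHER_LIST   # CURLOPT_SSL_CIPHER_LIST
except ImportError:
    SSL_CIPHER_LIST = "SSL_CIPHER_LIST"        # placeholder so the selection logic runs without pycurl

# Assumed cipher strings: the default keeps RC4 off (as curl does); the rerun list mirrors the
# 'RC4-SHA' used in the curl command above, so RC4 is offered only on an explicit re-check,
# never for the normal run (RC4 is a weak cipher and should not be on by default).
NO_RC4_CIPHERS = "DEFAULT:!RC4"
RC4_RERUN_CIPHERS = "RC4-SHA"

# OpenSSL error string format: error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)")


def parse_openssl_error(message):
    """Return the parts of the first OpenSSL error embedded in a disable message, or None."""
    m = OPENSSL_ERR.search(message)
    return m.groupdict() if m else None


def needs_rc4_rerun(message):
    """True only for the SSL23_GET_SERVER_HELLO handshake-failure signature seen on aa.com."""
    err = parse_openssl_error(message)
    return bool(err) and err["func"] == "SSL23_GET_SERVER_HELLO" \
        and "handshake failure" in err["reason"]


def select_rules_for_rerun(disabled_rules):
    """disabled_rules maps ruleset name -> disable message; returns names worth re-checking."""
    return sorted(name for name, msg in disabled_rules.items() if needs_rc4_rerun(msg))


def configure_ciphers(handle, allow_rc4):
    """Set the cipher list on a pycurl.Curl-like handle (anything with setopt); returns the list used."""
    ciphers = RC4_RERUN_CIPHERS if allow_rc4 else NO_RC4_CIPHERS
    handle.setopt(SSL_CIPHER_LIST, ciphers)
    return ciphers


# Constructed sample of checker disable messages; the first carries the error quoted in this issue.
SAMPLE_DISABLED = {
    "AmericanAirlines": "Disabled: curl error 35: error:14077410:SSL routines:"
                        "SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure",
    "ExampleExpiredCert": "Disabled: curl error 60: SSL certificate problem: certificate has expired",
    "ExampleTimeout": "Disabled: curl error 28: Operation timed out",
}

if __name__ == "__main__":
    for name in select_rules_for_rerun(SAMPLE_DISABLED):
        print("re-run with RC4 allowed:", name)
```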

jsha added a commit that referenced this issue Feb 11, 2015

Per #1038, sites that only support RC4 were incorrectly disabled because curl, used by https-everywhere-checker, disables RC4 by default. I re-enabled RC4 and re-ran the checker for all rules with SSL23_GET_SERVER_HELLO in the disable message. Some rules are still disabled for unrelated handshake reasons. Other rules are now disabled for different reasons. And a lot of rules are now re-enabled.
@jsha
Member Author

jsha commented Feb 12, 2015

Fixed.

@jsha jsha closed this as completed Feb 12, 2015