Ruleset checker handshake error

[jsha]

Copying @semenko's comment from #1036:

Huh, the AA rule was strange here. Curl throws me that same error, 'error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure' -- but Chrome & Qualys deal with it fine.

https://www.ssllabs.com/ssltest/analyze.html?d=aa.com&s=23.203.222.57

$ openssl s_client -connect aa.com:443

New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-SHA
Session-ID: ...
Session-ID-ctx:
Master-Key: ....
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)

This can also be reproduced with curl, which makes sense since the checker uses PyCurl. Not sure what is going on here. We should track down the cause of the handshake error, and whether it can be fixed with configuration parameters.

[jsha]

It looks like curl disables the RC4 cipher, which differs from Firefox and the OpenSSL default: http://curl.haxx.se/mail/tracker-2014-03/0014.html. We can change that on the command line, so I'm pretty sure we can change it in PyCurl.

[semenko]

Ah cool!

Yeah, that works: curl -v --cipher 'RC4-SHA' -X HEAD https://aa.com

Useful since it looks like this is served via Akamai, so likely to impact more sites:

< HTTP/1.1 301 Moved Permanently
* Server AkamaiGHost is not blacklisted
< Server: AkamaiGHost
< Content-Length: 0
< Location: https://www.aa.com/
< Date: Wed, 11 Feb 2015 03:01:28 GMT
< Connection: keep-alive

[jsha]

Fixed.

[jsha]

Fixed.