[Freeswitch-users] SSL3_READ_BYTES:sslv3 alert handshake failure
Assaf Dahary
adahary at gmail.com
Tue Apr 22 19:11:36 MSD 2014
The date/time is OK (1 year from now).
The thing with openssl version is that I have the same installation with another box with version 1.0.1e and I can connect over TLS with same kind of PositiveSSL CA (but different sub domain). The Heartbleed bug is known but that shouldn't be the problem.
It looks like something with the FS is broken with the cipher list which I cannot figure out, because the PositiveSSL CA works on the same box on different port with apache.
So the apache can manage the right cipher but the FS does not. Why?
I read more about Centos/RedHat which is missing EC ciphers. I see that also the gentls script requires it (I got PositiveSSL to get around this self-signed option).
I'll try anyway to upgrade openssl to the latest (http://www.openssl.org/source/openssl-1.0.1g.tar.gz) and see if it will resolve it – hopefully.
Assaf
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Steven Ayre
Sent: Tuesday, April 22, 2014 5:32 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] SSL3_READ_BYTES:sslv3 alert handshake failure
Can't help you with what the issue would be (though I'd verify your date/time settings are correct)... but I would update your OpenSSL version since 1.0.1e is vulnerable to the heartbleed bug.
On 22 April 2014 13:46, Assaf Dahary <adahary at gmail.com> wrote:
Hi,
I've successfully installed a FS server with TLS using PositiveSSL and it is working great.
Few days ago I've followed the same installation on another standalone machine with the same FS-1.2.22 and PositiveSSL CA but this time I cannot connect over TLS.
It seems that FS has no cipher to respond with and it fails on negotiations.
The PositiveSSL is OK because I verified it locally with "openssl s_client" and from the internet using browser/https.
My ssl/ pem files are made with (like I did with the first server - OK):
# cat mysite_com.crt myserver.key > agent.pem
# cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > cafile.pem
# chown freeswitch.freeswitch *.pem
# chmod 640 *.pem
When issuing "$ sslscan myfs.com:5091 | grep Accepted"
I get not a single cipher; I get a long list of 'Rejected' ciphers.
When I'm running the same command for my first server I get a list of supported ciphers – which is OK.
When
[root at www ~]# openssl s_client -connect myfs.com:5091
CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = myfs.com
verify return:1
140160541112136:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
140160541112136:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
I've already re-installed FS with clean config files.
Centos 6.x 64, OpenSSL 1.0.1e-fips 11 Feb 2013.
I would appreciate any help/tip on this TLS fail issue.
Regards
Assaf
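A small diagnostic script, added here as an example and not something posted in the thread, that does by hand what the sslscan probe above does: it offers the server each cipher suite the local OpenSSL build knows, one at a time, reports which ones complete a handshake, and decodes the "SSL alert number" that s_client prints on failure (alert 40 is handshake_failure, which a server sends when it finds no cipher suite in common with the client). It assumes `openssl` is on PATH; the host and port are placeholders for the server under test.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes `openssl` is on PATH.
# Usage: probe_ciphers myfs.com 5091

# Map a TLS alert number, as printed by s_client ("SSL alert number N"), to its name.
tls_alert_name() {
    case "$1" in
        0)  echo close_notify ;;
        10) echo unexpected_message ;;
        20) echo bad_record_mac ;;
        40) echo handshake_failure ;;      # no shared cipher/parameters
        42) echo bad_certificate ;;
        46) echo certificate_unknown ;;
        48) echo unknown_ca ;;
        70) echo protocol_version ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Read s_client output on stdin and print the first alert number found (nothing if none).
alert_number_from_log() {
    sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Offer exactly one cipher suite to HOST:PORT; print "accepted" or "rejected".
try_cipher() {
    host=$1; port=$2; cipher=$3
    out=$(openssl s_client -connect "$host:$port" -cipher "$cipher" </dev/null 2>&1 || true)
    case "$out" in
        *"Cipher is (NONE)"*|*"alert handshake failure"*) echo rejected ;;
        *"Cipher is "*) echo accepted ;;
        *) echo rejected ;;   # e.g. local build does not support this suite
    esac
}

# Walk every suite the local OpenSSL build supports and list the ones the server takes.
# Zero accepted suites plus alert 40 on each attempt means no cipher in common.
probe_ciphers() {
    host=$1; port=$2; accepted=0
    for c in $(openssl ciphers 'ALL:!eNULL' | tr ':' ' '); do
        if [ "$(try_cipher "$host" "$port" "$c")" = accepted ]; then
            echo "Accepted $c"; accepted=$((accepted + 1))
        fi
    done
    echo "$accepted cipher(s) accepted by $host:$port"
}
```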