[Freeswitch-users] SSL3_READ_BYTES:sslv3 alert handshake failure
adahary at gmail.com
Tue Apr 22 19:11:36 MSD 2014
The date/time is OK (1 year from now).
The thing with the OpenSSL version is that I have the same installation on another box with version 1.0.1e and I can connect over TLS with the same kind of PositiveSSL CA (but a different sub domain). The Heartbleed bug is known, but that shouldn't be the problem.
It looks like something in FS is broken with the cipher list, which I cannot figure out, because the PositiveSSL CA works on the same box on a different port with Apache.
So Apache can manage the right cipher but FS does not. Why?
I read more about CentOS/RedHat, which is missing EC ciphers. I see that the gentls script also requires it (I got PositiveSSL to get around the self-signed option).
I'll try to upgrade OpenSSL to the latest (http://www.openssl.org/source/openssl-1.0.1g.tar.gz) anyway and see if it will resolve it – hopefully.
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Steven Ayre
Sent: Tuesday, April 22, 2014 5:32 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] SSL3_READ_BYTES:sslv3 alert handshake failure
Can't help you with what the issue would be (though I'd verify your date/time settings are correct)... but I would update your OpenSSL version since 1.0.1e is vulnerable to the heartbleed bug.
On 22 April 2014 13:46, Assaf Dahary <adahary at gmail.com> wrote:
I've successfully installed a FS server with TLS using PositiveSSL and it is working great.
A few days ago I followed the same installation on another standalone machine with the same FS-1.2.22 and PositiveSSL CA, but this time I cannot connect over TLS.
It seems that FS has no cipher to respond with and it fails on negotiation.
The PositiveSSL is OK because I verified it locally with "openssl s_client" and from the internet using browser/https.
My ssl/ pem files are made with (like I did with the first server - OK):
# cat mysite_com.crt myserver.key > agent.pem
# cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > cafile.pem
# chown freeswitch.freeswitch *.pem
# chmod 640 *.pem
When issuing "$ sslscan myfs.com:5091 | grep Accepted "
I get not a single cipher; I get a long list of 'Rejected' ciphers.
When I'm running the same command for my first server I get a list of supported ciphers – which is OK.
[root at www ~]# openssl s_client -connect myfs.com:5091
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = myfs.com
140160541112136:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
140160541112136:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
I've already re-installed FS with clean config files.
Centos 6.x 64, OpenSSL 1.0.1e-fips 11 Feb 2013.
I would appreciate any help/tip on this TLS fail issue.
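Added example (not from this thread or from the FreeSWITCH project): a small Python script that sanity-checks the layout of the agent.pem / cafile.pem bundles built with the cat commands above, checks the 640 file mode, lets OpenSSL parse the bundle so a key/cert mismatch surfaces as an error, and probes a TLS port one cipher suite at a time the way "sslscan host:port | grep Accepted" does. The host name myfs.com, port 5091 and the file names are taken from the post; everything else (function names, the constructed PEM text in the test) is an assumption for illustration.

```python
# Added example, not code from the thread: PEM bundle layout checks plus a
# per-cipher TLS handshake probe (the "sslscan | grep Accepted" idea).
import os
import re
import socket
import ssl
import stat

# One PEM block; the END label must match the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def pem_block_types(text):
    """Return the PEM block labels in the order they appear in the file."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_agent_pem(text):
    """Layout check for agent.pem (server cert followed by its private key).

    Returns a list of problems; an empty list means the layout looks right.
    Whether the key really matches the cert is left to load_cert_chain().
    """
    types = pem_block_types(text)
    problems = []
    certs = [t for t in types if t == "CERTIFICATE"]
    keys = [t for t in types if t.endswith("PRIVATE KEY")]
    if len(certs) != 1:
        problems.append("expected exactly one CERTIFICATE block, found %d" % len(certs))
    if len(keys) != 1:
        problems.append("expected exactly one PRIVATE KEY block, found %d" % len(keys))
    if types and types[0] != "CERTIFICATE":
        problems.append("the certificate should come before the key")
    for t in types:
        if t != "CERTIFICATE" and not t.endswith("PRIVATE KEY"):
            problems.append("unexpected %s block" % t)
    return problems


def check_cafile_pem(text):
    """Layout check for cafile.pem: certificates only (intermediate, then root)."""
    types = pem_block_types(text)
    if not types:
        return ["no PEM blocks found"]
    return ["unexpected %s block in CA file" % t for t in types if t != "CERTIFICATE"]


def check_permissions(path, expected_mode=0o640):
    """True if the file mode matches the chmod 640 used in the post."""
    return stat.S_IMODE(os.stat(path).st_mode) == expected_mode


def load_cert_chain(agent_pem, cafile_pem):
    """Let OpenSSL parse the bundles; raises ssl.SSLError on a key/cert mismatch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(agent_pem)
    ctx.load_verify_locations(cafile_pem)
    return ctx


def probe_ciphers(host, port, timeout=5.0):
    """One handshake per cipher suite; returns (accepted, rejected) name lists.

    Verification is disabled on purpose: the question is which suites the
    server will negotiate, not whether its chain validates. TLS 1.3 suites
    are not selectable through set_ciphers() and are skipped.
    """
    accepted, rejected = [], []
    names = [c["name"] for c in ssl.create_default_context().get_ciphers()
             if c.get("protocol") != "TLSv1.3"]
    for name in names:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers(name)  # offer only this one suite
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append(tls.cipher()[0])
        except (ssl.SSLError, OSError):
            rejected.append(name)  # handshake failure (e.g. alert 40) or no suite
    return accepted, rejected


if __name__ == "__main__":
    # Paths and host from the post; adjust to the real installation.
    for path, checker in (("agent.pem", check_agent_pem), ("cafile.pem", check_cafile_pem)):
        with open(path) as fh:
            print(path, checker(fh.read()) or "layout OK",
                  "mode 640" if check_permissions(path) else "mode NOT 640")
    load_cert_chain("agent.pem", "cafile.pem")
    acc, rej = probe_ciphers("myfs.com", 5091)
    print("Accepted:", acc)
    print("Rejected:", len(rej), "suites")
```

An empty accepted list with a clean bundle points at the server-side cipher list (or a build without the EC suites the configured list asks for) rather than at the certificate, which is the distinction the thread is trying to make between the Apache port and the FreeSWITCH port.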