<div dir="ltr">I wasn&#39;t suggesting the version was the issue, just warning you that you&#39;re on an old version. Date/time was in case the certificate was expired / not valid yet - I&#39;ve seen that before on an embedded system where connections would fail before NTP set the correct time. OpenSSL error messages aren&#39;t always user friendly...</div>

<div class="gmail_extra"><br><br><div class="gmail_quote">On 22 April 2014 16:11, Assaf Dahary <span dir="ltr">&lt;<a href="mailto:adahary@gmail.com" target="_blank">adahary@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">The date/time is OK (1 year from now).</span></p>
<p class="MsoNormal"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">The thing with the openssl version is that I have the same installation on another box with version </span>1.0.1e and I can connect over TLS with the same kind of PositiveSSL CA (but a different sub domain). The Heartbleed bug is known but that shouldn&#39;t be the problem.</p>

<p class="MsoNormal">It looks like something with the FS is broken with the cipher list which I cannot figure out, because the PositiveSSL CA works on the same box on a different port with apache.</p>

<p class="MsoNormal">So the apache can manage the right cipher but the FS does not. Why?</p><p class="MsoNormal">I read more about Centos/RedHat which is missing EC ciphers. I see that also the gentls script requires it (I got PositiveSSL to get around this self-signed option).</p>

<p class="MsoNormal">I&#39;ll try anyway to upgrade openssl to the latest (<a href="http://www.openssl.org/source/openssl-1.0.1g.tar.gz" target="_blank">http://www.openssl.org/source/openssl-1.0.1g.tar.gz</a>) and see if it will resolve it – hopefully.</p>

<p class="MsoNormal">Assaf</p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> <a href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a> [mailto:<a href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a>] <b>On Behalf Of </b>Steven Ayre<br>

<b>Sent:</b> Tuesday, April 22, 2014 5:32 PM<br><b>To:</b> FreeSWITCH Users Help<br><b>Subject:</b> Re: [Freeswitch-users] SSL3_READ_BYTES:sslv3 alert handshake failure<u></u><u></u></span></p><div><div class="h5"><p class="MsoNormal">

<u></u> <u></u></p><div><p class="MsoNormal">Can&#39;t help you with what the issue would be (though I&#39;d verify your date/time settings are correct)... but I would update your OpenSSL version since 1.0.1e is vulnerable to the heartbleed bug.<u></u><u></u></p>

</div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p><div><p class="MsoNormal">On 22 April 2014 13:46, Assaf Dahary &lt;<a href="mailto:adahary@gmail.com" target="_blank">adahary@gmail.com</a>&gt; wrote:<u></u><u></u></p>

<div><div><p class="MsoNormal"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Hi,</span></p>

<p class="MsoNormal"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">I&#39;ve successfully installed a FS server with TLS using PositiveSSL and it is working great.</span></p>
<p class="MsoNormal"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">A few days ago I followed the same installation on another standalone machine with the same FS-1.2.22 and PositiveSSL CA but this time I cannot connect over TLS.</span></p>

<p class="MsoNormal"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">It seems that FS has no cipher to respond with and it fails on negotiation.</span></p>

<p class="MsoNormal"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">The PositiveSSL is OK because I verified it locally with &quot;openssl s_client&quot; and from the internet using browser/https.</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">My ssl/pem files are made with (like I did with the first server - OK):</span></p>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"># cat mysite_com.crt myserver.key &gt; agent.pem
# cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt &gt; cafile.pem
# chown freeswitch.freeswitch *.pem
# chmod 640 *.pem</span></pre>

<p class="MsoNormal"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">When issuing &quot;</span><span style="font-size:9.0pt;font-family:Consolas;color:#222222">$ sslscan <a href="http://myfs.com:5091" target="_blank">myfs.com:5091</a> | grep Accepted&quot;</span><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;"> I get no single cipher. I get a long list of &#39;Rejected&#39; ciphers.</span></p>
<p class="MsoNormal"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">When I&#39;m running the same command for my first server I get a list of supported ciphers – which is OK.</span></p>

<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">When</span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">[root@www ~]# openssl s_client -connect <a href="http://myfs.com:5091" target="_blank">myfs.com:5091</a></span></pre>

<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">CONNECTED(00000003)</span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root</span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">verify return:1</span></pre>

<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2</span><u></u><u></u></pre>

<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">verify return:1</span><u></u><u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = <a href="http://myfs.com" target="_blank">myfs.com</a></span><u></u><u></u></pre>

<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">verify return:1</span><u></u><u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">140160541112136:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40</span><u></u><u></u></pre>

<div style="border:none;border-bottom:solid windowtext 1.0pt;padding:0cm 0cm 1.0pt 0cm"><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">140160541112136:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:</span><u></u><u></u></pre>

</div>

<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas">I&#39;ve already re-installed FS with clean config files.</span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas">Centos 6.x 64, OpenSSL 1.0.1e-fips 11 Feb 2013.</span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">I would appreciate any help/tip on this TLS failure issue.</span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Regards</span></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:#888888">Assaf</span></pre>

</div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_________________________________________________________________________<br>Professional FreeSWITCH Consulting Services:<br><a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>

<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br><br>FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br><a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>

<br>Official FreeSWITCH Sites<br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br><a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br><a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>

<br>FreeSWITCH-users mailing list<br><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>

UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><u></u><u></u></p>

</div></div></div></div></div></div></blockquote></div></div>
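<p>As an added example (not code from this thread, from FreeSWITCH or from sslscan), a small Python diagnostic for the three checks the thread turns on: it splits OpenSSL's error line and names the TLS alert (40 is handshake_failure in RFC 5246), compares a certificate's notBefore/notAfter with the local clock (the date/time hint), and offers each locally available cipher to a server one at a time, the way the sslscan Accepted/Rejected listing does. Only <code>probe_ciphers</code> needs network access; the host and port passed to it are assumptions for illustration.</p>

```python
import re
import socket
import ssl
import time

# TLS alert descriptions (RFC 5246 section 7.2); alert 40 is the one in the thread.
ALERT_NAMES = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
               40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
               70: "protocol_version", 71: "insufficient_security"}

# OpenSSL error line layout: pid:error:code:library:function:reason:file:line:extra
_ERR_RE = re.compile(r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):"
                     r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$")

def parse_openssl_error(line):
    """Split an OpenSSL error line into its fields and name the TLS alert, if any."""
    m = _ERR_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSL error line: %r" % line)
    d = m.groupdict()
    alert = re.search(r"alert number (\d+)", d["extra"])
    d["alert"] = int(alert.group(1)) if alert else None
    d["alert_name"] = ALERT_NAMES.get(d["alert"]) if alert else None
    return d

def cert_validity_status(not_before, not_after, now=None):
    """Check getpeercert() notBefore/notAfter strings against the local clock."""
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(not_before):
        return "not yet valid"  # typical on a box whose clock has not synced yet
    if now > ssl.cert_time_to_seconds(not_after):
        return "expired"
    return "valid"

def probe_ciphers(host, port, timeout=5.0):
    """Offer each local cipher on its own, like 'sslscan | grep Accepted' in the thread."""
    results = {}
    for c in ssl.create_default_context().get_ciphers():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # handshake test only
        try:
            ctx.set_ciphers(c["name"])
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[c["name"]] = "Accepted " + tls.version()
        except OSError as e:  # ssl.SSLError is an OSError; .reason names the failure
            results[c["name"]] = "Rejected " + (getattr(e, "reason", None) or str(e))
    return results
```

<p>A server that rejects every offered cipher while its certificate window is fine points at the server's own key, certificate or cipher configuration rather than at the client or the CA chain.</p>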