<div dir="ltr">I wasn't suggesting the version was the issue, just warning you that you're on an old version. Date/time was in case the certificate was expired / not valid yet - I've seen that before on an embedded system where connections would fail before NTP set the correct time. OpenSSL error messages aren't always user-friendly...</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On 22 April 2014 16:11, Assaf Dahary <span dir="ltr"><<a href="mailto:adahary@gmail.com" target="_blank">adahary@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">The date/time is OK (1 year from now).<u></u><u></u></span></p><p class="MsoNormal">
<span style="font-family:'Arial','sans-serif'"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-family:'Arial','sans-serif'">The thing with the OpenSSL version is that I have the same installation on another box with version </span>1.0.1e and I can connect over TLS with the same kind of PositiveSSL CA (but a different subdomain). The Heartbleed bug is known, but that shouldn't be the problem.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">It looks like something in FS is broken with the cipher list, which I cannot figure out, because the PositiveSSL CA works on the same box on a different port with Apache.<u></u><u></u></p>
<p class="MsoNormal">So Apache can manage the right cipher but FS does not. Why?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I read more about CentOS/RedHat, which is missing EC ciphers. I see that the gentls script also requires it (I got PositiveSSL to get around this self-signed option).<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I'll try anyway to upgrade openssl to the latest (<a href="http://www.openssl.org/source/openssl-1.0.1g.tar.gz" target="_blank">http://www.openssl.org/source/openssl-1.0.1g.tar.gz</a>) and see if it will resolve it – hopefully.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Assaf<u></u><u></u></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a> [mailto:<a href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a>] <b>On Behalf Of </b>Steven Ayre<br>
<b>Sent:</b> Tuesday, April 22, 2014 5:32 PM<br><b>To:</b> FreeSWITCH Users Help<br><b>Subject:</b> Re: [Freeswitch-users] SSL3_READ_BYTES:sslv3 alert handshake failure<u></u><u></u></span></p><div><div class="h5"><p class="MsoNormal">
<u></u> <u></u></p><div><p class="MsoNormal">Can't help you with what the issue would be (though I'd verify your date/time settings are correct)... but I would update your OpenSSL version since 1.0.1e is vulnerable to the heartbleed bug.<u></u><u></u></p>
</div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p><div><p class="MsoNormal">On 22 April 2014 13:46, Assaf Dahary <<a href="mailto:adahary@gmail.com" target="_blank">adahary@gmail.com</a>> wrote:<u></u><u></u></p>
<div><div><p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">Hi,</span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:'Arial','sans-serif'">I've successfully installed an FS server with TLS using PositiveSSL and it is working great.</span><u></u><u></u></p><p class="MsoNormal">
<span style="font-family:'Arial','sans-serif'"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:'Arial','sans-serif'">A few days ago I followed the same installation on another standalone machine with the same FS-1.2.22 and PositiveSSL CA, but this time I cannot connect over TLS.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:'Arial','sans-serif'"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:'Arial','sans-serif'">It seems that FS has no cipher to respond with and it fails on negotiation.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">The PositiveSSL is OK because I verified it locally with "openssl s_client" and from the internet using browser/https.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">My ssl/ pem files are made with (like I did with the first server - OK):</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">#cat mysite_com.crt myserver.key > agent.pem</span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">#cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > cafile.pem</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""># chown freeswitch.freeswitch *.pem</span><u></u><u></u></p><p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">#chmod 640 *.pem</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""> </span><u></u><u></u></p><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:12.0pt;font-family:"Arial","sans-serif"">When issuing "</span><span style="font-size:9.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm">$ sslscan <a href="http://myfs.com:5091" target="_blank">myfs.com:5091</a> | grep Accepted "</span><span style="font-size:12.0pt;font-family:"Arial","sans-serif""> </span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:12.0pt;font-family:'Arial','sans-serif'">I get not a single cipher; I get a long list of 'Rejected' ciphers.</span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:12.0pt;font-family:"Arial","sans-serif"">When I'm running the same command for my first server I get </span><span style="font-size:9.0pt;font-family:Consolas;color:#333333">a list of supported ciphers – which is OK.</span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> </span><u></u><u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">When </span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">[root@www ~]# openssl s_client -connect <a href="http://myfs.com:5091" target="_blank">myfs.com:5091</a></span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">CONNECTED(00000003)</span><u></u><u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline">
<u></u> <u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><u></u> <u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root</span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><u></u> <u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><u></u> <u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">verify return:1</span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2</span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">verify return:1</span><u></u><u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = <a href="http://myfs.com" target="_blank">myfs.com</a></span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">verify return:1</span><u></u><u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">140160541112136:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40</span><u></u><u></u></pre>
<div style="border:none;border-bottom:solid windowtext 1.0pt;padding:0cm 0cm 1.0pt 0cm"><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333">140160541112136:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:</span><u></u><u></u></pre>
</div><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#333333"> </span><u></u><u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas"> </span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas">I've already re-installed FS with clean config files.</span><u></u><u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline">
<u></u> <u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><u></u> <u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas"> </span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas">Centos 6.x 64, OpenSSL 1.0.1e-fips 11 Feb 2013.</span><u></u><u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline">
<span style="font-size:9.0pt;font-family:Consolas"> </span><u></u><u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-family:'Arial','sans-serif'">I would appreciate any help/tip on this TLS failure issue.</span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-family:"Arial","sans-serif""> </span><u></u><u></u></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-family:"Arial","sans-serif"">Regards</span><u></u><u></u></pre>
<pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-family:"Arial","sans-serif";color:#888888"> </span><span style="color:#888888"><u></u><u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline">
<span style="color:#888888"><u></u> <u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="color:#888888"><u></u> <u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline">
<span style="font-family:"Arial","sans-serif";color:#888888">Assaf</span><span style="color:#888888"><u></u><u></u></span></pre><pre style="background:#f3f3f3;vertical-align:baseline"><span style="font-size:9.0pt;font-family:Consolas;color:#888888"> </span><span style="color:#888888"><u></u><u></u></span></pre>
</div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_________________________________________________________________________<br>Professional FreeSWITCH Consulting Services:<br><a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br><br>FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br><a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>Official FreeSWITCH Sites<br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br><a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br><a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>FreeSWITCH-users mailing list<br><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><u></u><u></u></p>
</div><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div></div>
<br></blockquote></div><br></div>
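<p>Added example, not from the thread or from FreeSWITCH: a small Python decoder for the OpenSSL error lines quoted above. The hex code 14094410 unpacks as library 0x14 (SSL), function 0x094 and reason 0x410 = 1040, and OpenSSL reports a TLS alert received from the peer as reason 1000 + alert number, which is why the line ends with "SSL alert number 40" (handshake_failure in RFC 5246); run over the s_client transcript it separates what the local side verified (the chain, at every depth) from what the peer sent. The alert table is a subset I picked, and the sample transcript is the one from the thread.</p>

```python
import re

# OpenSSL 1.0.x packs an error code as 8-bit library | 12-bit function | 12-bit reason.
ERR_LIB_SSL = 20             # library number of the SSL library
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 mirror a TLS alert received from the peer
# TLS alert descriptions from RFC 5246 section 7.2 (a subset chosen for this example).
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired", 48: "unknown_ca"}
# thread:error:CODE:library:function:reason:file:line:extra
LINE_RE = re.compile(r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):(.*)$")

def parse_openssl_error(line):
    """Split one 'NNN:error:HHHHHHHH:...' line and unpack the hex code into its three fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an OpenSSL error line: {line!r}")
    code = int(m.group(2), 16)
    err = {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF,
           "reason_text": m.group(5), "file": m.group(6), "line": int(m.group(7)), "extra": m.group(8)}
    # A reason of 1000 + N in the SSL library means the peer sent TLS alert N.
    peer = err["reason"] - SSL_AD_REASON_OFFSET if err["lib"] == ERR_LIB_SSL else -1
    err["peer_alert"] = peer if peer >= 0 else None
    return err

def diagnose(transcript):
    """Summarise an s_client transcript: what our side verified versus what the peer sent."""
    depth, verified, failed, alerts = None, [], [], []
    for line in (l.strip() for l in transcript.splitlines()):
        if line.startswith("depth="):                   # verify callback for one chain element
            depth = int(line[6:].split(maxsplit=1)[0])
        elif line.startswith("verify return:"):         # 1 = our side accepted that certificate
            (verified if line.endswith(":1") else failed).append(depth)
        elif ":error:" in line:
            alert = parse_openssl_error(line)["peer_alert"]
            if alert is not None:
                alerts.append((alert, TLS_ALERTS.get(alert, "unknown")))
    return {"chain_verified_locally": bool(verified) and not failed,
            "verified_depths": verified, "peer_alerts": alerts}

# The s_client transcript quoted in the thread, with the prompt and blank lines removed.
SAMPLE = """CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = myfs.com
verify return:1
140160541112136:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
140160541112136:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:"""

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```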