<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Arial","sans-serif";
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The date/time is OK (1 year from now).<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The thing with openssl version is that I have the same installation with another box with version </span>1.0.1e and I can connect over TLS with same kind of PositiveSSL CA (but different sub domain). The Heartbleed bug is known but that shouldn't be the problem.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It looks like something with the FS is broken with the cipher list which I cannot figure out, because the PossitveSSL CA works on the same box on different port with apache.<o:p></o:p></p><p class=MsoNormal>Sp the apache can mange the right cipher but the FS does not. Why?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I read more about Centos/RedHat which is missing EC ciphers. I see that also the gentls script requires it (I got PossitiveSSL to get around this self-signed option). <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I'll try anyway to upgrade openssl to the latest (<a href="http://www.openssl.org/source/openssl-1.0.1g.tar.gz">http://www.openssl.org/source/openssl-1.0.1g.tar.gz</a>) and see if it will resolve it – hopefully.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Assaf<o:p></o:p></p><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> freeswitch-users-bounces@lists.freeswitch.org [mailto:freeswitch-users-bounces@lists.freeswitch.org] <b>On Behalf Of </b>Steven Ayre<br><b>Sent:</b> Tuesday, April 22, 2014 5:32 PM<br><b>To:</b> FreeSWITCH Users Help<br><b>Subject:</b> Re: [Freeswitch-users] SSL3_READ_BYTES:sslv3 alert handshake failure<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Can't help you with what the issue would be (though I'd verify your date/time settings are correct)... but I would update your OpenSSL version since 1.0.1e is vulnerable to the heartbleed bug.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On 22 April 2014 13:46, Assaf Dahary <<a href="mailto:adahary@gmail.com" target="_blank">adahary@gmail.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'>Hi,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'>I've successfully installed a FS server with TLS using PsitiveSSL and it is working great.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'>Few days ago I've followed the same installation on another standalone machine with the same FS-1.2.22 and PsitivieSSL CA but this time I cannot connect over TLS. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'>It seems that FS has no cipher to response with and it fails on negotiations.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'>The PositiveSSL is OK because I verified it locally with "openssl s_client" and from the internet using browser/https.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'>My ssl/ pem files are made with (like I did with the first server - OK):</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'>#cat mysite_com.crt myserver.key > agent.pem</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'>#cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > cafile.pem</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'># chown freeswitch.freeswitch *.pem</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'>#chmod 640 *.pem</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></p><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>When issuing "</span><span style='font-size:9.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm'>$ sslscan <a href="http://myfs.com:5091" target="_blank">myfs.com:5091</a> | grep Accepted "</span><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'> </span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>I get no single cipher. I get long list of 'Rejected' ciphers.</span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>When I'm running the same command for my first server I get </span><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>a list of supported ciphers – which is OK.</span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'> </span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>When </span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>[root@www ~]# openssl s_client -connect <a href="http://myfs.com:5091" target="_blank">myfs.com:5091</a></span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>CONNECTED(00000003)</span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><o:p> </o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><o:p> </o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root</span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><o:p> </o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><o:p> </o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>verify return:1</span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2</span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>verify return:1</span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = <a href="http://myfs.com" target="_blank">myfs.com</a></span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>verify return:1</span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>140160541112136:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40</span><o:p></o:p></pre><div style='border:none;border-bottom:solid windowtext 1.0pt;padding:0cm 0cm 1.0pt 0cm'><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'>140160541112136:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:</span><o:p></o:p></pre></div><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#333333'> </span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas'> </span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas'>I've already re-installed FS with clean config files.</span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><o:p> </o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><o:p> </o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas'> </span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas'>Centos 6.x 64, OpenSSL 1.0.1e-fips 11 Feb 2013.</span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas'> </span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-family:"Arial","sans-serif"'>I would appreciate any help/tip on this TLS fail issue.</span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-family:"Arial","sans-serif"'> </span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-family:"Arial","sans-serif"'>Regards</span><o:p></o:p></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-family:"Arial","sans-serif";color:#888888'> </span><span style='color:#888888'><o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='color:#888888'><o:p> </o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='color:#888888'><o:p> </o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-family:"Arial","sans-serif";color:#888888'>Assaf</span><span style='color:#888888'><o:p></o:p></span></pre><pre style='background:#F3F3F3;vertical-align:baseline'><span style='font-size:9.0pt;font-family:Consolas;color:#888888'> </span><span style='color:#888888'><o:p></o:p></span></pre></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_________________________________________________________________________<br>Professional FreeSWITCH Consulting Services:<br><a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br><a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br><br>FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br><a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br><br>Official FreeSWITCH Sites<br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br><a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br><a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br><br>FreeSWITCH-users mailing list<br><a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>