[Freeswitch-users] SSL3_READ_BYTES:sslv3 alert handshake failure

Steven Ayre steveayre at gmail.com
Tue Apr 22 21:02:40 MSD 2014


I wasn't suggesting the version was the issue, just warning you that you're
on an old version. Date/time was in case the certificate was expired / not
valid yet - I've seen that before on an embedded system where connections
would fail before NTP set the correct time. OpenSSL error messages aren't
always user friendly...


On 22 April 2014 16:11, Assaf Dahary <adahary at gmail.com> wrote:

> The date/time is OK (1 year from now).
>
>
>
> The thing with openssl version is that I have the same installation with
> another box with version 1.0.1e and I can connect over TLS with same kind
> of PositiveSSL CA (but different sub domain). The Heartbleed bug is known
> but that shouldn't be the problem.
>
>
>
> It looks like something with the FS is broken with the cipher list which I
> cannot figure out, because the PositiveSSL CA works on the same box on a
> different port with apache.
>
> So the apache can manage the right cipher but the FS does not. Why?
>
>
>
> I read more about Centos/RedHat which is missing EC ciphers. I see that
> also the gentls script requires it (I got PositiveSSL to get around this
> self-signed option).
>
>
>
> I'll try anyway to upgrade openssl to the latest (
> http://www.openssl.org/source/openssl-1.0.1g.tar.gz) and see if it will
> resolve it – hopefully.
>
>
>
> Assaf
>
>
>
>
>
>
>
> *From:* freeswitch-users-bounces at lists.freeswitch.org [mailto:
> freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of *Steven Ayre
> *Sent:* Tuesday, April 22, 2014 5:32 PM
> *To:* FreeSWITCH Users Help
> *Subject:* Re: [Freeswitch-users] SSL3_READ_BYTES:sslv3 alert handshake
> failure
>
>
>
> Can't help you with what the issue would be (though I'd verify your
> date/time settings are correct)... but I would update your OpenSSL version
> since 1.0.1e is vulnerable to the heartbleed bug.
>
>
>
> On 22 April 2014 13:46, Assaf Dahary <adahary at gmail.com> wrote:
>
> Hi,
>
>
>
> I've successfully installed a FS server with TLS using PositiveSSL and it
> is working great.
>
>
>
> A few days ago I followed the same installation on another standalone
> machine with the same FS-1.2.22 and PositiveSSL CA but this time I cannot
> connect over TLS.
>
>
>
> It seems that FS has no cipher to respond with and it fails on
> negotiation.
>
>
>
> The PositiveSSL is OK because I verified it locally with "openssl
> s_client" and from the internet using browser/https.
>
>
>
> My ssl/ pem files are made with (like I did with the first server, which is OK):
>
> # cat mysite_com.crt myserver.key > agent.pem
> # cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > cafile.pem
> # chown freeswitch.freeswitch *.pem
> # chmod 640 *.pem
>
>
>
> When issuing "$ sslscan myfs.com:5091 | grep Accepted "
>
> I get not a single cipher. I get a long list of 'Rejected' ciphers.
>
> When I'm running the same command for my first server I get a list of supported ciphers, which is OK.
>
>
>
> When running
>
> [root at www ~]# openssl s_client -connect myfs.com:5091
> CONNECTED(00000003)
> depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
> verify return:1
> depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
> verify return:1
> depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = myfs.com
> verify return:1
> 140160541112136:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
> 140160541112136:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
>
>
>
>
>
> I've already re-installed FS with clean config files.
>
> Centos 6.x 64, OpenSSL 1.0.1e-fips 11 Feb 2013.
>
> I would appreciate any help/tip on this TLS fail issue.
>
>
>
> Regards
>
>
>
>
>
>
>
> Assaf
>
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
>
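An added example, not code from the thread or from FreeSWITCH, that packages the checks discussed above as a small POSIX shell script: whether the key concatenated into agent.pem actually belongs to the certificate in it, whether that certificate chains to cafile.pem and is valid at the box's local clock (the date/time point raised in the replies), and a plain-openssl stand-in for the "sslscan myfs.com:5091 | grep Accepted" probe so that a single named cipher can be tried against the port. The file names and myfs.com:5091 come from the post; the script name tls_check.sh is an assumption, and only the openssl command line tool is required.

```shell
#!/bin/sh
# Added example for this thread; not code from FreeSWITCH or from the thread.
# Local checks on the PEM files FreeSWITCH is given (agent.pem = server cert +
# key, cafile.pem = CA chain), plus an openssl-only stand-in for
# "sslscan host:port | grep Accepted". Assumes only the openssl CLI on PATH.
# File and host names are the ones used in the thread, not FreeSWITCH defaults.

# Return 0 when the private key in a combined PEM belongs to the certificate
# in the same file. Compares the SubjectPublicKeyInfo derived from each side,
# which works for RSA and EC keys alike (a modulus comparison is RSA-only).
pem_key_matches_cert() {
    pem="$1"
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the server certificate (first cert in $1) chains to the CAs in
# $2 and is inside its validity window at the local clock. A box whose clock
# is wrong (the NTP case mentioned above) fails here with "certificate is not
# yet valid" or "certificate has expired" rather than with a cipher error.
cert_chain_valid_now() {
    openssl x509 -in "$1" 2>/dev/null | openssl verify -CAfile "$2" >/dev/null 2>&1
}

# Try every cipher this OpenSSL build knows, one handshake each, and print the
# names the server accepts (what sslscan reports as "Accepted"). Calling
# s_client with -cipher and one name tests a single suite the same way.
probe_accepted_ciphers() {
    hostport="$1"
    for c in $(openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' ' '); do
        # On success s_client prints "Cipher is <name>"; on failure "Cipher is (NONE)".
        if openssl s_client -connect "$hostport" -cipher "$c" </dev/null 2>/dev/null \
            | grep -q 'Cipher is [^(]'; then
            echo "Accepted $c"
        fi
    done
}

# Run the two local checks, e.g. on the FreeSWITCH box:
#   sh tls_check.sh /path/to/agent.pem /path/to/cafile.pem
check_local_material() {
    agent="$1"; cafile="$2"; rc=0
    if pem_key_matches_cert "$agent"; then
        echo "ok   private key in $agent matches its certificate"
    else
        echo "FAIL private key in $agent does not belong to its certificate"; rc=1
    fi
    if cert_chain_valid_now "$agent" "$cafile"; then
        echo "ok   $agent chains to $cafile and is valid at $(date -u)"
    else
        echo "FAIL chain/validity: $(openssl x509 -in "$agent" 2>/dev/null | openssl verify -CAfile "$cafile" 2>&1 | tail -n 1)"; rc=1
    fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    check_local_material "$1" "$2"
fi
```

The s_client output in the post (verify return:1 at all three depths) already shows the CA side is accepted by the client; these checks cover what s_client cannot see from outside, the server's key side and its view of the time, before the cipher list is changed. probe_accepted_ciphers myfs.com:5091 reproduces the sslscan result with one handshake per cipher, and running it against the working first server and the failing one side by side shows exactly which suites differ.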