Apache/OpenSSL1.1 sending Fatal, Description: Handshake Failure' packet to WebDAV client


Todd Blum
Hello,

I have an Apache 2.4.27/OpenSSL1.1.0f server running with mod_dav enabled.  

One of my WebDAV clients can't connect to it, but all other WebDAV clients (WinSCP, etc.) are connecting OK.

Apache sends a 'Handshake Failure' immediately:

No.     Time                    Source                Destination           Length Protocol Src Prt Dst Prt Info
      4 2017-07-24 22:38:38.516 xxx.xxx.xxx.xx        yyy.yyy.yyy.yy        180    SSLv2    52883   443     Client Hello
      5 2017-07-24 22:38:38.516 yyy.yyy.yyy.yy        xxx.xxx.xxx.xx        84     TCP      443     52883   443→52883 [ACK] Seq=1 Ack=49 Win=525568 Len=0
      6 2017-07-24 22:38:38.525 yyy.yyy.yyy.yy        xxx.xxx.xxx.xx        98     SSLv3    443     52883   Alert (Level: Fatal, Description: Handshake Failure)

The client's 'Client Hello' packet is as follows:

No.     Time                    Source                Destination           Length Protocol Src Prt Dst Prt Info
      4 2017-07-25 14:58:26.128 xxx.xxx.xxx.xx        xxx.xxx.xxx.xx        180    SSLv2    62572   443     Client Hello

Frame 4: 180 bytes on wire (1440 bits), 92 bytes captured (736 bits) on interface 0
Null/Loopback
Internet Protocol Version 4, Src: xxx.xxx.xxx.xx (xxx.xxx.xxx.xx), Dst: xxx.xxx.xxx.xx (xxx.xxx.xxx.xx)
Transmission Control Protocol, Src Port: 62572 (62572), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 48
Secure Sockets Layer
    SSLv2 Record Layer: Client Hello
        [Version: SSL 2.0 (0x0002)]
        Length: 46
        Handshake Message Type: Client Hello (1)
        Version: SSL 3.0 (0x0300)
        Cipher Spec Length: 21
        Session ID Length: 0
        Challenge Length: 16
        Cipher Specs (7 specs)
            Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
            Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
            Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
            Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
            Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
            Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
            Cipher Spec: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x0000ff)
        Challenge

Has anyone else had anything like this?

Todd

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Apache/OpenSSL1.1 sending Fatal, Description: Handshake Failure' packet to WebDAV client

OpenSSL - User mailing list
On 07/27/2017 02:49 PM, Todd Blum wrote:
>     SSLv2 Record Layer: Client Hello

SSLv2-compatible ClientHello is pretty old and probably unneeded

>         [Version: SSL 2.0 (0x0002)]
>         Length: 46
>         Handshake Message Type: Client Hello (1)
>         Version: SSL 3.0 (0x0300)
>         Cipher Spec Length: 21
>         Session ID Length: 0
>         Challenge Length: 16
>         Cipher Specs (7 specs)
>             Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
>             Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
>             Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
>             Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
>             Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
>             Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
>             Cipher Spec: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x0000ff)
>         Challenge

All of those are pretty bad ciphers; can you update the client to use better ones?

Otherwise you might have to do something like include @SECLEVEL=0 in the cipher spec on the server to enable the weak ciphers.

-Ben
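
The ClientHello quoted in this thread can be decoded by hand to see exactly what the client offers. The following is an added example, not part of either post: it parses an SSLv2-compatible ClientHello and labels each 3-byte cipher spec. The sample bytes are constructed from the fields in the capture, with zeros standing in for the 16 challenge bytes the page does not show; the function names are hypothetical.

```python
import struct

# Cipher-spec names exactly as Wireshark printed them in the capture above.
NAMES = {
    0x00000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x000013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x000005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000004: "TLS_RSA_WITH_RC4_128_MD5",
    0x010080: "SSL2_RC4_128_WITH_MD5",
    0x0700C0: "SSL2_DES_192_EDE3_CBC_WITH_MD5",
    0x0000FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def parse_v2_client_hello(data: bytes) -> dict:
    """Parse an SSLv2-compatible ClientHello (2-byte record header form)."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if rec_len < 9 or len(body) != rec_len:
        raise ValueError("truncated record")
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack_from(">BBBHHH", body)
    if msg_type != 1:
        raise ValueError("not a ClientHello")
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != rec_len:
        raise ValueError("inconsistent length fields")
    specs = [int.from_bytes(body[9 + i:12 + i], "big") for i in range(0, cs_len, 3)]
    return {"version": (major, minor), "specs": specs, "challenge_len": ch_len}

def classify(spec: int) -> str:
    """Label a 3-byte cipher spec by what a server operator cares about."""
    if spec >> 16:                       # non-zero first byte: SSLv2-only cipher kind
        return "sslv2-only"
    name = NAMES.get(spec, "")
    if name.endswith("_SCSV"):           # signalling value, not a real cipher
        return "signalling"
    return "weak" if ("RC4" in name or "3DES" in name) else "other"

# Constructed input: header fields and cipher specs taken from the capture above;
# the challenge bytes are not shown on the page, so 16 zero bytes stand in.
SAMPLE = (bytes.fromhex("80 2e 01 03 00 00 15 00 00 00 10")
          + bytes.fromhex("00000a 000013 000005 000004 010080 0700c0 0000ff")
          + bytes(16))

if __name__ == "__main__":
    hello = parse_v2_client_hello(SAMPLE)
    print("client version field: %d.%d" % hello["version"])
    for spec in hello["specs"]:
        print("0x%06x %-36s %s" % (spec, NAMES.get(spec, "?"), classify(spec)))
```

Every real cipher in the list comes out as either RC4/3DES or SSLv2-only, and the version field is SSL 3.0, which matches the reply's reading of the capture.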
