Hi,

I tried both ssl3 and tls1 for s_client and both failed. Depending on what SSLMethod I use in caldavd.plist, s_client will return "alert handshake failure:s3_pkt.c:1256:SSL alert number 40" when used with a flag lower than or equal to the server's setting, and if used with something higher (i.e. tls1_2), I receive "SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:". I usually get these errors when no certificate is available, but the certificates are fully accessible (they are being used fine by postfix and dovecot) and caldavd has access. It would be useful if the logs showed something, but unfortunately both the access and error logs for caldavd are showing nothing.



------ Original Message ------
From: "Andre LaBranche" <d...@apple.com>
To: m...@ainc.be
Cc: "calendarserver-users@lists.macosforge.org list" <calendarserver-users@lists.macosforge.org>
Sent: 10/03/2014 7:03:15 PM
Subject: Re: [CalendarServer-users] SSL Ciphers


On Mar 10, 2014, at 2:30 PM, m...@ainc.be wrote:

Thank you for the reply. I also tried with different -cipher flags but no joy. Here is the output:

 CONNECTED(00000003)
140316387088016:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:

Hi,

List cc re-added.

I don't immediately know the problem here, but it could be an SSL / TLS version mismatch. Some suggestions:

1) Try adding -ssl3 or -tls1 after s_client in the openssl command.
2) Try the various options for SSLMethod in caldavd.plist. Possible values are: SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD. In general, TLS > SSL3 > SSL2 in terms of safety. Backwards compatibility is the typical constraint.
3) In firefox, hit about:config, void your warranty, search for security.ssl, and then verify that there is at least one point of intersection between the enabled ciphers and the output of "openssl ciphers ALL" (or whatever you've got configured in SSLCiphers - see "man ciphers" for more on the cipher groups and how they are defined). In looking at the about:config stuff for the current version of Firefox, I'm only seeing references to ssl3, so my guess is that it requires the server to allow ssl3 (which it totally should).
4) Enjoy a tasty beverage. Nobody really enjoys debugging SSL issues... :)

-dre

_______________________________________________
calendarserver-users mailing list
calendarserver-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/calendarserver-users
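
The s_client error strings quoted in this thread can be decoded mechanically. The following is an added example, not code from the thread or from CalendarServer: it parses an OpenSSL 1.x error-queue line, recovers the TLS alert number from the packed hex code, and separates alerts sent by the server from errors raised locally by the client. The function names, the alert-name subset and the "check" hints are assumptions made for illustration.

```python
import re

# TLS alert descriptions from RFC 5246 section 7.2 (handshake-related subset).
TLS_ALERTS = {10: "unexpected_message", 40: "handshake_failure",
              42: "bad_certificate", 47: "illegal_parameter", 48: "unknown_ca",
              70: "protocol_version", 71: "insufficient_security"}
ALERT_REASON_OFFSET = 1000  # OpenSSL SSL_AD_REASON_OFFSET: reason = 1000 + alert

# pid:error:<hex code>:<library>:<function>:<reason text>:<file>:<line>:
QUEUE_LINE = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:]+):([^:]+):(\d+):")
ALERT_TEXT = re.compile(r"SSL alert number (\d+)")

def unpack(code):
    """Split a packed OpenSSL 1.x error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(line):
    """Classify one s_client error line or fragment (hints are illustrative)."""
    alert = None
    m = QUEUE_LINE.search(line)
    if m:
        _, _, reason = unpack(int(m.group(1), 16))
        if reason >= ALERT_REASON_OFFSET:      # the peer sent a TLS alert
            alert = reason - ALERT_REASON_OFFSET
    m = ALERT_TEXT.search(line)
    if alert is None and m:                    # fragment without the hex code
        alert = int(m.group(1))
    if alert is not None:
        return {"kind": "alert_from_peer", "alert": alert,
                "name": TLS_ALERTS.get(alert, "unknown"),
                "check": "protocol version and cipher overlap "
                         "(SSLMethod, SSLCiphers)"}
    if "wrong version number" in line:
        return {"kind": "local_record_error", "alert": None, "name": None,
                "check": "record version in the server's answer versus "
                         "the version flag forced on s_client"}
    return {"kind": "unrecognised", "alert": None, "name": None, "check": None}

# Error strings quoted in the thread; the last two are fragments, as posted.
SAMPLES = [
    "140316387088016:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
    "sslv3 alert handshake failure:s23_clnt.c:741:",
    "alert handshake failure:s3_pkt.c:1256:SSL alert number 40",
    "SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

An "alert_from_peer" result means the server rejected the handshake itself, so the place to look is the server's protocol and cipher configuration rather than the client's certificate handling.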
