Re: [twsocket] SSL handshake failed at mozilla.org
> Did you try the sample application?

I took a quick look at the code to figure out SslHandshakeRespMsg.

> It shows how to restrict which SSL/TLS versions are used, and how errors are reported. There were a lot of SSL changes over the last six months to support the latest protocols.

When I connect to my own server, it works with this:

SSL Connected OK with TLSv1.2, cipher DHE-RSA-AES256-GCM-SHA384, key exchange DH, encryption AESGCM(256), message authentication AEAD

So I would assume it's using TLSv1.2, so why won't it connect with that for https://developer.mozilla.org/en-US/docs/Web/HTML/Element/address? Perhaps I need to disable SSLv3 for that site? I am not an SSL expert but I wonder why it can't connect using TLSv1.2 even if SSLv3 is also enabled. I'm curious... perhaps I should now disable SSLv3 by default? I'll have a look at the sample app and hope it will answer some of my questions.

Just found this: http://www.theregister.co.uk/2015/06/26/that_shot_you_heard_sslv3_is_now_dead/

It says: Pragmatically, clients MUST NOT send a ClientHello with ClientHello.client_version set to {03,00}. Similarly, servers MUST NOT send a ServerHello with ServerHello.server_version set to {03,00}. Any party receiving a Hello message with the protocol version set to {03,00} MUST respond with a protocol_version alert message and close the connection.

So maybe that server is set to dump/close my request.

Thanks!
Albert

--
To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] SSL handshake failed at mozilla.org
Angus,

> Did you try the sample application? It shows how to restrict which SSL/TLS versions are used, and how errors are reported. There were a lot of SSL changes over the last six months to support the latest protocols.

This seems to have fixed the problem:

SslContext.SslOptions := SslContext.SslOptions + [sslOpt_NO_SSLv2, sslOpt_NO_SSLv3];

I suppose I will just leave it and hope it doesn't cause any issues for my customers. If it does then I can add an option to re-enable those obsolete protocols unless someone suggests otherwise? If this isn't a good idea then please let me know. :)

Again, thanks for the help!

--
Albert Wiersch
AI Internet Solutions LLC
supp...@htmlvalidator.com
https://www.htmlvalidator.com/
Re: [twsocket] SSL handshake failed at mozilla.org
> This seems to have fixed the problem:
>
> SslContext.SslOptions := SslContext.SslOptions + [sslOpt_NO_SSLv2, sslOpt_NO_SSLv3];
>
> I suppose I will just leave it and hope it doesn't cause any issues for my customers.

Most SSL web servers will have disabled SSLv3 to stop the Poodle and Beast exploits, some may disable TLSv1 to stop Beast but this breaks too many older browsers as well.

I've just disabled DH ciphers on my Windows 2012 IIS8.5 server to mitigate a DH key exploit caused by Microsoft having the same hardcoded 1024 bit DHParams key on every single server, instead of generating a new key for each server. The ECDHE ciphers are better than DH and DHE alone, and are still supported.

This is not a problem with OpenSSL because we can generate and specify our own DHParams keys and even if you use the files bundled with ICS, there are too few users to make it a security risk. We only added DH and ECDH support in V8.15, and there was an ECDH fix in V8.17.

Angus
Re: [twsocket] SSL handshake failed at mozilla.org
>> Seems to work here with the OverbyteIcsHttpsTst sample, connects with:
>
> Hmm... Strange. I'll have to make sure I'm using the right version. How do I try connecting with TLSv1.2?

Did you try the sample application? It shows how to restrict which SSL/TLS versions are used, and how errors are reported. There were a lot of SSL changes over the last six months to support the latest protocols.

Angus
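The thread turns on two settings: which protocol versions each side will accept (the SslOptions fix and Angus's remark about the sample application) and which key-exchange suites a server offers (his note on preferring ECDHE over DH). The Go program below is an added example written for this thread, not ICS or OpenSSL code. It runs a loopback TLS server with a configurable minimum version and ECDHE-only TLS 1.2 suites, then connects a client capped at a configurable maximum version; when the ranges do not overlap the server answers the ClientHello with the protocol_version alert quoted from the RFC above, and that alert is what the client reports as its handshake error. The throwaway certificate, the loopback address and the TryHandshake/Result names are constructed for the example. Go's TLS stack has no finite-field DHE suites at all, so the shared-DH-parameter problem from the thread cannot arise in it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result is what the client side saw after one handshake attempt.
type Result struct {
	Version     string // "TLSv1.2" or "TLSv1.3"; empty when the handshake failed
	CipherSuite string // IANA name of the negotiated suite; empty on failure
	Err         error  // client-side handshake error; nil on success
}

var versionName = map[uint16]string{tls.VersionTLS12: "TLSv1.2", tls.VersionTLS13: "TLSv1.3"}

// selfSignedCert builds a throwaway ECDSA certificate for 127.0.0.1 so the
// demo runs offline (constructed for this example only).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "loopback demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// TryHandshake starts a loopback server that accepts nothing below serverMin
// (ECDHE suites only for TLS 1.2) and connects a client offering at most
// clientMax. With no shared version the server sends a protocol_version alert,
// which the client sees as Err.
func TryHandshake(serverMin, clientMax uint16) Result {
	cert, err := selfSignedCert()
	if err != nil {
		return Result{Err: err}
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf) // the client trusts only this one certificate
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   serverMin,
		// Ephemeral ECDHE only; TLS 1.3 ignores this list and is always forward secret.
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return Result{Err: err}
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake() // server-side error mirrors the client's; only the client side is reported
	}()
	clientCfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12, MaxVersion: clientMax}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return Result{Err: err}
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return Result{Version: versionName[st.Version], CipherSuite: tls.CipherSuiteName(st.CipherSuite)}
}

func main() {
	for _, c := range [][2]uint16{{tls.VersionTLS12, tls.VersionTLS12}, {tls.VersionTLS13, tls.VersionTLS12}, {tls.VersionTLS13, tls.VersionTLS13}} {
		r := TryHandshake(c[0], c[1])
		if r.Err != nil {
			fmt.Printf("server>=%s client<=%s: SSL handshake failed: %v\n", versionName[c[0]], versionName[c[1]], r.Err)
			continue
		}
		fmt.Printf("server>=%s client<=%s: SSL Connected OK with %s, cipher %s\n", versionName[c[0]], versionName[c[1]], r.Version, r.CipherSuite)
	}
}
```

`go run` prints one line per case. The middle case is the symptom in the subject line seen from the other side: the server's floor is above the client's ceiling, so the client never gets past the ClientHello and the only diagnostic is the alert it is sent. Disabling SSLv2/SSLv3 on the client, as in the SslOptions fix above, removes the offer the server objected to rather than changing what the server accepts.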