OpenSSL handshake failure

centos5 openssl linux

10,861

The incompatibility that you ran into is this:

The version of OpenSSL on RHEL5 (and its derivatives) doesn't advertise support for TLS at all. It only does SSLv3 and SSLv2.

The version of OpenSSL on RHEL6 (and its derivatives) supports TLS all the way up to TLSv1.2. It also does SSLv3, but it wants to negotiate TLS.

They should still be able to negotiate a session, as there is a (small) list of common ciphers to both of them, but depending on what you have selected for cipher settings on the server (e.g. to mitigate BEAST, eliminate low-security ciphers, etc.) there may not be any common ciphers that the client and server can use to communicate.

The cipher suites for the server would be set in <Connector ciphers= in your Tomcat server.xml or in Apache's SSLCipherSuite if you have it sitting behind Apache. The client would use whatever it was configured to use, or DEFAULT otherwise.

The resolution is to check the cipher suites on the server, e.g. with openssl ciphers -v STRING where STRING is whatever you configured on the server, and repeating the same on the client, and then adjusting one or both until a cipher suite is available that both will negotiate.

10,861

Matt Bear

Data Security Specialist/Network Administrator I am relativly inexpierenced, and got thrown into a network admin role. Basically, "We cant afford a admin, so you do it." It's an awesome opportunity, but I have to teach myself how to do it, and I've learned more in the last couple months then I thought possible. (AD deployment, ADFS, SSO, Cisco, DNS, linux, VPN, next is Direct Access deployment, CCNA and CISSP). So if its not possible, or is somthing that I should know. I am learning, so dont rip into me too bad. I'm trying to follow best practices, and am completly open to advice, information, and I wont get mad when I get a slap upside the head and am told "DONT DO THAT!!!"

Updated on September 18, 2022

Comments

Matt Bear almost 2 years
We were recently forced to migrate our production cloud servers from GoDaddy to Azure because GoDaddy is ending thier cloud server service.

One of our servers was a CentOS 5.7 running a JasperReports Bitnami stack. During the migration process I upgrade all servers to the most recent distribution, and rebuilt Jasper from the Azure Bitnami Jasper image on Ubuntu 12.04LTS

A have the SSL Certificate installed on the JasperServer and working correctly

All the new servers are performing beautifully, now heres where the problem comes in.

We also have a dedicated CentOS 5.8 virtual server on GoDaddy which is staying there(for now), there are a collection of sites on said server which serve up reports from Jasper via Soap.

However it is getting handshake failures when attempting to connect
```
#openssl s_client -connect newjasperserver.com:443
CONNECTED(00000003)
9092:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
```
and:
```
#openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
```
the new server is running:
```
#openssl version
OpenSSL 1.0.1c 10 May 2012
```
Now after a lot of research, it appears that there is an incompatibility between OpenSSL < 0.9.8k and OpenSSL 1.0.1.

The options I've identified are:
1. Migrate the server to a CentOS 6.4 server on Azure (Ideal, but politically difficult, dont ask why)
2. Upgrade the server in-place(Unsupported, and I don't want to try it on a production server)
3. Wipe the server and rebuild it with 6.4(possibility, though if I do that, I will force option 1)
4. Remove OpenSSL from the server and install a newer version (once again, something I'm not comfortable with on a production server)
5. Install a second instance of OpenSSL (my #2 option, but I'm unsure how to proceed)
6. Install an alternative to OpenSSL (havent even begun to look into this)
7. Disable enforced encryption on the Jasper Server and allow connection via http (this is looking like my best temporary fix until I can force that server to be migrated to Azure)
Are there any options I have missed? Is there a way on the Jasper side to allow connections from the older OpenSSL?
- Admin about 11 years
  
  Have you tried to enable SSLv2 on the jasper server to see if that will help?
- Admin about 11 years
  
  Yes, I have tried, its using SSLv3
- Admin about 11 years
  
  My final solution was to build a new fully updated Ubuntu server on azure and migrating the rest of the sites over.
Matt Bear over 10 years

makes sense, if I remember correctly I was actually heading down that path. We ended up migrating and updating the server though so I will never know if this would of fixed it.