handshake failure(40) and TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Submitted by 南楼画角 on 2019-12-12 09:49:27

Question


A client installed on jBOSS is trying to access a secured website configured on a DataPower xi50v6.0.0.2 appliance. The connection is failing at the SSL handshake.

I have taken a packet capture at DataPower and observed that the SSL handshake is failing with the description: Handshake failure(40).

However, at the Client Hello step, I have observed that only one cipher suite is specified, which is: TLS_EMPTY_RENEGOTIATION_INFO_SCSV. The TLS protocol used (as per the packet capture) is TLS1.1. Can this cipher suite be a problem? In the DataPower system logs I can see the error below: Request processing failed: Connection terminated before request headers read because of the connection error occurs

Update: The client application is running on jBOSS7. I have asked our jBOSS administrator to check the configuration at the jBOSS end. I somehow got access to the server where the jBOSS instance is installed and checked domain.xml, where the SSL is configured. Where exactly in domain.xml can the configuration related to cipher suites be found?


Answer 1:


I have observed that only one cipher suite is specified, which is: TLS_EMPTY_RENEGOTIATION_INFO_SCSV

This is not a real cipher. If no other ciphers are specified, then the client does not offer any ciphers at all, which means that no shared ciphers can be found and thus the handshake will fail. It looks like the client is buggy. The reason might be a failed attempt to fight the POODLE attack by disabling all SSL 3.0 ciphers, which in effect disables all ciphers for TLS 1.0 and TLS 1.1.
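
To check a capture for the condition described in this answer, the following added example (not part of the original answer, and not DataPower or JBoss tooling) parses the raw bytes of a ClientHello record and separates real cipher suites from signalling values such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV. The function names and the sample bytes are constructed for illustration, and the parser assumes the whole ClientHello sits in a single TLS record.

```python
import struct

# Signalling cipher suite values (SCSVs) are markers, not negotiable ciphers.
SCSV = {0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # RFC 5746
        0x5600: "TLS_FALLBACK_SCSV"}                  # RFC 7507
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def client_hello_suites(record: bytes):
    """Return (client_version, [suite ids]) from one TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated or fragmented ClientHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                  # client_version + random
    pos += 1 + hello[pos]         # session_id length byte + session_id
    if pos + 2 > hs_len:
        raise ValueError("truncated before cipher_suites")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    raw = hello[pos + 2:pos + 2 + cs_len]
    if cs_len % 2 or len(raw) != cs_len:
        raise ValueError("malformed cipher_suites vector")
    return version, [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]

def diagnose(record: bytes) -> dict:
    """Split the offered suites into real ciphers and SCSV markers."""
    version, suites = client_hello_suites(record)
    real = [s for s in suites if s not in SCSV]
    return {"version": VERSIONS.get(version, hex(version)),
            "real_suites": real,
            "signalling": [SCSV[s] for s in suites if s in SCSV],
            "negotiable": bool(real)}  # False: the server has nothing to pick from

def sample_hello(suites, version=0x0302) -> bytes:
    """Constructed sample: minimal ClientHello without extensions (TLS 1.1 by default)."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs

if __name__ == "__main__":
    print(diagnose(sample_hello([0x00FF])))          # the case in the question
    print(diagnose(sample_hello([0x002F, 0x00FF])))  # 0x002F = TLS_RSA_WITH_AES_128_CBC_SHA
```

A result with `negotiable` set to False and only SCSV names under `signalling` matches the capture in the question: the server has no cipher to select and answers with handshake failure(40).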



Source: https://stackoverflow.com/questions/26867096/handshake-failure40-and-tls-empty-renegotiation-info-scsv
