MaxGutberletRM
Explorer

Trouble with the Macs after hardening ciphers/TLS/SSL


Hello community,

As part of PCI certification we have lately hardened our FW and removed a couple of legacy things, including e.g. support for SSLv3.

Now I have a couple of Macs that can no longer connect to the VPN; track.log looks like this:

[ 688 0x201c99e00][31 Aug 16:16:38][talkssl] talkssl::client_handler: start ssl negotaition
[ 688 0x201c99e00][31 Aug 16:16:38][talkssl] talkssl::client_handler: start openSSL negotaition
[ 688 0x201c99e00][31 Aug 16:16:38][] ckpSSL_PrepareConnection: verify mode: 0
[ 688 0x201c99e00][31 Aug 16:16:38][] My SSL Ciphers:
[ 688 0x201c99e00][31 Aug 16:16:38][] Cipher List:
[ 688 0x201c99e00][31 Aug 16:16:38][] 0: AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
[ 688 0x201c99e00][31 Aug 16:16:38][] 1: AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
[ 688 0x201c99e00][31 Aug 16:16:38][] 2: RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
[ 688 0x201c99e00][31 Aug 16:16:38][talkssl] talkssl::client_handler: Returning OK!!!
[ 688 0x201c99e00][31 Aug 16:16:38][proxy_wrapper] ProxyWrapper::CloseProxyConn: Starting ...
[ 688 0x201c99e00][31 Aug 16:16:38][proxy_wrapper] ProxyWrapper::CancelConnect: Starting ...
[ 688 0x201c99e00][31 Aug 16:16:38][proxy_wrapper] ProxyWrapper::CancelConnect: Proxy connection is in init state. Cannot cancel connection
[ 688 0x201c99e00][31 Aug 16:16:38][] ckpSSL_NegotiateStep: current state = before/connect initialization
[ 688 0x201c99e00][31 Aug 16:16:38][] ckpSSL_NegotiateStep: should retry.
[ 688 0x201c99e00][31 Aug 16:16:38][] ckpSSL_NegotiateStep: current state = SSLv2/v3 read server hello A
[ 688 0x201c99e00][31 Aug 16:16:38][] SSL e stack
[ 688 0x201c99e00][31 Aug 16:16:38][] 688:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757

Now the obvious question: why is the Mac client only trying to connect using SSLv3? Surely this is a left-over from previous configs? We tried uninstall/install but no success.

My cipher list is now:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Any help appreciated.

Regards

MG

0 Kudos
1 Solution

Accepted Solutions
_Alex_
Advisor

Try adding back TLS_RSA_WITH_AES_128_CBC_SHA to comply with the minimum specifications of the TLS 1.2 RFC.

I had an issue where Macs wouldn't connect and this solved it.

As your logs show, the Mac client is expecting at least these suites:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

But it should do with the AES ones.


(1)
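To make the accepted answer concrete, here is a small added example (written for this thread, not code from Check Point or from either poster). It parses the "Cipher List" block of a track.log excerpt in the layout shown in the question, maps the three OpenSSL names the client printed to their IANA names, and models the negotiation: the server picks the first suite in its own preference list that the client also offered, and an empty intersection is exactly the case that ends in the "sslv3 alert handshake failure" line. It also flags whether the list still contains TLS_RSA_WITH_AES_128_CBC_SHA, the suite RFC 5246 section 9 makes mandatory for TLS 1.2. The OpenSSL-to-IANA table, the assumption that the gateway applies server preference order, and the log excerpt itself are constructed for the example.

```python
import re

# Assumed mapping from the OpenSSL cipher names printed in track.log to the
# IANA names used in the gateway's cipher configuration. Only the three suites
# visible in this thread are included; it is not a full OpenSSL/IANA table.
OPENSSL_TO_IANA = {
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "RC4-MD5": "TLS_RSA_WITH_RC4_128_MD5",
}

# RFC 5246 section 9: a TLS 1.2 implementation must support this suite unless
# an application profile says otherwise. It is the suite the answer re-adds.
TLS12_MANDATORY_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"

# The hardened server-side list from the question, in the gateway's preference order.
HARDENED_GATEWAY_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]

# Constructed track.log excerpt in the same layout as the one in the question.
SAMPLE_TRACK_LOG = """\
[ 688 0x201c99e00][31 Aug 16:16:38][] My SSL Ciphers:
[ 688 0x201c99e00][31 Aug 16:16:38][] Cipher List:
[ 688 0x201c99e00][31 Aug 16:16:38][] 0: AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
[ 688 0x201c99e00][31 Aug 16:16:38][] 1: AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
[ 688 0x201c99e00][31 Aug 16:16:38][] 2: RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
[ 688 0x201c99e00][31 Aug 16:16:38][] 688:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757
"""

# One cipher entry per line, after the bracketed prefixes:
# "<index>: <openssl-name> <min-protocol> Kx=... Au=... Enc=... Mac=..."
CIPHER_LINE = re.compile(
    r"\]\s*(?P<idx>\d+):\s+(?P<name>\S+)\s+(?P<proto>SSLv\d|TLSv[\d.]+)\s+"
    r".*Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_client_ciphers(log_text):
    """Return the suites the client offered, in the order it listed them.

    Each entry is (openssl_name, min_protocol). The protocol column is the
    oldest protocol the suite is defined for, which is why these RSA/CBC
    suites print as 'SSLv3' even when the client is actually speaking TLS.
    """
    suites = []
    for line in log_text.splitlines():
        m = CIPHER_LINE.search(line)
        if m:
            suites.append((m.group("name"), m.group("proto")))
    return suites


def negotiate(client_openssl_names, server_iana_suites):
    """Model the server's choice: the first suite in the server's preference
    list that the client also offered. Returns the IANA name, or None when the
    lists do not overlap, which is the case that ends in a handshake_failure
    alert like the one in the log.
    """
    offered = {OPENSSL_TO_IANA.get(name, name) for name in client_openssl_names}
    for suite in server_iana_suites:
        if suite in offered:
            return suite
    return None


def hardening_review(server_iana_suites, client_openssl_names):
    """Summarise what a change review of the cipher list would flag."""
    chosen = negotiate(client_openssl_names, server_iana_suites)
    return {
        "negotiated": chosen,
        "handshake_failure": chosen is None,
        "mandatory_suite_present": TLS12_MANDATORY_SUITE in server_iana_suites,
    }


if __name__ == "__main__":
    offered = [name for name, _proto in parse_client_ciphers(SAMPLE_TRACK_LOG)]
    print("client offered:", offered)
    print("hardened list:", hardening_review(HARDENED_GATEWAY_SUITES, offered))
    print("with mandatory suite:",
          hardening_review(HARDENED_GATEWAY_SUITES + [TLS12_MANDATORY_SUITE], offered))
```

Run against the excerpt, the hardened list yields `handshake_failure: True` and `mandatory_suite_present: False`; appending the mandatory suite makes the negotiation succeed on TLS_RSA_WITH_AES_128_CBC_SHA while every ECDHE suite stays in place for clients that support them. Keeping a check like this in the change process for a cipher list catches the regression before a PCI-driven hardening locks out a legitimate client.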
3 Replies
PhoneBoy
Admin

What precise client is connecting?
What precise version of it?

0 Kudos
MaxGutberletRM
Explorer

This! I re-enabled the AES-256 ciphers and it worked. How do we turn this into a feature request: "Mac client should be able to connect without RSA-based cipher algorithms"?

0 Kudos