Posted to users@httpd.apache.org by "Garrison, Jim (ETW)" <Ji...@nike.com> on 2012/06/12 20:27:29 UTC
[users@httpd] TLS 1.2 handshake problem?
I am trying unsuccessfully to get Subversion to connect over HTTPS to an Apache server that is configured with
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
The behavior I'm seeing is that the client sends the initial CLIENT HELLO, and Apache does not respond:
Client                  Server
-------syn---------->
<------ack-----------
---CLIENT HELLO----->
<------ack-----------
  [60 second pause]
<------rst-----------
The CLIENT HELLO is TLSv1.0, containing TLSv1.2 handshake protocol. Is this not supported by Apache?
The CLIENT HELLO as decoded by Wireshark is:
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 337
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 333
Version: TLS 1.2 (0x0303)
Random
gmt_unix_time: Jun 12, 2012 11:11:31.000000000 Pacific Daylight Time
random_bytes: aec93d5fa312325bec744389f47e96cc8b4580adc8d2488f...
Session ID Length: 0
Cipher Suites Length: 158
Cipher Suites (79 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022)
Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA (0xc01c)
Cipher Suite: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA (0xc01b)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f)
Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 2
Compression Methods (2 methods)
Compression Method: DEFLATE (1)
Compression Method: null (0)
Extensions Length: 133
Extension: server_name
Type: server_name (0x0000)
Length: 18
Data (18 bytes)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
EC point format: uncompressed (0)
EC point format: ansiX962_compressed_prime (1)
EC point format: ansiX962_compressed_char2 (2)
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 52
Elliptic Curves Length: 50
Elliptic curves (25 curves)
Elliptic curve: sect571r1 (0x000e)
Elliptic curve: sect571k1 (0x000d)
Elliptic curve: secp521r1 (0x0019)
Elliptic curve: sect409k1 (0x000b)
Elliptic curve: sect409r1 (0x000c)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: sect283k1 (0x0009)
Elliptic curve: sect283r1 (0x000a)
Elliptic curve: secp256k1 (0x0016)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: sect239k1 (0x0008)
Elliptic curve: sect233k1 (0x0006)
Elliptic curve: sect233r1 (0x0007)
Elliptic curve: secp224k1 (0x0014)
Elliptic curve: secp224r1 (0x0015)
Elliptic curve: sect193r1 (0x0004)
Elliptic curve: sect193r2 (0x0005)
Elliptic curve: secp192k1 (0x0012)
Elliptic curve: secp192r1 (0x0013)
Elliptic curve: sect163k1 (0x0001)
Elliptic curve: sect163r1 (0x0002)
Elliptic curve: sect163r2 (0x0003)
Elliptic curve: secp160k1 (0x000f)
Elliptic curve: secp160r1 (0x0010)
Elliptic curve: secp160r2 (0x0011)
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 34
Data (34 bytes)
Extension: Unknown 15
Type: Unknown (0x000f)
Length: 1
Data (1 byte)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] TLS 1.2 handshake problem?
Posted by "Garrison, Jim (ETW)" <Ji...@nike.com>.
>From: aparna Puram [mailto:aparnapuram@gmail.com]
>Sent: Tuesday, June 12, 2012 12:16 PM
>To: users@httpd.apache.org
>Subject: Re: [users@httpd] TLS 1.2 handshake problem?
>
>What is the version of openssl being used?
The subversion client is 1.7.5, which uses OpenSSL 1.0.1c
Re: [users@httpd] TLS 1.2 handshake problem?
Posted by aparna Puram <ap...@gmail.com>.
What is the version of openssl being used?
On Wed, Jun 13, 2012 at 12:29 AM, Garrison, Jim (ETW) <Jim.Garrison@nike.com
> wrote:
> The problem appears to be the TLSv1.2 handshake. Here are the cases:
>
>
> * openssl s_client -connect gbit:443
>
> This sends a TLSv1.2 handshake inside a TLSv1.0 CLIENT HELLO, and Apache
> fails to respond.
>
> * openssl s_client -connect gbit:443 -tls1
>
> This sends a TLSV1.0 handshake inside a TLSV1.0 CLIENT HELLO. Apache
> accepts the connection
>
> Is this a problem in OpenSSL?
RE: [users@httpd] TLS 1.2 handshake problem?
Posted by "Garrison, Jim (ETW)" <Ji...@nike.com>.
The problem appears to be the TLSv1.2 handshake. Here are the cases:
* openssl s_client -connect gbit:443
This sends a TLSv1.2 handshake inside a TLSv1.0 CLIENT HELLO, and Apache fails to respond.
* openssl s_client -connect gbit:443 -tls1
This sends a TLSV1.0 handshake inside a TLSV1.0 CLIENT HELLO. Apache accepts the connection
Is this a problem in OpenSSL?
Re: [users@httpd] TLS 1.2 handshake problem?
Posted by aparna Puram <ap...@gmail.com>.
Hi,
Sometimes, from the huge list of supported cipher suites, it will be hard
for us to select the exact cipher.
If you are working on Solaris, you can use the following command to check
the exact cipher and protocol being used by the client.
/opt/csw/bin/openssl s_client -connect clinethostname:443 -debug
The following output will be displayed.
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Then you can add this protocol and cipher to your sslciphersuite. It will
enable the connection between your webserver and the client.
On Tue, Jun 12, 2012 at 11:57 PM, Garrison, Jim (ETW) <Jim.Garrison@nike.com
> wrote:
> I am trying unsuccessfully to get Subversion to connect over HTTPS to an
> Apache server that is configured with
>
> SSLProtocol -ALL +SSLv3 +TLSv1
> SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
>
> The behavior I'm seeing is that the client sends the initial CLIENT HELLO,
> and Apache does not respond:
>
> Client Server
> -------syn---------->
> <------ack-----------
> ---CLIENT HELLO----->
> <------ack-----------
> [60 second pause]
> <------rst-----------
>
> The CLIENT HELLO is TLSv1.0, containing TLSv1.2 handshake protocol. Is
> this not supported by Apache?
Re: [users@httpd] TLS 1.2 handshake problem?
Posted by aparna Puram <ap...@gmail.com>.
Check this blog..
http://blog.taddong.com/2011/10/tlssled-v12.html
This might help you to find out if the openssl version that you have
supports the TLSV1.2
On Wed, Jun 13, 2012 at 1:42 AM, Garrison, Jim (ETW)
<Ji...@nike.com> wrote:
> > -----Original Message-----
> > From: Eric Covener [mailto:covener@gmail.com]
> > Sent: Tuesday, June 12, 2012 12:53 PM
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] TLS 1.2 handshake problem?
> >
> > Extension: SessionTicket TLS
> > Type: SessionTicket TLS (0x0023)
> > Length: 0
> > Data (0 bytes)
> >
> > I've seen this cause trouble on java-based servers, since it is the first
> > extension that's 0 byte and servers can over-read and block.
> >
> > In openssl s_client, you can separately disable tls session tickets..
> >
> > Does your request go through a java-based proxy?
>
> I don't believe so. However, if I force TLSv1.0 handshake the packet still
> contains the same SessionTicket, but connects successfully, so that can't
> be the problem.
RE: [users@httpd] TLS 1.2 handshake problem?
Posted by "Garrison, Jim (ETW)" <Ji...@nike.com>.
> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com]
> Sent: Tuesday, June 12, 2012 12:53 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] TLS 1.2 handshake problem?
>
> Extension: SessionTicket TLS
> Type: SessionTicket TLS (0x0023)
> Length: 0
> Data (0 bytes)
>
> I've seen this cause trouble on java-based servers, since it is the first
> extension that's 0 byte and servers can over-read and block.
>
> In openssl s_client, you can separately disable tls session tickets..
>
> Does your request go through a java-based proxy?
I don't believe so. However, if I force TLSv1.0 handshake the packet still contains the same SessionTicket, but connects successfully, so that can't be the problem.
Re: [users@httpd] TLS 1.2 handshake problem?
Posted by Eric Covener <co...@gmail.com>.
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
I've seen this cause trouble on java-based servers, since it is the
first extension that's 0 byte and servers can over-read and block.
In openssl s_client, you can separately disable tls session tickets..
Does your request go through a java-based proxy?
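Added example, not part of the original thread: a bounds-checked Python parser for a single-record ClientHello that reports the record-layer version separately from the handshake client_version and walks the extension list, including a zero-length SessionTicket, which are the two points raised in the messages above. The sample bytes are constructed to resemble the capture (not the captured packet), and the SNI name svn.example.test is a placeholder.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

class Reader:
    """Bounds-checked cursor: every read fails loudly instead of over-reading."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError(f"truncated: need {n} bytes at offset {self.pos}")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")
    def vec(self, len_bytes):
        # Length-prefixed vector; a zero length yields an empty Reader.
        return Reader(self.take(self.uint(len_bytes)))
    def done(self):
        return self.pos == len(self.buf)

def parse_client_hello(data):
    """Parse one TLS record holding a complete ClientHello (assumption: no fragmentation)."""
    rec = Reader(data)
    if rec.uint(1) != 22:
        raise ValueError("not a handshake record")
    record_version = rec.uint(2)          # outer record-layer version
    hs = rec.vec(2)
    if hs.uint(1) != 1:
        raise ValueError("not a ClientHello")
    hello = hs.vec(3)
    client_version = hello.uint(2)        # highest version the client offers
    hello.take(32)                        # random
    hello.vec(1)                          # session_id
    suites, cipher_suites = hello.vec(2), []
    while not suites.done():
        cipher_suites.append(suites.uint(2))
    hello.vec(1)                          # compression methods
    extensions = []
    if not hello.done():                  # the extensions block is optional
        exts = hello.vec(2)
        while not exts.done():
            etype = exts.uint(2)
            extensions.append((etype, len(exts.vec(2).buf)))
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": cipher_suites, "extensions": extensions}

def build_sample_hello():
    """Constructed ClientHello shaped like the one in the thread (not captured bytes)."""
    def ext(etype, data=b""):
        return struct.pack("!HH", etype, len(data)) + data
    host = b"svn.example.test"            # placeholder SNI name
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = (ext(0x0000, sni) + ext(0x0023)              # SessionTicket, 0 bytes
            + ext(0x000D, b"\x00\x02\x04\x01") + ext(0x000F, b"\x01"))
    suites = struct.pack("!3H", 0xC030, 0x0039, 0x00FF)
    body = (b"\x03\x03" + bytes(32) + b"\x00"           # TLS 1.2, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x02\x01\x00"                           # DEFLATE, null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record says TLS 1.0

if __name__ == "__main__":
    info = parse_client_hello(build_sample_hello())
    print("record layer :", VERSIONS[info["record_version"]])
    print("client hello :", VERSIONS[info["client_version"]])
    for etype, length in info["extensions"]:
        print(f"extension 0x{etype:04x}: {length} bytes")
```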