July 14, 2015 09:58PM
Here's what we've learned so far:

The issue is related to a new security feature that blocks TLS fallback, which is a client that connects with one version of TLS, then tries to downgrade the connection and connect with a lower TLS version. It was a feature made in light of the POODLE SSL vulnerability in order to keep SSL secure. The problem is that many networking libraries still exhibit this behavior of downgrading TLS versions on purpose, and OpenSSL then blocks the connection.

Specifically, the NSURLConnection class on iOS exhibits this behavior. NSURLSession, the latest iteration of this client, does not. The problem is, if you want to support iOS 6 still, you HAVE to use NSURLConnection. We decided to end support for iOS 6 because of this. NSURLConnection is also completely deprecated in iOS 9, so if you want to support iOS 9, you'll have to upgrade your client library anyway.

On Android, the same thing happened, but not as often and between different TLS versions. Switching to Square's Retrofit client for SSL purposes has worked really well for us.

So, the real fix is to make sure you update your clients. If you're on a Debian wheezy box, you can make your own openssl package with the latest version, but with TLS_FALLBACK_SCSV support removed by following the directions below. Note, this is not recommended from a security perspective, but if your environment is broken, you need to do what you need to do. As long as SSL v3 is disabled, there's no big, active vulnerability in the wild that takes advantage of fallback at the moment.

Set up dquilt as shown on https://www.debian.org/doc/manuals/maint-guide/modify.en.html

Building Package:
apt-get update ; apt-get source libssl1.0.0
cd openssl-1.0.1e
dquilt pop Support-TLS_FALLBACK_SCSV
dquilt delete Support-TLS_FALLBACK_SCSV
dpkg-source --commit
dpkg-buildpackage

The Debian packages will be one directory back. Make sure to install the libssl packages you created, not just openssl, and nginx will need a restart to use the new library, not just a reload.

I hope this helps someone, we spent a good amount of time on this.
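The following is an added example, not part of the forum post above. It is a small Python model of the RFC 7507 TLS_FALLBACK_SCSV rule the post describes: the TLS version numbers and the SCSV cipher-suite value are the real ones, but the client and server functions, the `make_network` helper and the "transient failure" flag are a constructed simulation, not a real TLS stack. It shows why a client library that reacts to any connection error by retrying one TLS version lower (the NSURLConnection behaviour described in the post) gets an `inappropriate_fallback` alert from a server that honours the SCSV, why the same client worked against a server built without SCSV support, and why a client that retries at the same version never trips the check.

```python
# Added example: simulation of the RFC 7507 TLS_FALLBACK_SCSV server check
# and of two client retry strategies.  Not a real TLS implementation.

TLS_FALLBACK_SCSV = 0x5600  # cipher-suite value reserved by RFC 7507
SSLv3, TLSv1_0, TLSv1_1, TLSv1_2 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSLv3: "SSLv3", TLSv1_0: "TLSv1.0", TLSv1_1: "TLSv1.1", TLSv1_2: "TLSv1.2"}
PLACEHOLDER_SUITE = 0x002F  # any ordinary cipher suite; only the SCSV matters here


class HandshakeError(Exception):
    """Server rejected the ClientHello; .alert names the TLS alert it sent."""

    def __init__(self, alert):
        super().__init__(alert)
        self.alert = alert


class TransientError(Exception):
    """Simulated network failure (timeout, reset) unrelated to the TLS version."""


def server_hello(client_version, cipher_suites, enabled_versions, honour_scsv=True):
    """Server side of the handshake.

    enabled_versions models nginx's ssl_protocols (e.g. SSLv3 removed after
    POODLE).  honour_scsv=False models an OpenSSL built without the
    TLS_FALLBACK_SCSV check, as the post's rebuilt Debian package would be.
    """
    server_max = max(enabled_versions)
    # RFC 7507 section 3: the SCSV says "this is a fallback retry".  If the
    # client offers less than the best version we support, the downgrade was
    # not caused by us, so refuse it with inappropriate_fallback.
    if honour_scsv and TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        raise HandshakeError("inappropriate_fallback")
    if client_version not in enabled_versions:  # e.g. SSLv3 offered but disabled
        raise HandshakeError("protocol_version")
    return client_version  # negotiated version


def make_network(enabled_versions, fail_first, honour_scsv=True):
    """Return a connect() callable.  With fail_first=True the first attempt
    fails with a transient error; every later attempt reaches the server."""
    calls = {"n": 0}

    def connect(client_version, cipher_suites):
        calls["n"] += 1
        if fail_first and calls["n"] == 1:
            raise TransientError("connection reset")
        return server_hello(client_version, cipher_suites, enabled_versions, honour_scsv)

    return connect


def downgrading_client(connect):
    """NSURLConnection-style behaviour from the post: start at TLS 1.2 and, on
    any failure, retry one version lower and mark the retry with the SCSV."""
    version, suites = TLSv1_2, [PLACEHOLDER_SUITE]
    while version >= SSLv3:
        try:
            return NAMES[connect(version, suites)]
        except TransientError:
            version -= 1  # wrong reaction: treats every error as version intolerance
            suites = [PLACEHOLDER_SUITE, TLS_FALLBACK_SCSV]  # retry flagged as fallback
    raise TransientError("gave up")


def retrying_client(connect, max_attempts=3):
    """NSURLSession-style behaviour: a transient failure is retried at the
    same version, so no fallback happens and no SCSV is ever sent."""
    for _ in range(max_attempts):
        try:
            return NAMES[connect(TLSv1_2, [PLACEHOLDER_SUITE])]
        except TransientError:
            continue
    raise TransientError("gave up")


def outcome(client, connect):
    """Run a client against a network and report the result as a string."""
    try:
        return client(connect)
    except HandshakeError as e:
        return "alert:" + e.alert
    except TransientError:
        return "transient"


if __name__ == "__main__":
    enabled = {TLSv1_0, TLSv1_1, TLSv1_2}  # SSLv3 disabled, as the post recommends
    print("clean network, downgrading client:", outcome(downgrading_client, make_network(enabled, False)))
    print("one glitch, downgrading client:   ", outcome(downgrading_client, make_network(enabled, True)))
    print("one glitch, old server (no SCSV): ", outcome(downgrading_client, make_network(enabled, True, honour_scsv=False)))
    print("one glitch, retrying client:      ", outcome(retrying_client, make_network(enabled, True)))
```

The intermittent nature of the errors falls out of the model: the downgrading client only sends the SCSV after a glitch, so most connections succeed and only the retries fail, which is what the thread title describes. Removing the check on the server (honour_scsv=False) makes those retries succeed again at a lower version, which is the trade-off the post acknowledges when it says the package rebuild is not recommended from a security perspective.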
Re: Intermittent SSL Handshake Errors
tempspace July 14, 2015 09:58PM