Re: Intermittent SSL Handshake Errors

Maxim Dounin
July 15, 2015 12:10PM
Hello!

On Tue, Jul 14, 2015 at 09:58:52PM -0400, tempspace wrote:

> Here's what we've learned so far:
>
> The issue is related to a new security feature that blocks TLS Fallback,
> which is a client that connects with one version of TLS, then tries to
> downgrade the connection and connect with a lower TLS version. It was a
> feature made in light of the Poodle SSL vulnerability in order to keep SSL
> secure. The problem is that many networking libraries still exhibit this
> behavior of downgrading TLS versions on purpose, and OpenSSL then blocks
> the connection.
>
> Specifically, the NSURLConnection class on iOS exhibits this behavior.
> NSURLSession, the latest iteration of this client, does not. The problem is,
> if you want to support iOS 6 still, you HAVE to use NSURLConnection. We
> decided to end support for iOS 6 because of this. NSURLConnection is also
> completely deprecated in iOS 9, so if you want to support iOS 9, you'll have
> to upgrade your client library anyway.
>
> On Android, the same thing happened, but not as often and between different
> TLS versions. Switching to Square's Retrofit client for SSL purposes has
> worked really well for us.
>
> So, the real fix is to make sure you update your clients. If you're on a
> Debian wheezy box, you can make your own openssl package with the latest
> version, but with TLS_FALLBACK_SCSV support removed by following the
> directions below. Note, this is not recommended from a security perspective,
> but if your environment is broken, you need to do what you need to do. As
> long as SSL v3 is disabled, there's no big, active vulnerability in the wild
> that takes advantage of fallback at the moment.
>
> Set up dquilt as shown on
> https://www.debian.org/doc/manuals/maint-guide/modify.en.html
>
> Building Package:
> apt-get update ; apt-get source libssl1.0.0
> cd openssl-1.0.1e
> dquilt pop Support-TLS_FALLBACK_SCSV
> dquilt delete Support-TLS_FALLBACK_SCSV
> dpkg-source --commit
> dpkg-buildpackage
>
> The debian packages will be one directory back. Make sure to install the
> libssl packages you created, not just openssl, and nginx will need a restart
> to use the new library, not just a reload.
>
> I hope this helps someone, we spent a good amount of time on this.

Thanks for the info, appreciated.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
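As an added illustration (not part of the thread, and not nginx or OpenSSL code), the following Python shows the server-side rule behind the "blocks TLS Fallback" feature the quoted post describes: a ClientHello is rejected only when it carries the TLS_FALLBACK_SCSV signalling cipher suite (0x5600, RFC 7507) AND offers a lower protocol version than the server's highest supported one. The ClientHello parser and the sample hellos built by `build_client_hello` are constructed here for offline testing; the version/suite values are the standard TLS code points.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value
TLS1_0, TLS1_2 = 0x0301, 0x0303  # standard TLS version code points


def parse_client_hello(record: bytes):
    """Return (client_version, cipher_suites) from one unfragmented TLS
    handshake record holding a ClientHello. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:
        raise ValueError("ClientHello too short")
    client_version = struct.unpack(">H", hello[:2])[0]
    pos = 34  # skip client_version (2) + random (32)
    sid_len = hello[pos]
    pos += 1 + sid_len  # skip session_id
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    cs_bytes = hello[pos:pos + cs_len]
    if len(cs_bytes) != cs_len or cs_len % 2:
        raise ValueError("truncated cipher suite list")
    suites = [struct.unpack(">H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)]
    return client_version, suites


def fallback_check(client_version: int, suites: list, server_max_version: int) -> str:
    """RFC 7507 server rule: reject only if the SCSV is present and the client's
    offered version is below the highest version this server supports."""
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return "reject: inappropriate_fallback"
    return "accept"


def build_client_hello(version: int, suites: list) -> bytes:
    """Constructed sample ClientHello (zero random, no session id, no extensions)."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    hello = (struct.pack(">H", version) + b"\x00" * 32 + b"\x00"
             + struct.pack(">H", len(cs)) + cs + b"\x01\x00")
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(body)) + body
```

Run against a TLS 1.2 server, a retry at TLS 1.0 that carries the SCSV (what the legacy client in the post does) is rejected, while the same hello without the SCSV, or the same hello against a server whose own maximum is TLS 1.0, is accepted.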