KY (Level 8), Message 1 of 5

ssl handshake error - www.charlestonmuseum.org


4 Replies
KY (Level 8), Message 2 of 5

Re: ssl handshake error - www.charlestonmuseum.org

Host: www.charlestonmuseum.org
Reason: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:SSL error at server handshake:state 26:Application response 500 handshakefailed

 

https://www.ssllabs.com/ssltest/analyze.html?d=www.charlestonmuseum.org

mkutrieba (Employee), Message 3 of 5

Re: ssl handshake error - www.charlestonmuseum.org

Hello,

I can reproduce this issue and found the cause + solution.
Cause: the certificate chain contains a SHA1 signature algorithm, which is considered weak:

#4
Subject:              The Go Daddy Group, Inc. / Go Daddy Class 2 Certification Authority (in trust store)
Fingerprint SHA256:   c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4
Pin SHA256:           VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=
Valid until:          Thu, 29 Jun 2034 17:06:20 UTC (expires in 14 years and 5 months)
Key:                  RSA 2048 bits (e 3)
Issuer:               The Go Daddy Group, Inc. / Go Daddy Class 2 Certification Authority (self-signed)
Signature algorithm:  SHA1withRSA (weak, but no impact on root certificate)

Source: https://www.ssllabs.com/ssltest/analyze.html?d=www.charlestonmuseum.org

When using the rule "Enable Certificate Verification" under "HTTPS Scanning" > "Handle CONNECT Call", an event "Enable SSL Scanner" with "Default Certificate Verification" is used. This contains an option called "Allow legacy signatures in the handshake".
When I enable this, old/unsafe signature algorithms are allowed and the site can be accessed. When I disable the option and delete the cache, I get the block again.

Solution:
Create a NEW setting which you use in a NEW rule placed above the default one. This needs to be limited to the affected websites only, so use criteria like "URL.Host equals/is in list <name>" and then trigger this event with the NEW created setting which allows old/unsafe signature algorithms.

Important: ALL other websites should run in the default rule/setting!
That way you avoid allowing old signature algorithms for all websites.

Example rule set:
Rule 1: Set Client Context, Continue, Enable SSL Client Context with CA <Default CA>
Rule 2: Enable Certificate Verification for special sites (criteria like URL.Host is in list <list with special websites that use old signature algorithms>), Stop rule set, Enable SSL Scanner <special setting with option enabled>
Rule 3: Enable Certificate Verification, Stop rule set, Enable SSL Scanner <Default certificate verification with option disabled>

Regards,
Marcel Kutrieba
Technical Support Engineer

If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
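To make the accepted answer concrete, here is an added example that is not part of the original thread and not the gateway's own code: a Go program (standard library only, Go 1.18 or later assumed) that builds a synthetic three-certificate chain, lists the SHA-1 signatures in it the way the SSL Labs report does (standard path validation trusts the root by identity and never checks the root's self-signature, which is why the report says "no impact on root certificate"), offers a `strict` mode that also counts the root, matching what the thread reports for the default verification setting, and then applies the rule order from the answer: a host on the list gets Rule 2 with legacy signatures tolerated, every other host falls through to Rule 3. The hostname `legacy-site.example`, the CA names and the `strict` flag are assumptions for the illustration; the chain is generated at run time and is not the real Go Daddy chain.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed test data: host and CA names are placeholders, not the real Go Daddy chain.
const siteHost = "legacy-site.example"

// must panics on error; this is fixture code, so failures are not worth propagating.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates one certificate signed with alg; parent == nil makes it self-signed.
func issue(cn string, isCA bool, alg x509.SignatureAlgorithm, dns []string,
	parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		SignatureAlgorithm:    alg, // x509.SHA1WithRSA is the "weak" case from the report
		DNSNames:              dns,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildChain returns [leaf, intermediate, root]; each flag switches that cert's signature
// from SHA256withRSA to SHA1withRSA.
func buildChain(sha1Root, sha1Inter bool) []*x509.Certificate {
	alg := map[bool]x509.SignatureAlgorithm{false: x509.SHA256WithRSA, true: x509.SHA1WithRSA}
	root, rootKey := issue("Test Class 2 Root", true, alg[sha1Root], nil, nil, nil)
	inter, interKey := issue("Test Secure CA", true, alg[sha1Inter], nil, root, rootKey)
	leaf, _ := issue(siteHost, false, x509.SHA256WithRSA, []string{siteHost}, inter, interKey)
	return []*x509.Certificate{leaf, inter, root}
}

var sha1Algs = map[x509.SignatureAlgorithm]bool{x509.SHA1WithRSA: true, x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true}

// weakSignatures lists the subjects (leaf first) whose signature uses SHA-1. Standard path
// validation never checks the root's self-signature, so the root is skipped unless strict is set.
func weakSignatures(chain []*x509.Certificate, strict bool) []string {
	var weak []string
	for _, c := range chain {
		selfSigned := bytes.Equal(c.RawIssuer, c.RawSubject) // identity check only
		if (selfSigned && !strict) || !sha1Algs[c.SignatureAlgorithm] {
			continue
		}
		weak = append(weak, c.Subject.CommonName)
	}
	return weak
}

// verdict models the rule order from the accepted answer: Rule 2 fires only for listed hosts
// and tolerates legacy signatures; every other host falls through to Rule 3, where SHA-1 blocks.
func verdict(host string, legacyHosts map[string]bool, chain []*x509.Certificate, strict bool) (rule int, allow bool) {
	if legacyHosts[host] {
		return 2, true
	}
	return 3, len(weakSignatures(chain, strict)) == 0
}

// verifyStandard runs Go's own path validation with the chain's root as the only trust
// anchor: a SHA-1 self-signed root passes; a SHA-1 intermediate or leaf fails on Go 1.18+.
func verifyStandard(chain []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[2])
	inters.AddCert(chain[1])
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: siteHost, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	chain := buildChain(true, false) // the SSL Labs shape: only the self-signed root is SHA-1
	fmt.Println("strict weak list:", weakSignatures(chain, true), "| standard validation error:", verifyStandard(chain))
	for _, h := range []string{siteHost, "other.example"} {
		rule, allow := verdict(h, map[string]bool{siteHost: true}, chain, true)
		fmt.Printf("%s -> rule %d, allow=%v\n", h, rule, allow)
	}
}
```

`verifyStandard` is Go's own path validation: it accepts the SHA-1-root chain, while `buildChain(false, true)` (SHA-1 intermediate) fails it on Go 1.18 and later, which is the difference between a chain that only trips a strict gateway check and one that is genuinely broken. Before adding a host to the exception list, confirm from the chain the server actually presents that only the root is SHA-1, as the SSL Labs report shows for this site, and keep the list to exactly those hosts so the default rule stays strict.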
KY (Level 8), Message 4 of 5

Re: ssl handshake error - www.charlestonmuseum.org

Thank you. That helps, because I did not want to enable legacy certs and ciphers.

mkutrieba (Employee), Message 5 of 5

Re: ssl handshake error - www.charlestonmuseum.org

I understand and that's correct.

The above-mentioned method is the common way to achieve this (use an extra setting with a URL.Host criterion or anything similar).

Thanks for marking this post as resolved by accepting my answer as the solution!

Regards,
Marcel Kutrieba
Technical Support Engineer
