Fatal Alert received: Handshake Failure

Document ID : KB000046215
Last Modified Date : 14/02/2018

Issue:  


We are connecting to a customer server to forward a transaction from the Layer 7 Gateway and get the following error:
Problem routing to https://server.com/. Error msg: Unable to obtain HTTP response from https://server.com: Fatal Alert received: Handshake Failure.


Cause:


Reviewing a tcpdump of the connection showed that the server sent the handshake failure alert in response to the gateway's Client Hello. Comparing the cipher suites allowed on the server with the cipher suites configured in Policy Manager revealed a mismatch: the two sides had no cipher suite in common.


Resolution:


Changing the cipher suites enabled on the endpoint server so that they match the ones configured in Policy Manager resolved the problem.

Cipher suites are configured in Policy Manager under Manage Listen Ports -> Properties -> SSL/TLS Settings.


Additional Information:


The Client Hello message tells the server the following:

· The SSL/TLS version the client proposes for the connection.

· Random bytes generated by the client, which are later used to derive the master secret for encryption.

· A list of encryption algorithm combinations called cipher suites. The client tells the server which cipher suites it understands, and the server must pick one of them; if it supports none of them, it aborts with a handshake failure alert.

· A list of compression algorithms supported by the client. If the server selects one, that algorithm is used to compress each message.

· Optionally, a list of extensions that can be used to improve the security of the handshake. Extensions are not part of the base protocol; if the server understands them, they are used.

[Image: client_hello.PNG, a Client Hello message as shown in a packet capture]
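To make the Client Hello fields above and the cipher suite comparison from the Cause section concrete, here is an added Python example (not part of the original KB article or the gateway product). It constructs a sample TLS 1.2 Client Hello record, parses out the version, client random, cipher suites, compression methods and extensions, and then intersects the client's cipher suites with a server's allowed list; an empty intersection is exactly the situation that produces the handshake failure alert. The suite code points, the server allowed set and the hostname are constructed sample values.

```python
"""Parse a TLS 1.2 ClientHello and compare its cipher suites with a server's allowed list."""
import struct

# A few IANA cipher suite code points, used only to name suites in the output.
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def build_client_hello(cipher_suites, server_name=b"server.com"):
    """Construct a TLS 1.2 ClientHello record (sample input, not a real capture)."""
    random = bytes(range(32))  # constructed; a real client sends 32 random bytes
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    # server_name extension (type 0): list length, name type 0 (host_name), name length, name
    sni_name = struct.pack(">BH", 0, len(server_name)) + server_name
    sni_list = struct.pack(">H", len(sni_name)) + sni_name
    extensions = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + random                          # client_version 3.3 = TLS 1.2
        + b"\x00"                                     # session_id length 0
        + struct.pack(">H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack(">H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record header


def parse_client_hello(record):
    """Return the fields the KB lists: version, random, cipher suites, compression, extensions."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 2
    random = body[pos:pos + 32]
    pos += 32
    pos += 1 + body[pos]                                    # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1
    compression = list(body[pos:pos + comp_len])
    pos += comp_len
    extensions = []
    if pos < len(body):                                     # extensions block is optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            extensions.append((etype, body[pos:pos + elen]))
            pos += elen
    return {"version": version, "random": random, "cipher_suites": suites,
            "compression": compression, "extensions": extensions}


def sni_hostname(extensions):
    """Extract host_name from a server_name extension (type 0), or None if absent."""
    for etype, data in extensions:
        if etype == 0 and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack(">H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
    return None


def common_suites(client_suites, server_allowed):
    """Suites both sides accept, in client preference order; empty means handshake failure."""
    return [s for s in client_suites if s in server_allowed]


if __name__ == "__main__":
    hello = build_client_hello([0xC02F, 0xC030, 0x009C])
    fields = parse_client_hello(hello)
    print("version %d.%d, SNI %s" % (*fields["version"], sni_hostname(fields["extensions"])))
    for suite in fields["cipher_suites"]:
        print("  client offers 0x%04X %s" % (suite, CIPHER_NAMES.get(suite, "?")))
    server_allowed = {0x002F, 0x0035, 0xC013}       # constructed: a server with only CBC suites
    overlap = common_suites(fields["cipher_suites"], server_allowed)
    print("common suites:", [CIPHER_NAMES[s] for s in overlap] or "none -> handshake_failure alert")
```

Running the block as-is prints the offered suites and reports that there is no common suite, which is the mismatch described in the Cause section; changing either list so the two overlap (as the Resolution section does on the server side) makes the intersection non-empty.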

Here is a Linux shell script that tests which cipher suites a server accepts. It tries each cipher suite known to the local OpenSSL build one at a time and reports YES or NO for each; replace SERVER_IP with the endpoint server's address.

#!/usr/bin/env bash

# OpenSSL requires the port number.
SERVER=SERVER_IP:443
DELAY=1
# Every cipher suite the local OpenSSL knows, one per word.
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo Obtaining cipher list from $(openssl version).

for cipher in ${ciphers[@]}
do
  echo -n "Testing $cipher..."
  # Offer exactly one cipher suite; the server either completes the handshake or rejects it.
  result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$SERVER" 2>&1)
  if [[ "$result" =~ ":error:" ]] ; then
    # OpenSSL error lines are colon separated; field 6 holds the reason text.
    error=$(echo -n $result | cut -d':' -f6)
    echo NO \($error\)
  else
    # A completed handshake prints a "Cipher    : <name>" line.
    if [[ "$result" =~ "Cipher    :" ]] ; then
      echo YES
    else
      echo UNKNOWN RESPONSE
      echo $result
    fi
  fi
  sleep $DELAY
done