solve “sslv3 alert handshake failure” error

Our IM team reported that they were unable to download images from HTTPS servers. Our HTTPS client is written in C++ with boost.asio, and boost.asio uses OpenSSL for SSL/TLS.

First, I started the client in a DEBUG build; the error was “sslv3 alert handshake failure”. I tried different OpenSSL options in the client, but the result was the same. Every combination of options got the same response from the server side, as observed with Wireshark.

Second, I compared the packets sent by IE with those sent by our OpenSSL-based client. Some extensions inside the CLIENTHELLO were suspicious:

A: Extension: renegotiation_info

B: Extension: server_name

C: Extension: status_request

I checked the OpenSSL source; it looks like it doesn’t support extension A, while it does support B and C.

Before writing test code, the simplest way to verify this is to send a request with openssl.exe.

The first try failed:

openssl s_client -tls1_2 -connect OUR_HTTPS_DOMAIN:443

The next try, with -servername and -status added, worked:

openssl s_client -tls1_2 -connect OUR_HTTPS_DOMAIN:443 -status -servername OUR_HTTPS_DOMAIN

This means the HTTPS server now requires the SNI (https://en.wikipedia.org/wiki/Server_Name_Indication) extension.

Once the cause is located, the fix is easy: set the host name after creating the ssl stream object and before starting the handshake.

ssl_socket_.reset(new boost::asio::ssl::stream<boost::asio::ip::tcp::socket>(*ioservice_, *ssl_context_));

// Adds the server_name (SNI) extension to the ClientHello; must run before handshake()
SSL_set_tlsext_host_name(ssl_socket_->native_handle(), host_.c_str());
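As an added example (written for this note, not code from the original post or from boost.asio/OpenSSL), the following parses a TLS ClientHello record and returns the host name in its server_name extension, or an empty string when the extension is missing, which is the condition the Wireshark comparison above revealed. The ClientHello builder, the host name and the fixed random bytes are constructed test data.

```cpp
#include <cstdint>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
static uint16_t be16(const Bytes& b, size_t i) { return uint16_t((b[i] << 8) | b[i + 1]); }

// Return the host name carried in a ClientHello's server_name (SNI, type 0) extension, or ""
// when absent. Offsets follow RFC 5246 7.4.1.2; every length is bounds-checked so truncated input yields "".
std::string extract_sni(const Bytes& r) {
    size_t p = 5 + 4 + 2 + 32;                              // record hdr, handshake hdr, version, random
    if (r.size() <= p || r[0] != 0x16 || r[5] != 0x01) return "";    // not a handshake record / ClientHello
    p += 1 + r[p];                                          // session_id
    if (p + 2 > r.size()) return ""; p += 2 + be16(r, p);   // cipher_suites
    if (p >= r.size()) return "";    p += 1 + r[p];         // compression_methods
    if (p + 2 > r.size()) return "";                        // hello ends here: no extensions at all
    size_t end = p + 2 + be16(r, p);
    if (end > r.size()) return "";
    for (p += 2; p + 4 <= end;) {
        uint16_t type = be16(r, p), len = be16(r, p + 2); p += 4;
        if (p + len > end) return "";
        if (type == 0 && len >= 5 && r[p + 2] == 0) {       // server_name list whose entry is host_name
            uint16_t n = be16(r, p + 3);
            return 5u + n <= len ? std::string(r.begin() + p + 5, r.begin() + p + 5 + n) : "";
        }
        p += len;
    }
    return "";
}

// Constructed TLS 1.2 ClientHello (test data, not a real capture). renegotiation_info and status_request,
// the other extensions inspected in the post, are always present; with_sni appends server_name after them.
Bytes build_client_hello(const std::string& host, bool with_sni) {
    Bytes ext = {0xff, 0x01, 0, 1, 0,  0, 5, 0, 5, 1, 0, 0, 0, 0};
    if (with_sni) {
        uint16_t n = host.size(), list = n + 3, body = list + 2;
        uint8_t h[] = {0, 0, uint8_t(body >> 8), uint8_t(body), uint8_t(list >> 8), uint8_t(list),
                       0, uint8_t(n >> 8), uint8_t(n)};     // type, ext len, list len, host_name, name len
        ext.insert(ext.end(), h, h + sizeof h); ext.insert(ext.end(), host.begin(), host.end());
    }
    Bytes hello(34, 0x42); hello[0] = hello[1] = 3;         // client_version 3.3, then a fixed 32-byte random
    uint8_t mid[] = {0, 0, 2, 0xc0, 0x2f, 1, 0};            // empty session_id, one cipher suite, null compression
    hello.insert(hello.end(), mid, mid + sizeof mid);
    hello.push_back(ext.size() >> 8); hello.push_back(ext.size() & 0xff);
    hello.insert(hello.end(), ext.begin(), ext.end());
    uint16_t hl = hello.size(), rl = hl + 4;                // handshake body length, record payload length
    Bytes rec = {0x16, 3, 1, uint8_t(rl >> 8), uint8_t(rl), 1, 0, uint8_t(hl >> 8), uint8_t(hl)};
    rec.insert(rec.end(), hello.begin(), hello.end());
    return rec;
}
```

Feeding the first record a client actually sends (for example the bytes dumped from a capture) to extract_sni is a quick way to confirm that SSL_set_tlsext_host_name really put the extension on the wire.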
