On Thu, May 10, 2007 at 04:14:34PM -0400, Clayton Boucher wrote:

> Hi All,
>
> We are having a problem with Telnet/SSL.  The server (IBM UniVerse) uses
> OpenSSL 0.9.7e.  It was upgraded from OpenSSL 0.9.6e, which is where our
> troubles started.
>
> Under Windows Vista, we are connecting to the server and the SSL
> handshake is failing.  Under Windows XP or using the older version of
> UniVerse, the connection was established correctly.
>
> Some information that we have been able to discover:
>
> When connecting to the old version of the server from XP SP2,
> TLS_RSA_WITH_RC4_MD5 is used.
> 
> When connecting to the old version of the server from Vista,
> TLS_RSA_WITH_RC4_SHA is used.
> 
> When connecting to the new version of the server from XP SP2,
> TLS_RSA_WITH_RC4_MD5 is used.
> 
> When connecting to the new version of the server from Vista,
> TLS_RSA_WITH_AES_128_CBC_SHA is used.  This one fails.

Many versions of Microsoft's CryptoAPI also negotiate a broken version
of DES-CBC3, don't know if the problems are related. I explicitly
configure medium-grade ciphers for such systems... (with SMTP STARTTLS).

Often if you let the client (Microsoft software) set the cipher
preferences (OpenSSL default) it will pick ciphers that work. Is the
IBM server overriding the client prefs and choosing its most preferred
cipher? You may want to turn that off...

> One interesting thing is that we have found that by modifying the SSL
> Cipher Order in Vista through the policy editor that we can move the
> order of SSL Cipher choices and that if we move TLS_RSA_WITH_RC4_SHA to
> the top, we can connect with Vista.  This is, however, not a useable
> solution for our customers (since it involves group policy changes,
> rebooting machines, etc...).  To me, this points to Microsoft, but I
> don't know... I'm not knowledgeable enough about SSL and all this stuff.

If Vista gets its cipher choice honoured by the server, then the only
solution is to fix Vista. Perhaps a patch is already available...

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
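
The selection rule discussed in this thread (the client's order by default, the server's order when the server overrides it), modelled as an added example that is not part of the original message. The client offer lists, the server suite lists and all function and variable names are constructed assumptions, chosen to be consistent with the four results reported above.

```python
# Constructed client offers, most preferred first (assumptions: the thread
# reports only the negotiated suites, not the full ClientHello lists).
XP_SP2 = ["TLS_RSA_WITH_RC4_MD5", "TLS_RSA_WITH_RC4_SHA",
          "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
VISTA = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
         "TLS_RSA_WITH_RC4_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
         "TLS_RSA_WITH_RC4_MD5"]

# Constructed server suite lists. Assumption: only the upgraded server
# has AES suites enabled, which is consistent with the reported results.
OLD_SERVER = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_SHA",
              "TLS_RSA_WITH_RC4_MD5"]
NEW_SERVER = ["TLS_RSA_WITH_AES_256_CBC_SHA",
              "TLS_RSA_WITH_AES_128_CBC_SHA"] + OLD_SERVER
RC4_ONLY = [s for s in NEW_SERVER if "_RC4_" in s]  # restricted server list


def negotiate(client_offer, server_enabled, server_preference=False):
    """Return the suite the server selects, or None when nothing overlaps.

    Client preference walks the client's list in order; server preference
    walks the server's list in order. Either way the suite must be on both.
    """
    if server_preference:
        ordered, other = server_enabled, client_offer
    else:
        ordered, other = client_offer, server_enabled
    return next((s for s in ordered if s in other), None)


def promote(offer, suite):
    """Client-side reordering: move one suite to the top of the offer."""
    return [suite] + [s for s in offer if s != suite]


if __name__ == "__main__":
    for cname, client in (("XP SP2", XP_SP2), ("Vista", VISTA)):
        for sname, server in (("old", OLD_SERVER), ("new", NEW_SERVER),
                              ("new, RC4 only", RC4_ONLY)):
            print(f"{cname:7} -> {sname:14}: {negotiate(client, server)}")
    top = promote(VISTA, "TLS_RSA_WITH_RC4_SHA")
    print("Vista, RC4_SHA first -> new:", negotiate(top, NEW_SERVER))
    print("Vista -> new, server order :", negotiate(VISTA, NEW_SERVER, True))
```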