Am 10.11.2014 um 16:23 schrieb Viktor Dukhovni: > On Mon, Nov 10, 2014 at 09:28:17AM +0100, Lars Heide wrote: > >>> Was there a prior connection shortly before that where the handshake >>> failed for some other reason? >> >> No, there is no prior connection according to our logs, which is >> strange, now that you mention it. > > A possible cause is that the initial connection failed to complete, > and that's why the fallback might have taken place. Was the problem > consistent or a "one-of"?
We don't get much mail from that source only 2 mails in the last month, both with the same error. I could find no other occasions. > >>>> They use Kerio Connect 8.4.0 RC 1. According to Wikipedia (couldn't find >>>> any version information on their website): >>>> >>>> 8.3.4 OpenSSL library upgraded to version 1.0.1j to prevent MITM >>>> protocol downgrade to insecure SSL 3.0 protocol >>> >>> Perhaps 1.0.1j sometimes sends SCSV when it should not, I'll look >>> into it when I get a chance. > > I'll may yet look into this later, but it should be very difficult > for that kind of bug to happen, the SCSV is supposed to be turned > on under application control, OpenSSL cannot unilaterally determine > that some prior connection failed and downgraded settings are in > use as a result. Since this should not ever be turned autonomously > by the library, it should never happen "by accident". Possibly a buggy implementation on the server side then. It's still a "RC 1" if I read the banner correctly. ------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------ Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------
