[CalendarServer-users] SSL Ciphers

Andre LaBranche dre at apple.com
Mon Mar 10 16:03:15 PDT 2014


On Mar 10, 2014, at 2:30 PM, m at ainc.be wrote:

> Thank you for the reply. I also tried with different -cipher flags but no joy. Here is the output:
> 
> CONNECTED(00000003)
> 140316387088016:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:

Hi,

List cc re-added.

I don't immediately know the problem here, but it could be an SSL / TLS version mismatch. Some suggestions:

1) Try adding -ssl3 or -tls1 after s_client in the openssl command.
2) Try the various options for SSLMethod in caldavd.plist. Possible values are: SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD. In general, TLS > SSL3 > SSL2 in terms of safety. Backwards compatibility is the typical constraint.
3) In Firefox, hit about:config, void your warranty, search for security.ssl, and then verify that there is at least one point of intersection between the enabled ciphers and the output of "openssl ciphers ALL" (or whatever you've got configured in SSLCiphers - see "man ciphers" for more on the cipher groups and how they are defined). In looking at the about:config stuff for the current version of Firefox, I'm only seeing references to ssl3, so my guess is that it requires the server to allow ssl3 (which it totally should).
4) Enjoy a tasty beverage. Nobody really enjoys debugging SSL issues... :)

-dre
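
Added example, not part of the original message: a shell sketch of the intersection check from suggestion 3, comparing the cipher preferences enabled in Firefox with a colon-separated OpenSSL cipher list. The function names, the sample values, and the small preference-to-OpenSSL name mapping are assumptions of this example; extend the mapping for other preferences.

```shell
#!/bin/sh
# Map a Firefox about:config cipher preference to its OpenSSL cipher name.
# Assumption: only these few preferences are covered; others map to nothing.
ff_to_openssl() {
    case "$1" in
        security.ssl3.rsa_aes_128_sha)       echo AES128-SHA ;;
        security.ssl3.rsa_aes_256_sha)       echo AES256-SHA ;;
        security.ssl3.dhe_rsa_aes_128_sha)   echo DHE-RSA-AES128-SHA ;;
        security.ssl3.dhe_rsa_aes_256_sha)   echo DHE-RSA-AES256-SHA ;;
        security.ssl3.ecdhe_rsa_aes_128_sha) echo ECDHE-RSA-AES128-SHA ;;
        security.ssl3.ecdhe_rsa_aes_256_sha) echo ECDHE-RSA-AES256-SHA ;;
        security.ssl3.rsa_rc4_128_sha)       echo RC4-SHA ;;
        security.ssl3.rsa_des_ede3_sha)      echo DES-CBC3-SHA ;;
    esac
}

# common_ciphers SERVER_LIST PREF...
# SERVER_LIST is colon-separated, as printed by `openssl ciphers ALL` or by
# `openssl ciphers` given the SSLCiphers value. Prints one shared cipher per line.
common_ciphers() {
    server=":$1:"   # wrap in colons so only whole cipher names match
    shift
    for pref in "$@"; do
        name=$(ff_to_openssl "$pref")
        [ -n "$name" ] || continue
        case "$server" in
            *":$name:"*) echo "$name" ;;
        esac
    done
}

# Constructed sample data (not taken from the thread).
SAMPLE_SERVER="ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:AES128-SHA"
SAMPLE_PREFS="security.ssl3.rsa_aes_128_sha security.ssl3.rsa_rc4_128_sha security.ssl3.ecdhe_rsa_aes_128_sha"

# Real use: common_ciphers "$(openssl ciphers ALL)" <prefs set to true in about:config>
# Empty output means no shared cipher, so the handshake cannot succeed.
common_ciphers "$SAMPLE_SERVER" $SAMPLE_PREFS
```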

