[CalendarServer-users] SSL Ciphers

m at ainc.be
Mon Mar 10 18:40:23 PDT 2014


I tried both ssl3 and tls1 for s_client and both failed. Depending on 
what SSLMethod I use in caldavd.plist, s_client will return "alert 
handshake failure:s3_pkt.c:1256:SSL alert number 40" when used with a 
flag lower than or equal to the server's setting, and if used with 
something higher (i.e. tls1_2), I receive "SSL3_GET_RECORD:wrong version 
number:s3_pkt.c:337:". I usually get these errors when no certificate is 
available but the certificates are fully accessible (they are being used 
fine by postfix and dovecot) and caldavd has access. It would be useful 
if the logs showed something but unfortunately both the access and error 
logs for caldavd are showing nothing.

------ Original Message ------
From: "Andre LaBranche" <dre at apple.com>
To: m at ainc.be
Cc: "calendarserver-users at lists.macosforge.org list" 
<calendarserver-users at lists.macosforge.org>
Sent: 10/03/2014 7:03:15 PM
Subject: Re: [CalendarServer-users] SSL Ciphers

>On Mar 10, 2014, at 2:30 PM, m at ainc.be wrote:
>>  Thank you for the reply. I also tried with different -cipher flags 
>>but no joy. Here is the output:
>>  CONNECTED(00000003)
>>  140316387088016:error:14077410:SSL 
>>routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
>List cc re-added.
>I don't immediately know the problem here, but it could be an SSL / TLS 
>version mismatch. Some suggestions:
>1) Try adding -ssl3 or -tls1 after s_client in the openssl command.
>2) Try the various options for SSLMethod in caldavd.plist. Possible 
>general, TLS > SSL3 > SSL2 in terms of safety. Backwards compatibility 
>is the typical constraint.
>3) In firefox, hit about:config, void your warranty, search for 
>security.ssl, and then verify that there is at least one point of 
>intersection between the enabled ciphers and the output of "openssl 
>ciphers ALL" (or whatever you've got configured in SSLCiphers - see 
>"man ciphers" for more on the cipher groups and how they are defined). 
>In looking at the about:config stuff for the current version of 
>Firefox, I'm only seeing references to ssl3, so my guess is that it 
>requires the server to allow ssl3 (which it totally should).
>4) Enjoy a tasty beverage. Nobody really enjoys debugging SSL issues... 
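
Suggestion 3 in the quoted reply comes down to whether the server's SSLCiphers string and the client's enabled suites share at least one suite. The following is an added example, not code from either poster or from CalendarServer: it expands OpenSSL cipher strings with Python's ssl module (so results reflect the local OpenSSL build) and intersects them. The cipher strings are constructed samples, and the client list is assumed to be already written in OpenSSL suite names.

```python
import ssl


def expand(cipher_string):
    """Return the suite names (TLS 1.2 and below) an OpenSSL cipher string selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL refuses a string that selects no suite at all.
        return set()
    # TLS 1.3 suites are configured separately and always listed, so drop them:
    # they say nothing about what the cipher string itself selected.
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def shared_suites(server_string, client_string):
    """Sorted suites both sides would offer; empty means no handshake can succeed."""
    return sorted(expand(server_string) & expand(client_string))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    server = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
    client = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256"
    common = shared_suites(server, client)
    if common:
        print("shared suites:", ", ".join(common))
    else:
        print("no shared suite: expect a handshake failure alert")
```

A non-empty result only rules out a cipher mismatch; a protocol version mismatch or a certificate the server cannot load can still abort the handshake.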
