
Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#9452 closed defect (fixed)

Unable to negotiate acceptable set of security parameters

Reported by: colinito
Owned by: yla
Priority: normal
Milestone: 5.0
Component: webdav
Version: 4.8.1
Severity: normal
Keywords: Inoperability failure, mac
Cc:
Architecture: Intel
Platform: Mac OS X 10.11

Description

We've noticed an increase in "inoperability failures" when connecting to secure WebDAV using P12s generated as part of our 2FA requirement when connecting to our SaaS-based web platform. The login process never transfers from the certificate selection to allowing access to the keychain.

We've tracked it by trial/error to a change somewhere between version 4.7.3 (works) and 4.8.1 (failures).

  • Affected Systems: MBP 2.4/Core i5 OSX 10.9.5 & MBP 2.7 Core i5 OSX 10.11.4
  • Working versions: 4.5 - 4.7.3.
  • Non-working version: First non-working version 4.8.1 (4.8.1.19040.zip)
  • Windows machine has worked through all versions up to and including 4.9

Same remote WebDAV host/path, credentials and P12s used in all tests.

Here are the OpenSSL commands used to create the P12 (if this helps at all...)

openssl req -new -sha256 -newkey rsa:1024 -nodes -out client.req -keyout client.key
openssl x509 -CA client.net_01.crt -CAkey client.net_011.key -CAserial client.net_011.srl -req -in client.req -out client.pem -days 365
openssl pkcs12 -export -in client.pem -inkey client.key -certfile client.crt -name "client" -out client.p12

I did notice that 4.8.1 was the first to have this: [Bugfix] Restore compatibility with OS X 10.7 - 10.9 (Mac) but unsure if that excludes versions 10.9.5 and higher... couldn't find a trac number to research further.

Attachments (2)

Error Messsage Steps.docx (1.1 MB) - added by colinito 3 years ago.
Handshake Failure.png (78.6 KB) - added by dkocher 3 years ago.


Change History (21)

comment:1 Changed 3 years ago by dkocher

  • Milestone set to 4.9.1
  • Status changed from new to assigned

comment:2 Changed 3 years ago by dkocher

  • Summary changed from WebDAV using p12 keystore stopped working after v4.8.1 to Using p12 keystore stopped working after v4.8.1

Can you please post the error message displayed.

comment:3 Changed 3 years ago by dkocher

  • Summary changed from Using p12 keystore stopped working after v4.8.1 to Using p12 keystore stopped working

comment:4 Changed 3 years ago by dkocher

  • Resolution set to worksforme
  • Status changed from assigned to closed

Changed 3 years ago by colinito

comment:5 Changed 3 years ago by colinito

Here are the steps - including identical P12 certs, environments and credentials.

comment:6 Changed 3 years ago by colinito

  • Resolution worksforme deleted
  • Status changed from closed to reopened

Definitely doesn't work across multiple machines. I'd be interested to try the steps that work after version 4.7. Appreciate the time.

comment:7 Changed 3 years ago by dkocher

  • Status changed from reopened to new

comment:8 Changed 3 years ago by dkocher

  • Summary changed from Using p12 keystore stopped working to Unable to negotiate acceptable set of security parameters

Changed 3 years ago by dkocher

comment:9 Changed 3 years ago by dkocher

comment:10 Changed 3 years ago by dkocher

Can you please share the hostname of the server. This will allow us to debug the SSL negotiation.

comment:11 Changed 3 years ago by colinito

Happy to provide, but would rather not do it on a publicly accessible site - shoot me an email? chouser@…

Last edited 3 years ago by colinito

comment:12 Changed 3 years ago by dkocher

osaka:~ dkocher$ nmap --script ssl-enum-ciphers -p 443 ----------.demandware.net

Starting Nmap 7.01 ( https://nmap.org ) at 2016-04-19 11:21 CEST
Nmap scan report for ----------.demandware.net (66.179.158.204)
Host is up (0.33s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - D
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Weak certificate signature: SHA1
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - D
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Weak certificate signature: SHA1
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - D
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Weak certificate signature: SHA1
|_  least strength: D

Nmap done: 1 IP address (1 host up) scanned in 18.09 seconds

comment:13 Changed 3 years ago by dkocher

  • Milestone changed from 5.0 to 4.9.1

osaka:~ dkocher$ openssl s_client -connect ----------.demandware.net:443 -servername ----------.demandware.net
CONNECTED(00000003)
depth=0 /C=US/ST=FLORIDA/L=Miramar/O=Elizabeth Arden, Inc./OU=NA/CN=----------.demandware.net/emailAddress=dwsupport_elizabetharden@pfsweb.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=FLORIDA/L=Miramar/O=Elizabeth Arden, Inc./OU=NA/CN=----------.demandware.net/emailAddress=dwsupport_elizabetharden@pfsweb.com
verify return:1
20883:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s3_pkt.c:1145:SSL alert number 40
20883:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s23_lib.c:185:

comment:14 Changed 3 years ago by dkocher

Looks like a server configuration issue. Chrome.app also complains with "The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure."
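
Added example (not part of the ticket or of Cyberduck's code): a triage helper for the exchange in comment:12 to comment:14. It parses ssl-enum-ciphers output, lists the suites nmap graded D, and models whether a client offer shares a version and suite with the server. The client version and suite lists are hypothetical inputs, and the sample text is an abridged copy of the scan above.

```python
import re

# Constructed sample: the TLSv1.0 and TLSv1.2 sections of the scan in comment:12
# (header, TLSv1.1, compressor and warning lines omitted to keep it short).
NMAP_OUTPUT = """\
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - D
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - D
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
"""
PROTO_RE = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(\w+) \(([^)]*)\) - ([A-F])\s*$")

def parse_enum_ciphers(text):
    """Return {protocol: [(suite, key_detail, grade), ...]} in the order nmap lists them."""
    result, proto = {}, None
    for line in text.splitlines():
        proto_m, cipher_m = PROTO_RE.match(line), CIPHER_RE.match(line)
        if proto_m:
            proto = proto_m.group(1)
        elif cipher_m and proto:
            result.setdefault(proto, []).append(cipher_m.groups())
    return result

def weak_suites(parsed, worst_ok="C"):
    """Per protocol, the suites nmap graded worse than worst_ok (A is best, F worst)."""
    return {p: [s for s, _, g in suites if g > worst_ok] for p, suites in parsed.items()}

def negotiate(parsed, client_versions, client_suites):
    """Model 'cipher preference: server': highest shared version, first server suite offered."""
    shared = sorted(set(parsed) & set(client_versions), reverse=True)
    if not shared:
        return None
    suite = next((s for s, _, _ in parsed[shared[0]] if s in client_suites), None)
    return (shared[0], suite) if suite else None

if __name__ == "__main__":
    scan = parse_enum_ciphers(NMAP_OUTPUT)
    # Hypothetical client offering only a GCM suite: no overlap, so the result is None.
    print(weak_suites(scan), negotiate(scan, ["TLSv1.2"], {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}))
```

A `None` result corresponds to the "no common protocol version or cipher suite" class of failure; it does not by itself explain a handshake that fails after a client certificate is requested.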

comment:15 Changed 3 years ago by dkocher

  • Milestone changed from 4.9.1 to 5.0
  • Owner changed from dkocher to yla

comment:16 Changed 2 years ago by yla

I'm now able to reproduce the issue but the exact reason is not clear yet. We need some more time to investigate.

comment:17 Changed 2 years ago by dkocher

  • Resolution set to fixed
  • Status changed from new to closed

In r20303.

comment:18 Changed 2 years ago by dkocher

#9500 closed as duplicate.

comment:19 Changed 2 years ago by dkocher

Fix use of EC algorithms on Windows in r20451.
