Checking the SSL/TLS handshake & encryption
If the client is attempting to make an HTTPS connection, but the attempt fails after the connection has been initiated, during negotiation, the problem may be with SSL/TLS. Symptoms may include error messages such as:
• ssl_error_no_cypher_overlap (Mozilla Firefox 9.0.1)
• Error 113 (net::ERROR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error. (Google Chrome 16.0.912.75 m)
Expected SSL/TLS behavior varies by SSL inspection vs. SSL offloading (see “Offloading vs. inspection”):
• SSL inspection — True transparent proxy, offline protection mode and transparent inspection mode only.
The handshake is between the client and the web server. If the connection cannot be established, verify that the browser supports one of the key exchanges, encryption algorithms, and authentication (hashes) suggested by the web server. Server-side, you must also verify that your web server supports enough cipher suites that all required clients can connect.
If you are not sure which cipher suites and protocol versions are currently supported, you can use an SSL tool such as OpenSSL to discover support. For example, you could use this client-side command to find out whether the web server or FortiWeb supports strong (HIGH) encryption:
openssl s_client -connect example.com:443 -cipher HIGH
or supports deprecated or old versions such as SSL 2.0:
openssl s_client -ssl2 -connect example.com:443
If your web servers are required to comply with PCI DSS, you should make sure that your web servers do not allow weak encryption. For example, if your web servers accept SSL 2.0 or MD5 hashes, you may fail your PCI DSS audit.
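As an added example (not part of the FortiWeb guide), the following Python wrapper runs the openssl s_client probes described above, parses the handshake result, and flags the deprecated protocol versions and weak cipher suites that the PCI DSS note refers to. The probe names, the weak-marker lists and the three sample s_client outputs are constructed for this example; adjust the marker lists to your own audit scope.

```python
"""Probe a server's SSL/TLS support with openssl s_client and grade the result.

Added example, not FortiWeb code. Only the `openssl s_client` options shown
in the guide (-connect, -cipher, -ssl2) plus -ssl3, -tls1 and -servername are
used; the policy lists below are constructed for the example.
"""
import re
import subprocess

# Cipher-suite name fragments treated as weak for this example (policy choice):
# NULL/EXP = no or export-grade encryption, RC4/DES = broken ciphers,
# MD5 = weak MAC, ADH/AECDH = anonymous (unauthenticated) key exchange.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "MD5", "ADH", "AECDH", "DES")
# Protocol versions that should not be negotiable (policy choice for the example).
WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def build_probe_commands(host, port=443):
    """Return the s_client invocations for one server, keyed by probe name."""
    base = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    return {
        "high": base + ["-cipher", "HIGH"],   # must succeed: strong suite available
        "ssl2": base + ["-ssl2"],             # must fail: SSL 2.0 rejected
        "ssl3": base + ["-ssl3"],             # must fail: SSL 3.0 rejected
        "tls1": base + ["-tls1"],             # must fail: TLS 1.0 rejected
    }


def parse_s_client(output):
    """Extract the negotiated protocol and cipher from s_client output."""
    result = {"handshake_ok": False, "protocol": None, "cipher": None,
              "unsupported_option": bool(re.search(r"unknown option", output, re.I))}
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    if m:
        result["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if m:
        result["cipher"] = m.group(1)
    # A refused handshake shows "Cipher is (NONE)", an alert, or no certificate;
    # older builds also print "Cipher : 0000" in the session block.
    refused = re.search(r"Cipher is \(NONE\)|handshake failure|no peer certificate available", output)
    if not refused and result["cipher"] and result["cipher"] != "0000":
        result["handshake_ok"] = True
    return result


def weaknesses(parsed):
    """List policy findings for a completed handshake (empty list = acceptable)."""
    findings = []
    if parsed["protocol"] in WEAK_PROTOCOLS:
        findings.append(f"deprecated protocol negotiated: {parsed['protocol']}")
    name = (parsed["cipher"] or "").upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in name:
            findings.append(f"weak cipher suite negotiated: {parsed['cipher']} (matches {marker})")
            break
    return findings


def evaluate_probe(probe, parsed):
    """Grade one probe as (PASS|FAIL|SKIP, reason) according to its intent."""
    if parsed["unsupported_option"]:
        return ("SKIP", f"this OpenSSL build does not offer the {probe} option")
    if probe == "high":
        if not parsed["handshake_ok"]:
            return ("FAIL", "no HIGH cipher suite in common; strong-only clients cannot connect")
        findings = weaknesses(parsed)
        if findings:
            return ("FAIL", "; ".join(findings))
        return ("PASS", f"negotiated {parsed['protocol']} {parsed['cipher']}")
    # Legacy probes: a completed handshake means the deprecated version is accepted.
    if parsed["handshake_ok"]:
        return ("FAIL", f"server accepted {probe}: {parsed['protocol']} {parsed['cipher']}")
    return ("PASS", f"server rejected {probe}")


def run_probe(cmd, timeout=15):
    """Run one s_client probe live (not exercised offline) and parse its output."""
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=timeout)
    return parse_s_client(proc.stdout + proc.stderr)


# Constructed sample outputs, abridged from the shape openssl s_client prints.
SAMPLE_OK = """CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""
SAMPLE_REFUSED = """CONNECTED(00000003)
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""
SAMPLE_WEAK = """CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is RC4-MD5
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
"""

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for probe, cmd in build_probe_commands(host).items():
        verdict, reason = evaluate_probe(probe, run_probe(cmd))
        print(f"{probe:5} {verdict:4} {reason}")
```

Run it as `python probe_tls.py www.example.com` against your own server or FortiWeb virtual server. On OpenSSL builds compiled without SSL 2.0 or SSL 3.0 support (the default since 1.1.0) the `-ssl2` and `-ssl3` options are reported as unknown, which the script grades as SKIP rather than PASS so that an untestable probe is not mistaken for a rejected protocol.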