SRX

 View Only
last person joined: 18 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SSL Forward Proxy: ssl3_read_bytes:sslv3 alert handshake failure

    Posted 04-19-2023 12:29


    I am having an issue with the following error that is baffling us, SSL routines:ssl3_read_bytes:sslv3 alert handshake failure. We are running SSL Forward Proxy service. This error is presented on the Juniper Forward Proxy log and at the remote server (example jpg.nyctmc.org). The remote server has sslv3 disabled according to vendor and testing seems to validate that also from ssllabs.com report. The error occurs on the SSL-I segment (https://www.screencast.com/t/iIgyKufxGYy) to the remote server. 
    This does not happen to all traffic, only certain remote secured servers like the example listed earlier. The forward proxy works fine with the few exceptions. I am not sure if this has anything to do with sslv3 or that is just a generic error. SSLv3 has been deprecated 2023-04-06_15-40-17

     Anyone have any inputs on the error on SSL Forward Proxy?

    Log from SRX1500 Proxy:



    Appliance: Juniper SRX1500
    JunOS: 21.2R3-S2.9 (https://www.screencast.com/t/kNu3xLWZz2iI)
    Cluster: Yes
    Service: SSL Forward Proxy (https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-ssl-proxy.html)

    Remote Server certificate: Not SNI
    Remote Server SSLv3: Disabled
    Juniper SSLv3: Disabled via shell on httpd and also ran - unset ssl sslv3
        CEC Juniper Community

    Cipher Suites: Both end has compatible latest cipher suites

        



    ------------------------------
    Frank Cheung
    ------------------------------


  • 2.  RE: SSL Forward Proxy: ssl3_read_bytes:sslv3 alert handshake failure

    This message was posted by a user wishing to remain anonymous
    Posted 04-20-2023 13:08
    This message was posted by a user wishing to remain anonymous

    SSL3 deprecated see -> SSL Proxy | Junos OS | Juniper Networks




  • 3.  RE: SSL Forward Proxy: ssl3_read_bytes:sslv3 alert handshake failure

    Posted 05-13-2023 14:45

    After many packet captures and investigations into this handshake issue. We have deduced to the JUNOS ssl proxy not matching Supported Named Groups. We are referring to the Elliptical Curves Key Exchange for NIST sep256r1/P-256, secp384r1/P-384, etc.

    Below is the snapshot of the ssllabs  section for target server. It supports ONLY secp384r1.
    https://www.screencast.com/t/uP54kDBqk

    Below is a snapshot of hello packet capture from Juniper SSL Forward Proxy.  Juniper is only advertising secp256r1 as supported.
    https://www.screencast.com/t/7kBvsLCc

    Below is a screnshot of article talking about the exact issue using TLS1.3 , I assume it applies to TLS1.2 that our system is speaking.


    So my question ultimately for the community is whether JUNOS 21.2R3-S2.9 supports SECP384r1/P-384 Elliptical Curve. Does any JunOS higher than 21.r2-s2.9 support it for SSL Forward Proxy? 






    ------------------------------
    Frank Cheung
    ------------------------------



  • 4.  RE: SSL Forward Proxy: ssl3_read_bytes:sslv3 alert handshake failure

    Posted 05-13-2023 14:46
    Edited by Frank Cheung 05-13-2023 14:47

    Sorry, Removing duplicate post