I am having an issue with the following error that is baffling us: "SSL routines:ssl3_read_bytes:sslv3 alert handshake failure". We are running the SSL Forward Proxy service. This error is presented on the Juniper Forward Proxy log and at the remote server (example jpg.nyctmc.org). The remote server has SSLv3 disabled according to the vendor, and testing seems to validate that also from the ssllabs.com report. The error occurs on the SSL-I segment (https://www.screencast.com/t/iIgyKufxGYy) to the remote server. This does not happen to all traffic, only certain remote secured servers like the example listed earlier. The forward proxy works fine with the few exceptions. I am not sure if this has anything to do with SSLv3 or if that is just a generic error.

SSLv3 has been deprecated (screenshot 2023-04-06_15-40-17).
Anyone have any inputs on the error on SSL Forward Proxy?

Log from SRX1500 Proxy:
Appliance: Juniper SRX1500
JunOS: 21.2R3-S2.9 (https://www.screencast.com/t/kNu3xLWZz2iI)
Cluster: Yes
Service: SSL Forward Proxy (https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-ssl-proxy.html)
Remote Server certificate: Not SNI
Remote Server SSLv3: Disabled
Juniper SSLv3: Disabled via shell on httpd and also ran "unset ssl sslv3" (CEC Juniper Community)
Cipher Suites: Both ends have compatible latest cipher suites
SSL3 deprecated, see: SSL Proxy | Junos OS | Juniper Networks
After many packet captures and investigations into this handshake issue, we have deduced that the JUNOS SSL proxy is not matching Supported Named Groups. We are referring to the Elliptic Curve key exchange for NIST secp256r1/P-256, secp384r1/P-384, etc.

Below is the snapshot of the ssllabs section for the target server. It supports ONLY secp384r1.
https://www.screencast.com/t/uP54kDBqk

Below is a snapshot of the hello packet capture from Juniper SSL Forward Proxy. Juniper is only advertising secp256r1 as supported.
https://www.screencast.com/t/7kBvsLCc

Below is a screenshot of an article talking about the exact issue using TLS 1.3; I assume it applies to TLS 1.2, which our system is speaking.
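To make the diagnosis above concrete, here is an added Python example (not from this thread and not Juniper code) that builds a constructed ClientHello, parses its supported_groups extension the way one would read it off a capture, and checks it against the server's accepted curves: with the proxy offering only secp256r1 and a server accepting only secp384r1, no group is negotiable and the server replies with alert 40 (handshake_failure), which OpenSSL labels "sslv3 alert handshake failure" regardless of the protocol version actually in use. The group and cipher-suite numbers are the standard IANA registry values; the ClientHello bytes are constructed here, not captured from an SRX.

```python
import struct

# IANA TLS "supported_groups" values (RFC 8422 / RFC 8446 registry).
NAMED_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1",
                0x0019: "secp521r1", 0x001D: "x25519"}
SUPPORTED_GROUPS_EXT = 0x000A   # extension type: supported_groups
HANDSHAKE_FAILURE = 40          # alert description the server sends when no group matches

def build_client_hello(groups):
    """Constructed sample: minimal TLS 1.2 ClientHello with one cipher suite and a
    supported_groups extension (not a real SRX capture)."""
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    ext_body = struct.pack("!H", len(group_list)) + group_list
    ext = struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(ext_body)) + ext_body
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # client_version, random, empty session_id
            + b"\x00\x02\xc0\x2c"                   # one suite: ECDHE-ECDSA-AES256-GCM-SHA384
            + b"\x01\x00"                           # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_hello_groups(record):
    """Walk a ClientHello record and return the named groups it advertises."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:]
    p = 4 + 2 + 32                                  # handshake header, version, random
    p += 1 + hs[p]                                  # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
    p += 1 + hs[p]                                  # compression_methods
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if ext_type == SUPPORTED_GROUPS_EXT:
            n = struct.unpack("!H", hs[p:p + 2])[0] // 2
            return list(struct.unpack("!%dH" % n, hs[p + 2:p + 2 + 2 * n]))
        p += ext_len
    return []

def negotiable_group(client_groups, server_groups):
    """Server-side view: first offered group the server also supports, or None,
    in which case the server answers with alert 40 (handshake_failure)."""
    return next((g for g in client_groups if g in server_groups), None)

if __name__ == "__main__":
    hello = build_client_hello([0x0017])            # proxy offers only secp256r1
    offered = client_hello_groups(hello)
    chosen = negotiable_group(offered, {0x0018})    # server accepts only secp384r1
    print([NAMED_GROUPS[g] for g in offered], "->",
          NAMED_GROUPS[chosen] if chosen else "alert %d handshake_failure" % HANDSHAKE_FAILURE)
```

Running it with the server set widened to {0x0017, 0x0018} shows the handshake proceeding with secp256r1, which is the outcome the proxy would need the server or its own group list to allow.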
Sorry, Removing duplicate post