https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95848#M391 <P>Hello,</P><P>Rather than wasting time troubleshooting the below error I wondered if the Extreme Control Engine will reject older encryption protocols such as SSL V3.0?</P><P>Old Windows XP with 802.1x PEAP:</P><P>Event:</P><P>eap_peap: TLS Alert write:fatal:handshake failure eap_peap: Failed in __FUNCTION__ (SSL_read): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher eap_peap: System call (I/O) error (-1) eap_peap: TLS receive handshake failed during operation</P><P>Thanks,</P><P>Rob</P> Mon, 15 May 2023 09:09:32 GMT RobertD1 2023-05-15T09:09:32Z https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95848#M391 <P>Hello,</P><P>Rather than wasting time troubleshooting the below error I wondered if the Extreme Control Engine will reject older encryption protocols such as SSL V3.0?</P><P>Old Windows XP with 802.1x PEAP:</P><P>Event:</P><P>eap_peap: TLS Alert write:fatal:handshake failure eap_peap: Failed in __FUNCTION__ (SSL_read): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher eap_peap: System call (I/O) error (-1) eap_peap: TLS receive handshake failed during operation</P><P>Thanks,</P><P>Rob</P> Mon, 15 May 2023 09:09:32 GMT https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95848#M391 RobertD1 2023-05-15T09:09:32Z https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95850#M392 <P>Hello Robert,</P><P>This is likely the case.&nbsp;<BR /><A href="https://extremeportal.force.com/ExtrArticleDetail?an=000066220" target="_blank">https://extremeportal.force.com/ExtrArticleDetail?an=000066220</A><BR /><BR />I will need to get this article modified. You can test the appliance property in the article, but I believe at this point these ciphers have been completely deprecated and are not available for use at all.&nbsp;</P><P>Thanks<BR />-Ryan</P> Mon, 15 May 2023 12:12:48 GMT https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95850#M392 Ryan_Yacobucci 2023-05-15T12:12:48Z https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95851#M393 <P>Correct. Control will reject any SSLv3 based encipherment. It will also reject a core list of now defunct / legacy ciphers from older clients as listed in GTAC KB&nbsp;@&nbsp;<A href="https://extremeportal.force.com/ExtrArticleDetail?an=000100637" target="_blank">https://extremeportal.force.com/ExtrArticleDetail?an=000100637</A>.</P><P>&nbsp;</P> Mon, 15 May 2023 12:13:04 GMT https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95851#M393 Robert_Haynes 2023-05-15T12:13:04Z https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95852#M394 <P>A more recent article:&nbsp;</P><P><A href="https://extremeportal.force.com/ExtrArticleDetail?an=000100637" target="_blank">https://extremeportal.force.com/ExtrArticleDetail?an=000100637</A></P><P>Thanks<BR />-Ryan</P> Mon, 15 May 2023 12:14:17 GMT https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95852#M394 Ryan_Yacobucci 2023-05-15T12:14:17Z https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95853#M395 <P>... take a trace of the PEAP connection to expose the ciphers the client is requesting and compare against what is set as seen in the NSJBoss.properties 'tomcat.ciphers' entry.</P> Mon, 15 May 2023 12:15:49 GMT https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95853#M395 Robert_Haynes 2023-05-15T12:15:49Z https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95856#M396 <P>Thanks Robert!</P><P>Based on your response it does look like the issue is that neither the client or server can agree on a cipher to use after taking a capture of the client hello.</P><P>Trace shows client hello...</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RobertD1_0-1684158924144.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6513i67B7D78F8DA324C1/image-size/medium?v=v2&amp;px=400" role="button" title="RobertD1_0-1684158924144.png" alt="RobertD1_0-1684158924144.png" /></span></P><P>The enterasys.tomcat.ciphers list:</P><P>enterasys.tomcat.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 15 May 2023 14:00:05 GMT https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95856#M396 RobertD1 2023-05-15T14:00:05Z https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95863#M397 <P>Thank you for the trace. The client cipher list presented is wholly deprecated at this point, a collection of RC4 (cryptographically weak), CBC (Beast/Poodle Attacks) and defunct EXPORT ciphers. OpenSSL long ago deprecated these ciphers which our Control appliance uses.</P> Tue, 16 May 2023 12:13:23 GMT https://community.extremenetworks.com/t5/extremecontrol/extreme-control-tls-alert/m-p/95863#M397 Robert_Haynes 2023-05-16T12:13:23Z