This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Extreme Control TLS Alert

Extreme Control TLS Alert

Go to solution
RobertD1
Contributor II

‎05-15-2023 02:09 AM

Hello,

Rather than wasting time troubleshooting the below error I wondered if the Extreme Control Engine will reject older encryption protocols such as SSL V3.0?

Old Windows XP with 802.1x PEAP:

Event:

eap_peap: TLS Alert write:fatal:handshake failure eap_peap: Failed in __FUNCTION__ (SSL_read): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher eap_peap: System call (I/O) error (-1) eap_peap: TLS receive handshake failed during operation

Thanks,

Rob

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Robert_Haynes
Extreme Employee

‎05-15-2023 05:13 AM

Correct. Control will reject any SSLv3 based encipherment. It will also reject a core list of now defunct / legacy ciphers from older clients as listed in GTAC KB @ https://extremeportal.force.com/ExtrArticleDetail?an=000100637.

 

View solution in original post

6 REPLIES 6

Go to solution
Ryan_Yacobucci
Extreme Employee

‎05-15-2023 05:14 AM

A more recent article: 

https://extremeportal.force.com/ExtrArticleDetail?an=000100637

Thanks
-Ryan

0 Kudos

Go to solution
Robert_Haynes
Extreme Employee

‎05-15-2023 05:13 AM

Correct. Control will reject any SSLv3 based encipherment. It will also reject a core list of now defunct / legacy ciphers from older clients as listed in GTAC KB @ https://extremeportal.force.com/ExtrArticleDetail?an=000100637.

 

Go to solution
RobertD1
Contributor II
In response to Robert_Haynes

‎05-15-2023 07:00 AM

Thanks Robert!

Based on your response it does look like the issue is that neither the client or server can agree on a cipher to use after taking a capture of the client hello.

Trace shows client hello...

 

RobertD1_0-1684158924144.png

The enterasys.tomcat.ciphers list:

enterasys.tomcat.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256

 

 

0 Kudos

Go to solution
Robert_Haynes
Extreme Employee
In response to RobertD1

‎05-16-2023 05:13 AM

Thank you for the trace. The client cipher list presented is wholly deprecated at this point, a collection of RC4 (cryptographically weak), CBC (Beast/Poodle Attacks) and defunct EXPORT ciphers. OpenSSL long ago deprecated these ciphers which our Control appliance uses.

0 Kudos
GTM-P2G8KFN