
Extreme Control TLS Alert


RobertD1
Contributor II

Hello,

Rather than wasting time troubleshooting the below error I wondered if the Extreme Control Engine will reject older encryption protocols such as SSL V3.0?

Old Windows XP with 802.1x PEAP:

Event:

eap_peap: TLS Alert write:fatal:handshake failure
eap_peap: Failed in __FUNCTION__ (SSL_read): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
eap_peap: System call (I/O) error (-1)
eap_peap: TLS receive handshake failed during operation

Thanks,

Rob


Ryan_Yacobucci
Extreme Employee

Robert_Haynes
Extreme Employee

Correct. Control will reject any SSLv3 based encipherment. It will also reject a core list of now defunct / legacy ciphers from older clients as listed in GTAC KB @ https://extremeportal.force.com/ExtrArticleDetail?an=000100637.

 

Thanks Robert!

Based on your response, it does look like the issue is that neither the client nor the server can agree on a cipher to use after taking a capture of the client hello.

Trace shows client hello...

 

[Image: RobertD1_0-1684158924144.png]

The enterasys.tomcat.ciphers list:

enterasys.tomcat.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256

 

 

Thank you for the trace. The client cipher list presented is wholly deprecated at this point, a collection of RC4 (cryptographically weak), CBC (BEAST/POODLE attacks) and defunct EXPORT ciphers. OpenSSL long ago deprecated these ciphers which our Control appliance uses.
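The mismatch discussed in this thread, as an added example (not part of the original posts and not Extreme's code): it normalizes the `enterasys.tomcat.ciphers` value quoted above to IANA names and intersects it with a client offer. `CLIENT_OFFER` is a constructed sample of RC4, CBC and EXPORT suites, not the list from the poster's capture, and the function names are hypothetical.

```python
import re

# Server list exactly as quoted in the thread (IANA and OpenSSL names are mixed).
SERVER_PROPERTY = (
    "enterasys.tomcat.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
    "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,"
    "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,"
    "ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,"
    "ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256"
)

# Constructed sample of a legacy client offer (assumption, NOT the poster's trace).
CLIENT_OFFER = [
    "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]

def openssl_to_iana(name):
    """Normalize the ECDHE-*-AES* OpenSSL spellings used in the list to IANA form."""
    if name.startswith("TLS_"):
        return name
    m = re.fullmatch(r"(ECDHE)-(RSA|ECDSA)-AES(128|256)-(?:(GCM)-)?(SHA\d*)", name)
    if not m:
        raise ValueError(f"unrecognized cipher name: {name}")
    kx, auth, bits, gcm, mac = m.groups()
    return f"TLS_{kx}_{auth}_WITH_AES_{bits}_{gcm or 'CBC'}_{mac}"

def parse_server_ciphers(prop):
    """Return the set of distinct suites in a key=value cipher property line."""
    value = prop.partition("=")[2]
    return {openssl_to_iana(c.strip()) for c in value.split(",") if c.strip()}

def legacy_class(suite):
    """Tag a suite with the weakness family named in the reply above."""
    return next((t for t in ("EXPORT", "RC4", "CBC") if t in suite), "other")

def check_overlap(client_offer, prop):
    """Return (suites both sides support, weakness tag for each client suite)."""
    server = parse_server_ciphers(prop)
    shared = [s for s in client_offer if s in server]
    classes = {s: legacy_class(s) for s in client_offer}
    return shared, classes

if __name__ == "__main__":
    shared, classes = check_overlap(CLIENT_OFFER, SERVER_PROPERTY)
    print("shared suites:", shared or "none (server answers 'no shared cipher')")
    print("client offer by family:", classes)
```

Normalizing the names also shows that the quoted list holds 11 distinct suites, because `ECDHE-RSA-AES128-SHA256` and `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` are the same suite in two spellings.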
