Forum Discussion
LyonsG_85618
Cirrostratus
If i use DEFAULT:!TLSv1_1:!TLSv1_2 I can't see RC4-MD5 ciphers:
tmm --clientciphers 'DEFAULT:!TLSv1_1:!TLSv1_2'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
2: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
3: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
4: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
12: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
13: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
And still get error in log:
SSL Handshake failed for TCP from 172.31.81.95:65417 to 172.31.100.195:443
If use 'MEDIUM:!TLSv1_1:!TLSv1_2'
tmm --clientciphers 'MEDIUM:!TLSv1_1:!TLSv1_2'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 4 RC4-MD5 128 SSL3 Native RC4 MD5 RSA
1: 4 RC4-MD5 128 TLS1 Native RC4 MD5 RSA
2: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
3: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
4: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
5: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
6: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
7: 51 DHE-RSA-AES128-SHA 128 SSL3 Native AES SHA EDH/RSA
8: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
9: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
I can see RC4-MD5 ciphers but get the following in the log:
Jun 10 09:44:48 bipscint2 notice tmm2[13424]: 01260018:5: Connection attempt to insecure SSL server (see RFC5746): 172.31.100.195:443
Jun 10 09:44:48 bipscint2 info tmm2[13424]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:65533 to 172.31.100.195:443
Cory_50405
Jun 10, 2014Noctilucent
Just for the sake of proving it'll work, change the cipher string to ALL and see if that works. If it goes, grab an ssldump and see what ciphers the server supports.