TLS handshake error with Windows XP

alexander smishlajev

Nov 6, 2014, 9:33:39 AM
to prosod...@googlegroups.com
Hello!

I have recently moved my XMPP server from ejabberd running on FreeBSD to Prosody v0.9.6 running on CentOS Linux v6.5.

After this move, one of the clients is unable to connect with either TLS or SSL. Here is the data exchanged for the TLS handshake:

[13:34:38 2CB8] (00000000:0) Data sent
00000000: 16 03 01 00-48 01 00 00-44 03 01 54-5B 4E BE 6C  ....H...D..T[Nl
00000010: 09 0C EB 4F-5A 30 7C D7-7C 25 B4 D0-65 54 AA 02  ..OZ0||%eT.
00000020: 87 9F 1E 16-35 94 7D F1-68 3B 41 00-00 16 00 04  ..5}h;A.....
00000030: 00 05 00 0A-00 09 00 64-00 62 00 03-00 06 00 13  .......d.b......
00000040: 00 12 00 63-01 00 00 05-FF 01 00 01-00           ...c........
[13:34:38 2CB8] (00000000:0) Data received
00000000: 15 03 01 00-02 02 28                             ......(
[13:34:38 2CB8] SSL connection failure (80090326 473)

The client uses Windows XP.

Is there anything that can be done to enable secure connections from such a client?

Sincerely yours,
alex.

Thijs Alkemade

Nov 13, 2014, 9:18:25 AM
to prosod...@googlegroups.com
This is that ClientHello message decoded:

16 type: handshake
0301 version 3.1 (TLS 1.0)
0048 0x48 byte packet
01 type: client hello
000044 0x44 byte length
0301 version 3.1 (TLS 1.0)
545B4EBE unix timestamp (10:34:38 UTC, Thursday, November 6, 2014) 
6C090CEB4F5A307CD77C25B4D06554AA02879F1E1635947DF1683B41 Random
00 session id (empty)
0016 cipher suite length (22 bytes)
0004 RC4-MD5
0005 RC4-SHA
000A DES-CBC3-SHA
0009 DES-CBC-SHA
0064 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
0062 TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
0003 EXP-RC4-MD5
0006 EXP-RC2-CBC-MD5
0013 EDH-DSS-DES-CBC3-SHA
0012 EDH-DSS-DES-CBC-SHA
0063 TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
01 compression methods length
00 null
0005 5 byte extension
FF01000100 no renegotiation info

Basically, all of these ciphers are horrible and none of them should be used for encryption anymore. You really should look for a more modern client and OS.

Regards,
Thijs
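
The decode above can be reproduced mechanically. As an added example (not part of the thread and not Prosody code), this Python parser walks the ClientHello bytes from the first post, labels each offered suite using the names from the listing above, and decodes the 7-byte server reply as a TLS alert. The function names and the WEAK name-matching table are assumptions made for the example.

```python
import struct

# Bytes copied from the "Data sent" / "Data received" dumps in the first post.
CLIENT_HELLO = bytes.fromhex(
    "1603010048010000440301545B4EBE6C090CEB4F5A307CD77C25B4D06554AA02"
    "879F1E1635947DF1683B4100001600040005000A000900640062000300060013"
    "0012006301000005FF01000100")
SERVER_REPLY = bytes.fromhex("15030100020228")
# Suite names exactly as written in the decoded listing in the reply above.
SUITES = {0x0004: "RC4-MD5", 0x0005: "RC4-SHA", 0x000A: "DES-CBC3-SHA",
          0x0009: "DES-CBC-SHA", 0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
          0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA", 0x0003: "EXP-RC4-MD5",
          0x0006: "EXP-RC2-CBC-MD5", 0x0013: "EDH-DSS-DES-CBC3-SHA",
          0x0012: "EDH-DSS-DES-CBC-SHA",
          0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA"}
# Name fragments mapped to the primitive they indicate (matching by name is an assumption).
WEAK = [("EXP", "export-grade"), ("RC4", "RC4"), ("RC2", "RC2"), ("MD5", "MD5 MAC"),
        ("DES-CBC-", "single DES"), ("DES-CBC3", "3DES")]

def weaknesses(name):
    """List the legacy primitives a suite name reveals."""
    n = name.replace("_", "-")
    return [why for tag, why in WEAK if tag in n]

def parse_client_hello(rec):
    """Parse one TLS record carrying a ClientHello (extensions are not decoded)."""
    ctype, _, rec_len = struct.unpack_from("!BHH", rec, 0)
    if ctype != 0x16 or rec_len != len(rec) - 5 or rec[5] != 0x01:
        raise ValueError("not a single complete ClientHello record")
    version, gmt = struct.unpack_from("!HI", rec, 9)   # after 4-byte handshake header
    pos = 43                                           # past version + 32-byte random
    pos += 1 + rec[pos]                                # skip session id
    (n,) = struct.unpack_from("!H", rec, pos)          # cipher_suites length in bytes
    suites = list(struct.unpack_from("!%dH" % (n // 2), rec, pos + 2))
    return {"version": version, "gmt_unix_time": gmt, "suites": suites}

def parse_alert(rec):
    """Return (level, description) from a plaintext TLS alert record."""
    if rec[0] != 0x15 or rec[3:5] != b"\x00\x02":
        raise ValueError("not a plaintext alert record")
    return rec[5], rec[6]

if __name__ == "__main__":
    for s in parse_client_hello(CLIENT_HELLO)["suites"]:
        print("%04X %-40s %s" % (s, SUITES[s], ", ".join(weaknesses(SUITES[s]))))
    print("alert:", parse_alert(SERVER_REPLY))  # level 2 = fatal, 40 = handshake_failure
```

The server's reply decodes to a fatal handshake_failure alert, which is what a TLS server sends when it accepts none of the offered cipher suites.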

Matthew Wild

Nov 13, 2014, 9:21:56 AM
to Prosody IM Users Group
Hi Alex,

Firstly - sorry for the delay in processing your post (and also to
everyone else who was affected). Posts from new members have to be
manually approved, and somehow I wasn't being notified!

On 6 November 2014 14:33, alexander smishlajev <smish...@gmail.com> wrote:
> Hello!
>
> I have recently moved my XMPP server from ejabberd running on FreeBSD to
> Prosody v0.9.6 running on CentOS Linux v6.5.

> The client uses Windows XP.
>
> Is there anything that can be done to enable secure connections from such
> client?

This is very likely because of our recent changes to the SSL versions
and ciphers that Prosody will offer. I'm afraid Windows XP is simply
not secure any more.

It should be possible to use another client however that uses
OpenSSL/GnuTLS/etc. instead of the built-in Windows SSL library. I'm
not 100% sure which clients do this on Windows, but I think Psi and Gajim
should be ok.

But really they just need to upgrade their whole operating system!

Regards,
Matthew