Error: sslv3 alert handshake failure (1040) - Client Tunnel can't connect to Tunnel Server

Article ID: 209953

Products

DX Infrastructure Management
CA Unified Infrastructure Management for z Systems
CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
CA Unified Infrastructure Management SaaS (Nimsoft / UIM)
NIMSOFT PROBES

Issue/Introduction

We built a new hub server and enabled tunneling to connect back to the tunnel server. We created the entry, disabled IP validation, disabled the common name check, and imported the certificate to the client tunnel. We are also able to telnet from the hub server (client tunnel) to the tunnel server on TCP port 48003. But we are unable to make the connection to the main tunnel server. Further, while checking the logs on the tunnel client server, I got the following error.

Mar  5 15:27:19:088 [4836] hub: TSESS could not connect to tunnel xx.xx.xx.xx:48003 (336032784) 
Mar  5 15:27:19:088 [4836] hub: CTRL  connection error: sslv3 alert handshake failure (1040) 

Mar  5 15:36:52:081 [3780] hub: TSESS could not connect to tunnel xx.xxx.xx.xx:48003 (336032784) 
Mar  5 15:36:52:081 [3780] hub: CTRL  connection error: sslv3 alert handshake failure (1040) 
Mar  5 15:36:52:081 [3780] hub: CTRL  could not connect to server xx.xxx.xx.xxx/48003

Environment

Release : 9.0.2

Component : UIM OPERATOR CONSOLE - ALARM VIEWER

hub 7.97

Resolution

Tunnel client error:

Mar  5 19:08:25:721 [5568] hub: SSL state (connect): SSLv2/v3 write client hello A
Mar  5 19:08:25:768 [1920] hub: SSL alert (read): fatal: handshake failure
Mar  5 19:08:25:768 [1920] hub: ssl_connect - SSL_connect error (1) on new SSL connection
Mar  5 19:08:25:768 [1920] hub: SSL_connect error occured
Mar  5 19:08:25:768 [1920] hub:    [1] error:0x14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Mar  5 19:08:25:768 [1920] hub: TSESS could not connect to tunnel 10.xxx.xx.xx:48003 (336032784)
Mar  5 19:08:25:768 [1920] hub: CTRL  connection error: sslv3 alert handshake failure (1040)
Mar  5 19:08:25:768 [1920] hub: CTRL  could not connect to server 10.xxx.xx.xx/48003

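The log shows the fatal handshake failure alert being read right after the client hello is written, so the handshake fails during negotiation. In hub.cfg, the tunnel server has its security setting set to LOW: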

<server>
   active = yes
   port = 48003
   password = 2mN6OthXXXXXXCxbnIAK9A==
   cipher = LOW:!ADH
   commonName = 10.xxx.10.xxx
   notAfter = 1683191430
</server>

In hub v7.97, change the Security Setting level from "Low" to another level.

This setting is configured on the Tunnel Server-side hub.

The problem should not occur with "None", "Medium", "High" or a custom cipher such as "RC4-SHA".

NOTE: You don't need to re-create new tunnel certificates along with the [Security Setting] change.
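
To check another hub for the same pattern, the script below (an added example, not Broadcom's or the hub's own code) scans hub log text for a fatal alert read straight after the client hello and looks for the LOW group in the <server> cipher of hub.cfg. The function names and the embedded sample text are assumptions, constructed from the log and configuration formats shown above.

```python
import re

# Constructed samples in the formats shown on this page (not real captures).
SAMPLE_LOG = """\
Mar  5 19:08:25:721 [5568] hub: SSL state (connect): SSLv2/v3 write client hello A
Mar  5 19:08:25:768 [1920] hub: SSL alert (read): fatal: handshake failure
Mar  5 19:08:25:768 [1920] hub: TSESS could not connect to tunnel 10.xxx.xx.xx:48003 (336032784)
"""
SAMPLE_CFG = """\
<server>
   active = yes
   port = 48003
   cipher = LOW:!ADH
</server>
"""

STATE = re.compile(r"hub: SSL state \(connect\): (.+)$")
ALERT = re.compile(r"hub: SSL alert \((read|write)\): fatal: (.+)$")
TSESS = re.compile(r"hub: TSESS could not connect to tunnel (\S+):(\d+)")

def triage(log_text):
    """Return one finding per failed tunnel connection attempt."""
    findings, state, alert = [], None, None
    for line in log_text.splitlines():
        if m := STATE.search(line):
            state = m.group(1).strip()
        elif m := ALERT.search(line):
            alert = (m.group(1), m.group(2).strip())
        elif (m := TSESS.search(line)) and alert:
            # An alert *read* right after our client hello came from the server:
            # it refused the offer before any certificate was exchanged.
            rejected = alert[0] == "read" and "write client hello" in (state or "")
            findings.append({"peer": m.group(1), "port": int(m.group(2)),
                             "alert": alert[1], "server_rejected_hello": rejected})
            state = alert = None
    return findings

def server_cipher(cfg_text):
    """Extract the cipher string from the <server> section of hub.cfg text."""
    section = re.search(r"<server>(.*?)</server>", cfg_text, re.S)
    m = section and re.search(r"^\s*cipher\s*=\s*(.+?)\s*$", section.group(1), re.M)
    return m.group(1) if m else None

def uses_low_group(cipher):
    """True if the cipher string selects the LOW group (not negated with ! or -)."""
    return any(t.upper() == "LOW" for t in re.split(r"[:, ]+", cipher or ""))

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(server_cipher(SAMPLE_CFG), uses_low_group(server_cipher(SAMPLE_CFG)))
```

Run triage() on the tunnel client's hub log and the two cipher functions on the tunnel server's hub.cfg, since the Security Setting is stored on the server side.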

 

Additional Information

Allow (open) TCP port 48003 from the tunnel client to the tunnel server.