Action table: SSL connect error / Handshake failure

Forum for current devices of the LANCOM router/gateway series

Moderator: Lancom-Systems moderators

HotSpott
Posts: 27
Registered: 24 Aug 2014, 12:38

Action table: SSL connect error / Handshake failure

Post by HotSpott »

Hello everyone,

I am currently trying to add a new HTTPS entry to the action table (Lancom 1781AW, 10.20.0298RU2). Since that absolutely refused to work, I started a ConnAct trace and found the following error message there:

Code:

ConnAct: Action result is "SSL connect error: Handshake failure"

However, I can make the same HTTPS request without any problems in the browser or with wget. Where could the cause be?

Maybe the CA? The remote side has a certificate from the "DFN-Verein Global Issuing CA"; the root CA is "T-TeleSec GlobalRoot Class 2". Where can I see which CAs the Lancom trusts for HTTPS requests in the action table?

Best regards,
HotSpott
alf29
Moderator
Posts: 6205
Registered: 07 Nov 2004, 19:33
Location: Aachen

Post by alf29 »

Hi,

run a TLS trace while this action is being executed. There are loads of other reasons why the TLS handshake can fail.

Best regards

Alfred
"There is no death, there is just a change of our cosmic address."
-- Edgar Froese, 1944 - 2015
Post by HotSpott »

Hello Alfred,

Thanks for the quick reply. I did that right away; it looks like this:

Code:

[TLS] 2019/01/31 08:46:22,367  Devicetime: 2019/01/31 08:46:22,008
Creating connection 329 with peer xxx.xxx.xxx.xxx:443 for requester 'HTTP-Main':

[TLS] 2019/01/31 08:46:22,367  Devicetime: 2019/01/31 08:46:22,008
Sending Client Hello on connection 329:
-> adding server host name extension to client hello
-> adding renegotiation_info extension to client hello
-> all fine, receive Server Hello

[TLS] 2019/01/31 08:46:22,367  Devicetime: 2019/01/31 08:46:22,050
Receiving Server Hello on connection 329:
-> protocol version is TLSv1
-> server refuses session resumption
-> select cipher:
 -> check cipher TLS_RSA_WITH_AES_128_CBC_SHA
 -> non-PFS suite but PFS preferred, possible candidate
-> selected cipher suite is TLS_RSA_WITH_AES_128_CBC_SHA
-> parsing TLS extensions
-> all fine, receive Certificate(s)

[TLS] 2019/01/31 08:46:22,477  Devicetime: 2019/01/31 08:46:22,132
Preparing records to send on connection 329:
-> not in application state, bailing out

[TLS] 2019/01/31 08:46:22,477  Devicetime: 2019/01/31 08:46:22,131
Closing connection 329 (Handshake failure):
--> application state not reached (ClientRcvCertificate)
--> sending failure to requester

[CONNACT] 2019/01/31 08:46:22,477  Devicetime: 2019/01/31 08:46:22,133
ConnAct: Action result received for event xxx/xxx/ESTABLISH
ConnAct: Action result is "SSL connect error: Handshake failure"

Can you get anything useful out of that?

Best regards,
HotSpott
Post by alf29 »

Hi,

> Can you get anything useful out of that?

That this server is rather dusty as far as its crypto parameters go (TLS 1.0, no PFS) - or did you restrict it that way in your SSL configuration on the LANCOM? A Server Hello arrives, but instead of sending the certificate afterwards, the server appears to close the connection. Could you please tell me the address of this server? Unfortunately you x-ed it out in your trace.

Best regards

Alfred
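The reading of the trace given in the post above (TLS 1.0, no PFS, connection closed while waiting for the certificate) can be automated. This is an added example, not part of the thread and not LANCOM code; the trace excerpt is copied from the earlier post with the Devicetime field dropped, and the version string "TLSv1.3" and the legacy-version set are assumptions.

```python
import re

# Excerpt of the LCOS TLS trace posted in this thread (Devicetime dropped).
TRACE = """\
[TLS] 2019/01/31 08:46:22,367
Receiving Server Hello on connection 329:
-> protocol version is TLSv1
-> server refuses session resumption
-> select cipher:
 -> check cipher TLS_RSA_WITH_AES_128_CBC_SHA
 -> non-PFS suite but PFS preferred, possible candidate
-> selected cipher suite is TLS_RSA_WITH_AES_128_CBC_SHA
-> parsing TLS extensions
-> all fine, receive Certificate(s)

[TLS] 2019/01/31 08:46:22,477
Closing connection 329 (Handshake failure):
--> application state not reached (ClientRcvCertificate)
--> sending failure to requester
"""

LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}   # assumption: trace spelling
PFS_PREFIXES = ("TLS_DHE_", "TLS_ECDHE_")         # ephemeral key exchange (TLS <= 1.2)

# A block header names the connection; the close header also carries the reason.
HEADER = re.compile(r"^(?:.* on connection (\d+)|Closing connection (\d+) \((.+)\)):$")
FIELDS = {
    "version": re.compile(r"-> protocol version is (\S+)"),
    "cipher": re.compile(r"-> selected cipher suite is (\S+)"),
    "failed_in": re.compile(r"--> application state not reached \((\w+)\)"),
}


def parse_trace(text):
    """Collect negotiated parameters and the failure state per connection id."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cid = int(m.group(1) or m.group(2))
            cur = conns.setdefault(cid, dict.fromkeys([*FIELDS, "close_reason"]))
            if m.group(3):
                cur["close_reason"] = m.group(3)
        elif cur is not None:
            for key, rx in FIELDS.items():
                hit = rx.search(line)
                if hit:
                    cur[key] = hit.group(1)
    return conns


def findings(conn):
    """Turn one parsed connection into the points a reviewer would raise."""
    out = []
    if conn["version"] in LEGACY_VERSIONS:
        out.append(f"legacy protocol negotiated: {conn['version']}")
    # TLS 1.3 suites are always ephemeral, so the prefix test applies to <= 1.2 only.
    if (conn["cipher"] and conn["version"] != "TLSv1.3"
            and not conn["cipher"].startswith(PFS_PREFIXES)):
        out.append(f"no forward secrecy: {conn['cipher']}")
    if conn["close_reason"]:
        out.append(f"closed ({conn['close_reason']}) in state {conn['failed_in']}")
    return out


if __name__ == "__main__":
    for cid, conn in parse_trace(TRACE).items():
        print(cid, findings(conn))
```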
Post by HotSpott »

Yes, that in itself isn't really "secret". The server is sapucc.in.tum.de (an SAP system at TU München). On the Lancom I have not misconfigured anything regarding SSL (at least not that I know of...).

Best regards,
HotSpott
Post by alf29 »

Hi,

I took a look at this, and for the moment the answer is unfortunately: it doesn't work. This server sends a monstrously long certificate list (about 19 KByte) that does not fit into one TLS record (maximum 16K), and the TLS stack in LCOS currently does not support handshake messages fragmented across multiple records.

Even though this is actually provided for in the TLS protocol, I have not seen anything like it in the 15...20 years that I have been maintaining the TLS stack in LCOS. I will enter it internally as a task, but unfortunately there will not be a quick solution (in the sense of a few days) for it.

Best regards

Alfred
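The failure described in the post above, as an added example that is not part of the thread and is not LCOS code: a parser that expects each handshake message inside one record, next to one that reassembles across records with a bounded buffer. The Certificate body of 19 * 1024 zero bytes is constructed to match the "about 19 KByte" figure; all function and class names are hypothetical.

```python
import struct

MAX_FRAGMENT = 2 ** 14     # a TLS record carries at most 16384 payload bytes
CT_HANDSHAKE = 22          # record content type: handshake
HS_CERTIFICATE = 11        # handshake message type: Certificate
HS_SERVER_HELLO_DONE = 14  # handshake message type: ServerHelloDone


def to_records(stream, version=(3, 1)):
    """Sender side: cut a handshake byte stream into records of <= 2^14 bytes."""
    chunks = [stream[i:i + MAX_FRAGMENT] for i in range(0, len(stream), MAX_FRAGMENT)]
    return [struct.pack("!BBBH", CT_HANDSHAKE, *version, len(c)) + c for c in chunks]


def parse_record(record):
    """Return (content_type, fragment) after checking the 5-byte record header."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if length > MAX_FRAGMENT or len(record) != 5 + length:
        raise ValueError("malformed TLS record")
    return ctype, record[5:]


def naive_parse(records):
    """Expects every handshake message to fit in one record (the limitation)."""
    messages = []
    for record in records:
        ctype, frag = parse_record(record)
        pos = 0
        while ctype == CT_HANDSHAKE and pos < len(frag):
            length = int.from_bytes(frag[pos + 1:pos + 4], "big")
            if pos + 4 + length > len(frag):
                raise ValueError("handshake message does not fit in this record")
            messages.append((frag[pos], frag[pos + 4:pos + 4 + length]))
            pos += 4 + length
    return messages


class HandshakeReassembler:
    """Buffers handshake fragments until a whole message is available."""

    def __init__(self, max_message=64 * 1024):
        # The 3-byte length field allows 16 MiB; cap it so a peer cannot
        # make a small device buffer arbitrary amounts of data.
        self.max_message = max_message
        self.buf = bytearray()

    def feed(self, record):
        ctype, frag = parse_record(record)
        if ctype != CT_HANDSHAKE:
            if self.buf:
                # RFC 8446 forbids interleaving; rejected here for all versions.
                raise ValueError("record interleaved into a fragmented message")
            return []
        self.buf += frag
        complete = []
        while len(self.buf) >= 4:
            length = int.from_bytes(self.buf[1:4], "big")
            if length > self.max_message:
                raise ValueError("handshake message exceeds local limit")
            if len(self.buf) < 4 + length:
                break                      # wait for the next record
            complete.append((self.buf[0], bytes(self.buf[4:4 + length])))
            del self.buf[:4 + length]
        return complete


def build_sample_records():
    """Constructed input: a 19 KiB Certificate message, then ServerHelloDone."""
    body = bytes(19 * 1024)
    cert = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    done = bytes([HS_SERVER_HELLO_DONE, 0, 0, 0])
    return to_records(cert + done)


if __name__ == "__main__":
    reassembler = HandshakeReassembler()
    for rec in build_sample_records():
        print(len(rec) - 5, [(t, len(b)) for t, b in reassembler.feed(rec)])
```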
Post by HotSpott »

Oh man, why does this kind of thing always happen to me? The world is unfair! :roll:

But thank you very much for your excellent help; I would of course never have figured that out myself.

Best regards,
HotSpott
Post by alf29 »

Hi,

I have worked on this topic a bit and I think it will work with the next RU. By the way, this server transmits an absurd number of Subject Alternative Names in its certificate, which is why it is so large.

Best regards

Alfred

Code:

[TLS] 2019/02/04 13:12:55,784
Receiving Certificate(s) on connection 111:
-> read certificate of C=DE, ST=Bayern, L=Muenchen, O=Technische Universitaet Muenchen, OU=Fakultaet fuer Informatik, CN=sapucc.in.tum.de (16338 bytes)
-> read certificate of C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA (1456 bytes)
-> read certificate of C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Certification Authority 2 (1302 bytes)
-> Certificate (alternate) subject names:
[CN]  sapucc.in.tum.de
[DNS] contracts.sapucc.in.tum.de
[DNS] dt.sapucc.in.tum.de
[DNS] emea.sapucc.in.tum.de
[DNS] h00.sapucc.in.tum.de
[DNS] h00sds.sapucc.in.tum.de
[DNS] h01.sapucc.in.tum.de
[DNS] h01sds.sapucc.in.tum.de
[DNS] h02.sapucc.in.tum.de
[DNS] h02sds.sapucc.in.tum.de
[DNS] h03.sapucc.in.tum.de
[DNS] h03sds.sapucc.in.tum.de
[DNS] h04.sapucc.in.tum.de
[DNS] h04sds.sapucc.in.tum.de
[DNS] h05.sapucc.in.tum.de
[DNS] h05sds.sapucc.in.tum.de
[DNS] h06.sapucc.in.tum.de
[DNS] h06sds.sapucc.in.tum.de
[DNS] h07.sapucc.in.tum.de
[DNS] h07sds.sapucc.in.tum.de
[DNS] h08.sapucc.in.tum.de
[DNS] h08sds.sapucc.in.tum.de
[DNS] h09.sapucc.in.tum.de
[DNS] h09sds.sapucc.in.tum.de
[DNS] h10.sapucc.in.tum.de
[DNS] h10sds.sapucc.in.tum.de
[DNS] h11.sapucc.in.tum.de
[DNS] h11sds.sapucc.in.tum.de
[DNS] h12.sapucc.in.tum.de
[DNS] h12sds.sapucc.in.tum.de
[DNS] h13.sapucc.in.tum.de
[DNS] h13sds.sapucc.in.tum.de
[DNS] h14.sapucc.in.tum.de
[DNS] h14sds.sapucc.in.tum.de
[DNS] h15.sapucc.in.tum.de
[DNS] h15sds.sapucc.in.tum.de
[DNS] h16.sapucc.in.tum.de
[DNS] h16sds.sapucc.in.tum.de
[DNS] h17.sapucc.in.tum.de
[DNS] h17sds.sapucc.in.tum.de
[DNS] h18.sapucc.in.tum.de
[DNS] h18sds.sapucc.in.tum.de
[DNS] h19.sapucc.in.tum.de
[DNS] h19sds.sapucc.in.tum.de
[DNS] h20.sapucc.in.tum.de
[DNS] h20sds.sapucc.in.tum.de
[DNS] h21.sapucc.in.tum.de
[DNS] h21sds.sapucc.in.tum.de
[DNS] h22.sapucc.in.tum.de
[DNS] h22sds.sapucc.in.tum.de
[DNS] h23.sapucc.in.tum.de
[DNS] h23sds.sapucc.in.tum.de
[DNS] h24.sapucc.in.tum.de
[DNS] h24sds.sapucc.in.tum.de
[DNS] h25.sapucc.in.tum.de
[DNS] h25sds.sapucc.in.tum.de
[DNS] h26.sapucc.in.tum.de
[DNS] h26sds.sapucc.in.tum.de
[DNS] h27.sapucc.in.tum.de
[DNS] h27sds.sapucc.in.tum.de
[DNS] h28.sapucc.in.tum.de
[DNS] h28sds.sapucc.in.tum.de
[DNS] h29.sapucc.in.tum.de
[DNS] h29sds.sapucc.in.tum.de
[DNS] h30.sapucc.in.tum.de
[DNS] h30sds.sapucc.in.tum.de
[DNS] h31.sapucc.in.tum.de
[DNS] h31sds.sapucc.in.tum.de
[DNS] h32.sapucc.in.tum.de
[DNS] h32sds.sapucc.in.tum.de
[DNS] h33.sapucc.in.tum.de
[DNS] h33sds.sapucc.in.tum.de
[DNS] h34.sapucc.in.tum.de
[DNS] h34sds.sapucc.in.tum.de
[DNS] h35.sapucc.in.tum.de
[DNS] h35sds.sapucc.in.tum.de
[DNS] h36.sapucc.in.tum.de
[DNS] h36sds.sapucc.in.tum.de
[DNS] h37.sapucc.in.tum.de
[DNS] h37sds.sapucc.in.tum.de
[DNS] h38.sapucc.in.tum.de
[DNS] h38sds.sapucc.in.tum.de
[DNS] h39.sapucc.in.tum.de
[DNS] h39sds.sapucc.in.tum.de
[DNS] h40.sapucc.in.tum.de
[DNS] h40sds.sapucc.in.tum.de
[DNS] h41.sapucc.in.tum.de
[DNS] h41sds.sapucc.in.tum.de
[DNS] h42.sapucc.in.tum.de
[DNS] h42sds.sapucc.in.tum.de
[DNS] h43.sapucc.in.tum.de
[DNS] h43sds.sapucc.in.tum.de
[DNS] h44.sapucc.in.tum.de
[DNS] h44sds.sapucc.in.tum.de
[DNS] h45.sapucc.in.tum.de
[DNS] h45sds.sapucc.in.tum.de
[DNS] h46.sapucc.in.tum.de
[DNS] h46sds.sapucc.in.tum.de
[DNS] h47.sapucc.in.tum.de
[DNS] h47sds.sapucc.in.tum.de
[DNS] h48.sapucc.in.tum.de
[DNS] h48sds.sapucc.in.tum.de
[DNS] h49.sapucc.in.tum.de
[DNS] h49sds.sapucc.in.tum.de
[DNS] h50.sapucc.in.tum.de
[DNS] h50sds.sapucc.in.tum.de
[DNS] h51.sapucc.in.tum.de
[DNS] h51sds.sapucc.in.tum.de
[DNS] h52.sapucc.in.tum.de
[DNS] h52sds.sapucc.in.tum.de
[DNS] h53.sapucc.in.tum.de
[DNS] h53sds.sapucc.in.tum.de
[DNS] h54.sapucc.in.tum.de
[DNS] h54sds.sapucc.in.tum.de
[DNS] h55.sapucc.in.tum.de
[DNS] h55sds.sapucc.in.tum.de
[DNS] h56.sapucc.in.tum.de
[DNS] h56sds.sapucc.in.tum.de
[DNS] h57.sapucc.in.tum.de
[DNS] h57sds.sapucc.in.tum.de
[DNS] h58.sapucc.in.tum.de
[DNS] h58sds.sapucc.in.tum.de
[DNS] h59.sapucc.in.tum.de
[DNS] h59sds.sapucc.in.tum.de
[DNS] h60.sapucc.in.tum.de
[DNS] h60sds.sapucc.in.tum.de
[DNS] h61.sapucc.in.tum.de
[DNS] h61sds.sapucc.in.tum.de
[DNS] h62.sapucc.in.tum.de
[DNS] h62sds.sapucc.in.tum.de
[DNS] h63.sapucc.in.tum.de
[DNS] h63sds.sapucc.in.tum.de
[DNS] h64.sapucc.in.tum.de
[DNS] h64sds.sapucc.in.tum.de
[DNS] h65.sapucc.in.tum.de
[DNS] h65sds.sapucc.in.tum.de
[DNS] h66.sapucc.in.tum.de
[DNS] h66sds.sapucc.in.tum.de
[DNS] h67.sapucc.in.tum.de
[DNS] h67sds.sapucc.in.tum.de
[DNS] h68.sapucc.in.tum.de
[DNS] h68sds.sapucc.in.tum.de
[DNS] h69.sapucc.in.tum.de
[DNS] h69sds.sapucc.in.tum.de
[DNS] h70.sapucc.in.tum.de
[DNS] h70sds.sapucc.in.tum.de
[DNS] h71.sapucc.in.tum.de
[DNS] h71sds.sapucc.in.tum.de
[DNS] h72.sapucc.in.tum.de
[DNS] h72sds.sapucc.in.tum.de
[DNS] h73.sapucc.in.tum.de
[DNS] h73sds.sapucc.in.tum.de
[DNS] h74.sapucc.in.tum.de
[DNS] h74sds.sapucc.in.tum.de
[DNS] h75.sapucc.in.tum.de
[DNS] h75sds.sapucc.in.tum.de
[DNS] h76.sapucc.in.tum.de
[DNS] h76sds.sapucc.in.tum.de
[DNS] h77.sapucc.in.tum.de
[DNS] h77sds.sapucc.in.tum.de
[DNS] h78.sapucc.in.tum.de
[DNS] h78sds.sapucc.in.tum.de
[DNS] h79.sapucc.in.tum.de
[DNS] h79sds.sapucc.in.tum.de
[DNS] h80.sapucc.in.tum.de
[DNS] h80sds.sapucc.in.tum.de
[DNS] h81.sapucc.in.tum.de
[DNS] h81sds.sapucc.in.tum.de
[DNS] h82.sapucc.in.tum.de
[DNS] h82sds.sapucc.in.tum.de
[DNS] h83.sapucc.in.tum.de
[DNS] h83sds.sapucc.in.tum.de
[DNS] h84.sapucc.in.tum.de
[DNS] h84sds.sapucc.in.tum.de
[DNS] h85.sapucc.in.tum.de
[DNS] h85sds.sapucc.in.tum.de
[DNS] h86.sapucc.in.tum.de
[DNS] h86sds.sapucc.in.tum.de
[DNS] h87.sapucc.in.tum.de
[DNS] h87sds.sapucc.in.tum.de
[DNS] h88.sapucc.in.tum.de
[DNS] h88sds.sapucc.in.tum.de
[DNS] h89.sapucc.in.tum.de
[DNS] h89sds.sapucc.in.tum.de
[DNS] h90.sapucc.in.tum.de
[DNS] h90sds.sapucc.in.tum.de
[DNS] h91.sapucc.in.tum.de
[DNS] h91sds.sapucc.in.tum.de
[DNS] h92.sapucc.in.tum.de
[DNS] h92sds.sapucc.in.tum.de
[DNS] h93.sapucc.in.tum.de
[DNS] h93sds.sapucc.in.tum.de
[DNS] h94.sapucc.in.tum.de
[DNS] h94sds.sapucc.in.tum.de
[DNS] h95.sapucc.in.tum.de
[DNS] h95sds.sapucc.in.tum.de
[DNS] h96.sapucc.in.tum.de
[DNS] h96sds.sapucc.in.tum.de
[DNS] h97.sapucc.in.tum.de
[DNS] h97sds.sapucc.in.tum.de
[DNS] h98.sapucc.in.tum.de
[DNS] h98sds.sapucc.in.tum.de
[DNS] h99.sapucc.in.tum.de
[DNS] h99sds.sapucc.in.tum.de
[DNS] i00.sapucc.in.tum.de
[DNS] i01.sapucc.in.tum.de
[DNS] i02.sapucc.in.tum.de
[DNS] i03.sapucc.in.tum.de
[DNS] i04.sapucc.in.tum.de
[DNS] i05.sapucc.in.tum.de
[DNS] i06.sapucc.in.tum.de
[DNS] i07.sapucc.in.tum.de
[DNS] i08.sapucc.in.tum.de
[DNS] i09.sapucc.in.tum.de
[DNS] i10.sapucc.in.tum.de
[DNS] i11.sapucc.in.tum.de
[DNS] i12.sapucc.in.tum.de
[DNS] i13.sapucc.in.tum.de
[DNS] i14.sapucc.in.tum.de
[DNS] i15.sapucc.in.tum.de
[DNS] i16.sapucc.in.tum.de
[DNS] i17.sapucc.in.tum.de
[DNS] i18.sapucc.in.tum.de
[DNS] i19.sapucc.in.tum.de
[DNS] i19bi1.sapucc.in.tum.de
[DNS] i19bi2.sapucc.in.tum.de
[DNS] i19odata.sapucc.in.tum.de
[DNS] i19sim.sapucc.in.tum.de
[DNS] i19xml.sapucc.in.tum.de
[DNS] i20.sapucc.in.tum.de
[DNS] i20bi1.sapucc.in.tum.de
[DNS] i20bi2.sapucc.in.tum.de
[DNS] i20odata.sapucc.in.tum.de
[DNS] i20sim.sapucc.in.tum.de
[DNS] i20xml.sapucc.in.tum.de
[DNS] i21.sapucc.in.tum.de
[DNS] i22.sapucc.in.tum.de
[DNS] i23.sapucc.in.tum.de
[DNS] i24.sapucc.in.tum.de
[DNS] i25.sapucc.in.tum.de
[DNS] i26.sapucc.in.tum.de
[DNS] i27.sapucc.in.tum.de
[DNS] i28.sapucc.in.tum.de
[DNS] i29.sapucc.in.tum.de
[DNS] i30.sapucc.in.tum.de
[DNS] i31.sapucc.in.tum.de
[DNS] i32.sapucc.in.tum.de
[DNS] i33.sapucc.in.tum.de
[DNS] i34.sapucc.in.tum.de
[DNS] i35.sapucc.in.tum.de
[DNS] i36.sapucc.in.tum.de
[DNS] i37.sapucc.in.tum.de
[DNS] i38.sapucc.in.tum.de
[DNS] i39.sapucc.in.tum.de
[DNS] i40.sapucc.in.tum.de
[DNS] i41.sapucc.in.tum.de
[DNS] i42.sapucc.in.tum.de
[DNS] i43.sapucc.in.tum.de
[DNS] i44.sapucc.in.tum.de
[DNS] i45.sapucc.in.tum.de
[DNS] i46.sapucc.in.tum.de
[DNS] i47.sapucc.in.tum.de
[DNS] i48.sapucc.in.tum.de
[DNS] i49.sapucc.in.tum.de
[DNS] i50.sapucc.in.tum.de
[DNS] i51.sapucc.in.tum.de
[DNS] i52.sapucc.in.tum.de
[DNS] i53.sapucc.in.tum.de
[DNS] i54.sapucc.in.tum.de
[DNS] i55.sapucc.in.tum.de
[DNS] i56.sapucc.in.tum.de
[DNS] i57.sapucc.in.tum.de
[DNS] i58.sapucc.in.tum.de
[DNS] i59.sapucc.in.tum.de
[DNS] i60.sapucc.in.tum.de
[DNS] i61.sapucc.in.tum.de
[DNS] i62.sapucc.in.tum.de
[DNS] i63.sapucc.in.tum.de
[DNS] i64.sapucc.in.tum.de
[DNS] i65.sapucc.in.tum.de
[DNS] i66.sapucc.in.tum.de
[DNS] i67.sapucc.in.tum.de
[DNS] i68.sapucc.in.tum.de
[DNS] i69.sapucc.in.tum.de
[DNS] i70.sapucc.in.tum.de
[DNS] i71.sapucc.in.tum.de
[DNS] i72.sapucc.in.tum.de
[DNS] i73.sapucc.in.tum.de
[DNS] i74.sapucc.in.tum.de
[DNS] i75.sapucc.in.tum.de
[DNS] i76.sapucc.in.tum.de
[DNS] i77.sapucc.in.tum.de
[DNS] i78.sapucc.in.tum.de
[DNS] i79.sapucc.in.tum.de
[DNS] i80.sapucc.in.tum.de
[DNS] i81.sapucc.in.tum.de
[DNS] i82.sapucc.in.tum.de
[DNS] i83.sapucc.in.tum.de
[DNS] i84.sapucc.in.tum.de
[DNS] i85.sapucc.in.tum.de
[DNS] i86.sapucc.in.tum.de
[DNS] i87.sapucc.in.tum.de
[DNS] i88.sapucc.in.tum.de
[DNS] i89.sapucc.in.tum.de
[DNS] i90.sapucc.in.tum.de
[DNS] i91.sapucc.in.tum.de
[DNS] i92.sapucc.in.tum.de
[DNS] i93.sapucc.in.tum.de
[DNS] i94.sapucc.in.tum.de
[DNS] i95.sapucc.in.tum.de
[DNS] i96.sapucc.in.tum.de
[DNS] i97.sapucc.in.tum.de
[DNS] i98.sapucc.in.tum.de
[DNS] i99.sapucc.in.tum.de
[DNS] j00.sapucc.in.tum.de
[DNS] j01.sapucc.in.tum.de
[DNS] j02.sapucc.in.tum.de
[DNS] j03.sapucc.in.tum.de
[DNS] j04.sapucc.in.tum.de
[DNS] j05.sapucc.in.tum.de
[DNS] j06.sapucc.in.tum.de
[DNS] j07.sapucc.in.tum.de
[DNS] j08.sapucc.in.tum.de
[DNS] j09.sapucc.in.tum.de
[DNS] j10.sapucc.in.tum.de
[DNS] j11.sapucc.in.tum.de
[DNS] j12.sapucc.in.tum.de
[DNS] j13.sapucc.in.tum.de
[DNS] j14.sapucc.in.tum.de
[DNS] j15.sapucc.in.tum.de
[DNS] j16.sapucc.in.tum.de
[DNS] j17.sapucc.in.tum.de
[DNS] j18.sapucc.in.tum.de
[DNS] j19.sapucc.in.tum.de
[DNS] j20.sapucc.in.tum.de
[DNS] j21.sapucc.in.tum.de
[DNS] j22.sapucc.in.tum.de
[DNS] j23.sapucc.in.tum.de
[DNS] j24.sapucc.in.tum.de
[DNS] j25.sapucc.in.tum.de
[DNS] j26.sapucc.in.tum.de
[DNS] j27.sapucc.in.tum.de
[DNS] j28.sapucc.in.tum.de
[DNS] j29.sapucc.in.tum.de
[DNS] j30.sapucc.in.tum.de
[DNS] j31.sapucc.in.tum.de
[DNS] j32.sapucc.in.tum.de
[DNS] j33.sapucc.in.tum.de
[DNS] j34.sapucc.in.tum.de
[DNS] j35.sapucc.in.tum.de
[DNS] j36.sapucc.in.tum.de
[DNS] j37.sapucc.in.tum.de
[DNS] j38.sapucc.in.tum.de
[DNS] j39.sapucc.in.tum.de
[DNS] j40.sapucc.in.tum.de
[DNS] j41.sapucc.in.tum.de
[DNS] j42.sapucc.in.tum.de
[DNS] j43.sapucc.in.tum.de
[DNS] j44.sapucc.in.tum.de
[DNS] j45.sapucc.in.tum.de
[DNS] j46.sapucc.in.tum.de
[DNS] j47.sapucc.in.tum.de
[DNS] j48.sapucc.in.tum.de
[DNS] j49.sapucc.in.tum.de
[DNS] j50.sapucc.in.tum.de
[DNS] j51.sapucc.in.tum.de
[DNS] j52.sapucc.in.tum.de
[DNS] j53.sapucc.in.tum.de
[DNS] j54.sapucc.in.tum.de
[DNS] j55.sapucc.in.tum.de
[DNS] j56.sapucc.in.tum.de
[DNS] j57.sapucc.in.tum.de
[DNS] j58.sapucc.in.tum.de
[DNS] j59.sapucc.in.tum.de
[DNS] j60.sapucc.in.tum.de
[DNS] j61.sapucc.in.tum.de
[DNS] j62.sapucc.in.tum.de
[DNS] j63.sapucc.in.tum.de
[DNS] j64.sapucc.in.tum.de
[DNS] j65.sapucc.in.tum.de
[DNS] j66.sapucc.in.tum.de
[DNS] j67.sapucc.in.tum.de
[DNS] j68.sapucc.in.tum.de
[DNS] j69.sapucc.in.tum.de
[DNS] j70.sapucc.in.tum.de
[DNS] j71.sapucc.in.tum.de
[DNS] j72.sapucc.in.tum.de
[DNS] j73.sapucc.in.tum.de
[DNS] j74.sapucc.in.tum.de
[DNS] j75.sapucc.in.tum.de
[DNS] j76.sapucc.in.tum.de
[DNS] j77.sapucc.in.tum.de
[DNS] j78.sapucc.in.tum.de
[DNS] j79.sapucc.in.tum.de
[DNS] j80.sapucc.in.tum.de
[DNS] j81.sapucc.in.tum.de
[DNS] j82.sapucc.in.tum.de
[DNS] j83.sapucc.in.tum.de
[DNS] j84.sapucc.in.tum.de
[DNS] j85.sapucc.in.tum.de
[DNS] j86.sapucc.in.tum.de
[DNS] j87.sapucc.in.tum.de
[DNS] j88.sapucc.in.tum.de
[DNS] j89.sapucc.in.tum.de
[DNS] j90.sapucc.in.tum.de
[DNS] j91.sapucc.in.tum.de
[DNS] j92.sapucc.in.tum.de
[DNS] j93.sapucc.in.tum.de
[DNS] j94.sapucc.in.tum.de
[DNS] j95.sapucc.in.tum.de
[DNS] j96.sapucc.in.tum.de
[DNS] j97.sapucc.in.tum.de
[DNS] j98.sapucc.in.tum.de
[DNS] j99.sapucc.in.tum.de
[DNS] logon.sapucc.in.tum.de
[DNS] remotelogin.sapucc.in.tum.de
[DNS] s00.sapucc.in.tum.de
[DNS] s01.sapucc.in.tum.de
[DNS] s02.sapucc.in.tum.de
[DNS] s03.sapucc.in.tum.de
[DNS] s04.sapucc.in.tum.de
[DNS] s05.sapucc.in.tum.de
[DNS] s06.sapucc.in.tum.de
[DNS] s07.sapucc.in.tum.de
[DNS] s08.sapucc.in.tum.de
[DNS] s09.sapucc.in.tum.de
[DNS] s10.sapucc.in.tum.de
[DNS] s11.sapucc.in.tum.de
[DNS] s12.sapucc.in.tum.de
[DNS] s13.sapucc.in.tum.de
[DNS] s14.sapucc.in.tum.de
[DNS] s15.sapucc.in.tum.de
[DNS] s16.sapucc.in.tum.de
[DNS] s17.sapucc.in.tum.de
[DNS] s18.sapucc.in.tum.de
[DNS] s19.sapucc.in.tum.de
[DNS] s20.sapucc.in.tum.de
[DNS] s21.sapucc.in.tum.de
[DNS] s22.sapucc.in.tum.de
[DNS] s23.sapucc.in.tum.de
[DNS] s24.sapucc.in.tum.de
[DNS] s25.sapucc.in.tum.de
[DNS] s26.sapucc.in.tum.de
[DNS] s27.sapucc.in.tum.de
[DNS] s28.sapucc.in.tum.de
[DNS] s29.sapucc.in.tum.de
[DNS] s30.sapucc.in.tum.de
[DNS] s31.sapucc.in.tum.de
[DNS] s32.sapucc.in.tum.de
[DNS] s33.sapucc.in.tum.de
[DNS] s34.sapucc.in.tum.de
[DNS] s35.sapucc.in.tum.de
[DNS] s36.sapucc.in.tum.de
[DNS] s37.sapucc.in.tum.de
[DNS] s38.sapucc.in.tum.de
[DNS] s39.sapucc.in.tum.de
[DNS] s40.sapucc.in.tum.de
[DNS] s41.sapucc.in.tum.de
[DNS] s42.sapucc.in.tum.de
[DNS] s43.sapucc.in.tum.de
[DNS] s44.sapucc.in.tum.de
[DNS] s45.sapucc.in.tum.de
[DNS] s46.sapucc.in.tum.de
[DNS] s47.sapucc.in.tum.de
[DNS] s48.sapucc.in.tum.de
[DNS] s49.sapucc.in.tum.de
[DNS] s50.sapucc.in.tum.de
[DNS] s51.sapucc.in.tum.de
[DNS] s52.sapucc.in.tum.de
[DNS] s53.sapucc.in.tum.de
[DNS] s54.sapucc.in.tum.de
[DNS] s55.sapucc.in.tum.de
[DNS] s56.sapucc.in.tum.de
[DNS] s57.sapucc.in.tum.de
[DNS] s58.sapucc.in.tum.de
[DNS] s59.sapucc.in.tum.de
[DNS] s60.sapucc.in.tum.de
[DNS] s61.sapucc.in.tum.de
[DNS] s62.sapucc.in.tum.de
[DNS] s63.sapucc.in.tum.de
[DNS] s64.sapucc.in.tum.de
[DNS] s65.sapucc.in.tum.de
[DNS] s66.sapucc.in.tum.de
[DNS] s67.sapucc.in.tum.de
[DNS] s68.sapucc.in.tum.de
[DNS] s69.sapucc.in.tum.de
[DNS] s70.sapucc.in.tum.de
[DNS] s71.sapucc.in.tum.de
[DNS] s72.sapucc.in.tum.de
[DNS] s73.sapucc.in.tum.de
[DNS] s74.sapucc.in.tum.de
[DNS] s75.sapucc.in.tum.de
[DNS] s76.sapucc.in.tum.de
[DNS] s77.sapucc.in.tum.de
[DNS] s78.sapucc.in.tum.de
[DNS] s79.sapucc.in.tum.de
[DNS] s80.sapucc.in.tum.de
[DNS] s81.sapucc.in.tum.de
[DNS] s82.sapucc.in.tum.de
[DNS] s83.sapucc.in.tum.de
[DNS] s84.sapucc.in.tum.de
[DNS] s85.sapucc.in.tum.de
[DNS] s86.sapucc.in.tum.de
[DNS] s87.sapucc.in.tum.de
[DNS] s88.sapucc.in.tum.de
[DNS] s89.sapucc.in.tum.de
[DNS] s90.sapucc.in.tum.de
[DNS] s91.sapucc.in.tum.de
[DNS] s92.sapucc.in.tum.de
[DNS] s93.sapucc.in.tum.de
[DNS] s94.sapucc.in.tum.de
[DNS] s95.sapucc.in.tum.de
[DNS] s96.sapucc.in.tum.de
[DNS] s97.sapucc.in.tum.de
[DNS] s98.sapucc.in.tum.de
[DNS] s99.sapucc.in.tum.de
[DNS] sapucc.in.tum.de
[DNS] selfservice.sapucc.in.tum.de
[DNS] servicedesk.sapucc.in.tum.de
[DNS] ticket.sapucc.in.tum.de
[DNS] ts410.sapucc.in.tum.de
[DNS] ucchana00.sapucc.in.tum.de
[DNS] ucchana01.sapucc.in.tum.de
[DNS] ucchana02.sapucc.in.tum.de
[DNS] ucchana03.sapucc.in.tum.de
[DNS] ucchana04.sapucc.in.tum.de
[DNS] ucchana05.sapucc.in.tum.de
[DNS] ucchana06.sapucc.in.tum.de
[DNS] ucchana07.sapucc.in.tum.de
[DNS] ucchana08.sapucc.in.tum.de
[DNS] ucchana09.sapucc.in.tum.de
[DNS] ucchana10.sapucc.in.tum.de
[DNS] ucchana11.sapucc.in.tum.de
[DNS] ucchana12.sapucc.in.tum.de
[DNS] ucchana13.sapucc.in.tum.de
[DNS] ucchana14.sapucc.in.tum.de
[DNS] ucchana15.sapucc.in.tum.de
[DNS] ucchana16.sapucc.in.tum.de
[DNS] ucchana17.sapucc.in.tum.de
[DNS] ucchana18.sapucc.in.tum.de
[DNS] ucchana19.sapucc.in.tum.de
[DNS] ucchana20.sapucc.in.tum.de
[DNS] ucchana21.sapucc.in.tum.de
[DNS] ucchana22.sapucc.in.tum.de
[DNS] ucchana23.sapucc.in.tum.de
[DNS] ucchana24.sapucc.in.tum.de
[DNS] ucchana25.sapucc.in.tum.de
[DNS] ucchana26.sapucc.in.tum.de
[DNS] ucchana27.sapucc.in.tum.de
[DNS] ucchana28.sapucc.in.tum.de
[DNS] ucchana29.sapucc.in.tum.de
[DNS] ucchana30.sapucc.in.tum.de
[DNS] ucchana31.sapucc.in.tum.de
[DNS] ucchana32.sapucc.in.tum.de
[DNS] ucchana33.sapucc.in.tum.de
[DNS] ucchana34.sapucc.in.tum.de
[DNS] ucchana35.sapucc.in.tum.de
[DNS] ucchana36.sapucc.in.tum.de
[DNS] ucchana37.sapucc.in.tum.de
[DNS] ucchana38.sapucc.in.tum.de
[DNS] ucchana39.sapucc.in.tum.de
[DNS] ucchana40.sapucc.in.tum.de
[DNS] ucchana41.sapucc.in.tum.de
[DNS] ucchana42.sapucc.in.tum.de
[DNS] ucchana43.sapucc.in.tum.de
[DNS] ucchana44.sapucc.in.tum.de
[DNS] ucchana45.sapucc.in.tum.de
[DNS] ucchana46.sapucc.in.tum.de
[DNS] ucchana47.sapucc.in.tum.de
[DNS] ucchana48.sapucc.in.tum.de
[DNS] ucchana49.sapucc.in.tum.de
[DNS] ucchana50.sapucc.in.tum.de
[DNS] ucchana51.sapucc.in.tum.de
[DNS] ucchana52.sapucc.in.tum.de
[DNS] ucchana53.sapucc.in.tum.de
[DNS] ucchana54.sapucc.in.tum.de
[DNS] ucchana55.sapucc.in.tum.de
[DNS] ucchana56.sapucc.in.tum.de
[DNS] ucchana57.sapucc.in.tum.de
[DNS] ucchana58.sapucc.in.tum.de
[DNS] ucchana59.sapucc.in.tum.de
[DNS] ucchana60.sapucc.in.tum.de
[DNS] ucchana61.sapucc.in.tum.de
[DNS] ucchana62.sapucc.in.tum.de
[DNS] ucchana63.sapucc.in.tum.de
[DNS] ucchana64.sapucc.in.tum.de
[DNS] ucchana65.sapucc.in.tum.de
[DNS] ucchana66.sapucc.in.tum.de
[DNS] ucchana67.sapucc.in.tum.de
[DNS] ucchana68.sapucc.in.tum.de
[DNS] ucchana69.sapucc.in.tum.de
[DNS] ucchana70.sapucc.in.tum.de
[DNS] ucchana71.sapucc.in.tum.de
[DNS] ucchana72.sapucc.in.tum.de
[DNS] ucchana73.sapucc.in.tum.de
[DNS] ucchana74.sapucc.in.tum.de
[DNS] ucchana75.sapucc.in.tum.de
[DNS] ucchana76.sapucc.in.tum.de
[DNS] ucchana77.sapucc.in.tum.de
[DNS] ucchana78.sapucc.in.tum.de
[DNS] ucchana79.sapucc.in.tum.de
[DNS] ucchana80.sapucc.in.tum.de
[DNS] ucchana81.sapucc.in.tum.de
[DNS] ucchana82.sapucc.in.tum.de
[DNS] ucchana83.sapucc.in.tum.de
[DNS] ucchana84.sapucc.in.tum.de
[DNS] ucchana85.sapucc.in.tum.de
[DNS] ucchana86.sapucc.in.tum.de
[DNS] ucchana87.sapucc.in.tum.de
[DNS] ucchana88.sapucc.in.tum.de
[DNS] ucchana89.sapucc.in.tum.de
[DNS] ucchana90.sapucc.in.tum.de
[DNS] ucchana91.sapucc.in.tum.de
[DNS] ucchana92.sapucc.in.tum.de
[DNS] ucchana93.sapucc.in.tum.de
[DNS] ucchana94.sapucc.in.tum.de
[DNS] ucchana95.sapucc.in.tum.de
[DNS] ucchana96.sapucc.in.tum.de
[DNS] ucchana97.sapucc.in.tum.de
[DNS] ucchana98.sapucc.in.tum.de
[DNS] ucchana99.sapucc.in.tum.de
[DNS] uccsim01.sapucc.in.tum.de
[DNS] uccsim0105.sapucc.in.tum.de
[DNS] uccsim02.sapucc.in.tum.de
[DNS] uccsim03.sapucc.in.tum.de
[DNS] uccsim04.sapucc.in.tum.de
[DNS] uccsim05.sapucc.in.tum.de
[DNS] z40-hana.sapucc.in.tum.de

Post by HotSpott »

Hello Alfred,

thank you very much for the quick response, that is excellent! The list of names is indeed unbelievable. They should have thought about a solution with a wildcard certificate...

Best regards,
HotSpott
Frank Siedler
Posts: 9
Registered: 07 Jun 2020, 17:43

Post by Frank Siedler »

Hello,

I have now had this problem as well for a week: the dyndns.strato.com website can no longer be reached via https. The following error appears:

SSL connect error: Handshake failure

However, if I use http, it works.
If I call the dyndns.strato.com page via a web browser, it works too.

I suspect the Lancom router uses an old TLS protocol and Strato has switched to SSL?!

Or can settings be made in the Lancom router for this https transfer?

I have loaded the latest router firmware for my Lancom 1781VA: 10.50.0091RC1 (04.05.2021)

Best regards, Frank
Post by Frank Siedler »

Sooo :D

Now I have found the problem.

It was because the Lancom parameter
/Setup/WAN/SSL-for-Action-Table/Versions

did not include SSLv3.

I have now used

set /Setup/WAN/SSL-for-Action-Table/Versions 25

to set the parameter to SSLv3, TLSv1.2, TLSv1.3.

Now the action table works with https again.

Presumably a firmware update for the Lancom router trashed this parameter ... ? ...

Best regards, Frank
5624
Posts: 865
Registered: 14 Mar 2012, 12:36

Post by 5624 »

SSLv3 was removed deliberately because it is obsolete. The same goes for TLS 1.0 and TLS 1.1. This came with a firmware update and was also communicated. This change was intentional.

In a security audit, an active SSLv3 would even be documented as a deficiency.

Check whether it works with TLS 1.1 and without SSLv3. It is not optimal, but better than your current configuration.
LCS NC/WLAN
失败是成功之母
Posts: 73
Registered: 03 Aug 2020, 14:18

Post by 失败是成功之母 »

There must be another reason, because Dynamic DNS at Strato is reachable via TLS 1.3. Unfortunately I do not have an account at Strato to test it. However, here with LCOS 10.50 RC3 and a Lancom 1781VA (device reset after the firmware update) I at least got "HTTP protocol error 403". That means the HTTPS connection is established. But none of this necessarily means anything: if Strato does an HTTP redirect to another domain, a new, second TLS handshake takes place. Maybe something is broken there. My tip: switch an Ethernet port from LAN-1 to Monitor (e.g. via WEBconfig → Configuration → Interfaces → LAN → Ethernet ports). Then you can use Wireshark on this Ethernet port to capture live what exactly is happening. If you filter on "dns || tls", you will see the part that is relevant to you.