
[Worker] Deploy and maintain independent BitShares infrastructure


blockchainprojectsbv:
The final report has been published now.

Best Regards,
   Stefan Schießl
   Blockchain Projects BV

blockchainprojectsbv:
A final report will be added soon to conclude this worker.

Best Regards,
   Stefan Schießl
   Blockchain Projects BV

xeroc:
Apparently, our SSL settings have been too narrow to support the cli-wallet.

We've redeployed the EU node with the above settings and are currently testing.
Once successful, we will redeploy the other load balancers too. Thanks for the feedback @Alex

sschiessl:
Also from telegram

Alex M - clockwork:
RESULT!

A+ Rating on ssllabs + haproxy + load balancer + working with cli_wallet

   ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
   ssl-default-bind-options no-sslv3 no-tls-tickets
   ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
   ssl-default-server-options no-sslv3 no-tls-tickets

I made a mistake, btw: cli-wallet reporting max version SSL 3.1 is TLS 1.0, not TLS 1.1.

It appears not to work only under IE8 on Windows XP, Java 6 and Android 2.3.7 (lack of SNI).

The above config, I mean.

@xeroc & @sschiessl, seeing as infrastructure nodes suffer from the same issue (cli-wallet dies with "handshake failed"), I suggest you use the above config in your haproxy setup.

abit:
Below is from Telegram channel, by clockworkgr

If you get this error when connecting with cli_wallet:

0 exception: unspecified
TLS handshake failed
    {"message":"TLS handshake failed"}
    asio  websocket.cpp:487 operator()

It's perhaps because cli_wallet sends a very small list of supported ciphers... if haproxy has those set, it will fail with a handshake failure due to not being able to negotiate a matching cipher.

E.g. for nginx, this won't work:

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-

----------- update ----------
by @clockworkgr:

I debugged the issue on my node running haproxy yesterday,
hopefully it's the same reason.
Using ssldump during handshaking I noted 2 things:
a) cli_wallet submits a Client Hello with a max supported SSL version of 3.1,
that's TLS 1.1
(my node had TLS 1.2 forced... so handshaking failed).
After I set it to allow TLS 1.1:
b) I noted that the ciphers supported by cli_wallet were not the ones in my allowed ciphers list in the haproxy config,
also failing the handshake.
cli_wallet's supported cipher list according to ssldump is the following:
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_DH_RSA_WITH_AES_256_CBC_SHA
        TLS_DH_DSS_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_DH_RSA_WITH_AES_128_CBC_SHA
        TLS_DH_DSS_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
You'll have to find what literals those correspond to in your nginx config and make sure at least one of them exists.
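Added example, not code from the thread or from BitShares: a Python check that expands a server cipher string through the local OpenSSL (the same way haproxy or nginx would) and intersects it with the cli_wallet suite list captured above, reporting both failure causes clockworkgr describes. The IANA-name-to-code table and the two server strings are constructed from the posts; the OpenSSL literals it prints are the ones the last sentence asks you to look up.

```python
import ssl

# IANA suite names from the ssldump capture above, keyed by their 16-bit suite code.
CLI_WALLET_SUITES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0037: "TLS_DH_RSA_WITH_AES_256_CBC_SHA", 0x0036: "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 0x0031: "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
    0x0030: "TLS_DH_DSS_WITH_AES_128_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0010: "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", 0x000D: "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
# Client Hello record version -> protocol name (3.1 is TLS 1.0, as corrected in the thread).
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def common_suites(server_cipher_string):
    """Return {suite_code: openssl_name} for the suites both sides support.

    The local OpenSSL expands the server string, so aliases such as DH+AES256
    and negations such as !DSS resolve as haproxy/nginx would resolve them.
    Each entry's id is 0x03000000 | IANA suite code, hence the mask."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(server_cipher_string)  # raises SSLError if nothing matches at all
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()
            if (c["id"] & 0xFFFF) in CLI_WALLET_SUITES}

def diagnose(server_cipher_string, client_max=(3, 1), server_min=(3, 3)):
    """List the reasons the handshake would fail; an empty list means it can succeed."""
    problems = []
    if client_max < server_min:
        problems.append(f"client offers at most {VERSION_NAMES[client_max]}, "
                        f"server requires {VERSION_NAMES[server_min]}")
    if not common_suites(server_cipher_string):
        problems.append("no cipher suite in common")
    return problems

# Constructed inputs: the haproxy line posted by clockwork and the GCM-only
# prefix of the nginx line quoted by abit.
HAPROXY_OK = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
              "RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS")
NGINX_GCM_ONLY = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
                  "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256")

if __name__ == "__main__":
    for label, s in (("haproxy", HAPROXY_OK), ("nginx", NGINX_GCM_ONLY)):
        print(label, sorted(common_suites(s).values()), diagnose(s, server_min=(3, 2)))
```

The result depends on the OpenSSL the script runs against, which is the point: run it on the load balancer host itself, since that OpenSSL decides which suites an alias like DH+AES expands to.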
