• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Cisco 877 ddns updates failing due to unsecure SSLv3

Started by miklinux, May 01, 2016, 02:48:54 PM

miklinux

Hello,
I just configured my HE IPv6 tunnel on my home Cisco 877.
Everything is working ok, but I can't get dynamic updates to work, and here's what happens:

May  1 21:40:18.326: HTTPDNSUPD: Call returned Request Aborted, update of my.host.name <=> xx.xx.xx.xx failed
May  1 21:40:18.326: DYNDNSUPD: Another update completed (outstanding=0, total=0)
May  1 21:40:18.330: HTTPDNSUPD: Clearing all session 189 info
May  1 21:40:28.696: DYNDNSUPD: Adding DNS mapping for my.host.name <=> xx.xx.xx.xx
May  1 21:40:28.696: HTTPDNS: Update add called for my.host.name <=> xx.xx.xx.xx
May  1 21:40:28.696: HTTPDNSUPD: Session ID = 0xBE
May  1 21:40:28.696: HTTPDNSUPD: URL = 'https://******:******@ipv4.tunnelbroker.net/nic/updatehostname=******'
May  1 21:40:28.696: HTTPDNSUPD: Sending request
May  1 21:40:28.996: opssl_SetPKIInfo entry
May  1 21:40:29.000: opssl_SetPKIInfo done.
May  1 21:40:29.004: >>> SSL 3.0 Handshake [length 0033], ClientHello
May  1 21:40:29.004:     01 00 00 2F 03 00 57 26 77 CD 0A A1 93 5D 4A 0B
May  1 21:40:29.004:     7D AE 7F DB 37 D6 92 1C 20 8F 5E 58 FA 7E E4 68
May  1 21:40:29.004:     4A F4 21 F8 97 AF 00 00 08 00 04 00 0A 00 05 00
May  1 21:40:29.004:     09 01 00
May  1 21:40:29.004:
May  1 21:40:29.192: <<< SSL 3.0 Alert [length 0002], fatal handshake_failure
May  1 21:40:29.192:     02 28
May  1 21:40:29.192:
May  1 21:40:29.192: 111:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:../../../../cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:1062:SSL alert number 40


My show version:

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 28-Feb-12 14:33 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

Cisco877 uptime is 1 hour, 32 minutes
System returned to ROM by power-on
System restarted at 22:13:25 MEDT Sun May 1 2016
System image file is "flash:c870-advipservicesk9-mz.124-24.T7.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 877 (MPC8272) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FHK141773XF
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102


Have you ever experienced such an issue? How did you resolve it?
I've been googling for hours trying to find a way to disable weak SSL ciphers on IOS, but I haven't been able to find anything.
I also tried to push the HE certificate as described here http://docwiki.cisco.com/wiki/IPv6_with_Tunnel_Broker_Configuration_Example, but it didn't help.

Thanks

troz

Sadly, the only option is a newer IOS.  I have the same problem with 15.1(4)M1. M10 turns off SSLv3.
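
The ClientHello and alert bytes in the debug output of the first post can be decoded to see exactly what the router offered and how the server answered. The Python below is an added example, not part of the original thread; the byte strings are copied from that log, and the function and table names are illustrative.

```python
import struct

# Bytes copied from the router debug output in the first post.
CLIENT_HELLO = bytes.fromhex(
    "01 00 00 2F 03 00 57 26 77 CD 0A A1 93 5D 4A 0B "
    "7D AE 7F DB 37 D6 92 1C 20 8F 5E 58 FA 7E E4 68 "
    "4A F4 21 F8 97 AF 00 00 08 00 04 00 0A 00 05 00 "
    "09 01 00"
)
ALERT = bytes.fromhex("02 28")

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUITES = {  # IANA cipher suite names for the values seen in this log
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}

def parse_client_hello(msg):
    """Parse a handshake-layer ClientHello (no record header, as logged)."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("length field does not match captured bytes")
    version = struct.unpack_from(">H", body, 0)[0]
    pos = 2 + 32                    # skip client_version and 32-byte random
    pos += 1 + body[pos]            # skip session_id (length-prefixed)
    cs_len = struct.unpack_from(">H", body, pos)[0]
    pos += 2
    suites = [struct.unpack_from(">H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]            # skip compression methods
    return {
        "version": VERSIONS.get(version, hex(version)),
        "suites": [SUITES.get(s, hex(s)) for s in suites],
        "has_extensions": pos < len(body),  # bytes left over would be extensions
    }

def parse_alert(msg):
    """Decode a two-byte alert into (level, description)."""
    return ALERT_LEVELS.get(msg[0], str(msg[0])), ALERT_DESCRIPTIONS.get(msg[1], str(msg[1]))

if __name__ == "__main__":
    print(parse_client_hello(CLIENT_HELLO))
    print(parse_alert(ALERT))
```

The decode shows a ClientHello with version SSL 3.0, four RSA key-exchange suites (RC4-MD5, 3DES-SHA, RC4-SHA, DES-SHA) and no extensions, answered by a fatal handshake_failure alert.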