Introduction

A TLS handshake fails with a cipher mismatch when the client and the server share no cipher suite. This guide provides step-by-step diagnosis and resolution.

Symptoms

Typical error output:

```text
TLS Handshake failed: cipher_mismatch
Server ciphers: ECDHE-RSA-AES256-GCM-SHA384
Client supported: AES128-SHA, 3DES
No common cipher suite
```
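The following script is an added example and not part of the original guide. It parses the log block quoted above, models how a TLS 1.2 server (or, optionally, the client) picks the first suite in its own preference order that the peer also offers, and explains why the result is "No common cipher suite". It then flags legacy suites by their OpenSSL name tokens and states which side to change: when the server already offers a modern suite, the client is the side to fix, so the server is never weakened to match it. The `SAMPLE_LOG` text is the constructed log from the Symptoms section, and the `DEPRECATED`, `AEAD` and `FORWARD_SECRET` token sets are this example's own simplified assumptions, not an authoritative cipher policy.

```python
"""Diagnose a TLS cipher-suite mismatch from handshake log output.

Added example for this guide, not code from the original page. It models
TLS 1.2-style suite selection (the server, or optionally the client, walks
its preference list and takes the first suite the peer also offers) and
flags legacy suites using OpenSSL naming tokens; the token sets below are
this example's own assumptions, not an authoritative policy.
"""
import re

# Constructed sample: the error output quoted in the Symptoms section.
SAMPLE_LOG = """\
TLS Handshake failed: cipher_mismatch
Server ciphers: ECDHE-RSA-AES256-GCM-SHA384
Client supported: AES128-SHA, 3DES
No common cipher suite
"""

# Name fragments that mark a suite as broken or deprecated (assumed list).
DEPRECATED = {"NULL", "ANULL", "ENULL", "EXP", "EXPORT", "RC4",
              "DES", "3DES", "CBC3", "MD5"}
AEAD = {"GCM", "CCM", "CHACHA20"}
FORWARD_SECRET = {"ECDHE", "DHE", "EDH"}


def _split(field):
    # Accept OpenSSL ':'-separated cipher strings as well as ', ' lists.
    return [c.strip() for c in re.split(r"[:,]\s*", field) if c.strip()]


def parse_cipher_lists(log):
    """Return (server_suites, client_suites) from the log, in listed order."""
    server = re.search(r"^Server ciphers:\s*(.+)$", log, re.M)
    client = re.search(r"^Client supported:\s*(.+)$", log, re.M)
    if not server or not client:
        raise ValueError("log does not contain both cipher lists")
    return _split(server.group(1)), _split(client.group(1))


def negotiate(client, server, server_preference=True):
    """First suite in the preferring side's order that the peer also offers.

    None means no overlap, which is exactly the cipher_mismatch failure.
    """
    first, second = (server, client) if server_preference else (client, server)
    offered = set(second)
    return next((s for s in first if s in offered), None)


def assess(suite):
    """List the problems with one suite name; an empty list means acceptable."""
    tokens = set(re.split(r"[-_]", suite.upper()))
    issues = []
    if tokens & DEPRECATED:
        issues.append("deprecated or broken primitive")
    if not tokens & AEAD:
        issues.append("non-AEAD (CBC) mode")
    # TLS 1.3 suites (TLS_...) always use ephemeral keys; TLS 1.2 needs (EC)DHE.
    if not (tokens & FORWARD_SECRET or suite.upper().startswith("TLS_")):
        issues.append("no forward secrecy")
    return issues


def diagnose(log, server_preference=True):
    """Explain the mismatch and say which side to change and to what."""
    server, client = parse_cipher_lists(log)
    chosen = negotiate(client, server, server_preference)
    report = {"server": server, "client": client, "negotiated": chosen,
              "client_issues": {c: assess(c) for c in client},
              "server_issues": {s: assess(s) for s in server}}
    if chosen is None:
        acceptable = [s for s in server if not assess(s)]
        if acceptable:
            # Server already offers modern suites: fix the client, never
            # add the client's legacy suites to the server.
            report["action"] = "enable_on_client"
            report["suites"] = acceptable
        else:
            report["action"] = "fix_server"
            report["suites"] = [c for c in client if not assess(c)]
    else:
        report["action"] = "none"
        report["suites"] = [chosen]
    return report


if __name__ == "__main__":
    r = diagnose(SAMPLE_LOG)
    print("negotiated:", r["negotiated"])
    for suite, issues in r["client_issues"].items():
        print(f"client {suite}: {', '.join(issues) or 'ok'}")
    print("action:", r["action"], r["suites"])
```

Run it on the log above and it reports no negotiated suite, marks both client suites as CBC-mode without forward secrecy (and 3DES as deprecated), and recommends enabling ECDHE-RSA-AES256-GCM-SHA384 on the client. Swapping `server_preference` shows that preference order only matters once the two lists overlap; with an empty intersection the handshake fails either way.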

Common Causes

  1. Firewall or IPS rule configuration incorrect
  2. Signature or threshold not tuned for environment
  3. VPN or TLS protocol/cipher mismatch
  4. Detection engine configuration or signature issue

Step-by-Step Fix

Step 1: Check Current State

```bash
# Check firewall status
iptables -L -n -v
# View security logs
tail -f /var/log/security.log
# Check IDS/IPS status
systemctl status suricata snort
```

Step 2: Identify Root Cause

```bash
# Check firewall rules
iptables -L -n --line-numbers
# View IDS/IPS alerts
cat /var/log/suricata/fast.log
# Check VPN configuration
ip xfrm state
```

Step 3: Apply Primary Fix

```bash
# Primary fix: review and adjust rules
# List current firewall rules
iptables -L -n --line-numbers

# Modify blocking rule
iptables -R INPUT 5 -p tcp --dport 80 -s 10.0.0.0/8 -j ACCEPT

# Restart firewall service
systemctl restart iptables
```

Step 4: Apply Alternative Fix

```bash
# Alternative: tune detection signatures
# Update IDS rules
suricata-update

# Tune false positive signature
# Edit rules/suricata.rules
# Add threshold or modify pattern

# Reload configuration
systemctl restart suricata
```
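The step above says to add a threshold without showing one. The fragment below is an added example of Suricata's `threshold.config` syntax, not configuration from the original guide: `<SID>` is a placeholder for the signature id of the noisy rule and `<ALLOWED_SRC>` for the trusted source address or range in your environment.

```conf
# threshold.config (added example; <SID> and <ALLOWED_SRC> are placeholders)

# Rate-limit a noisy signature: at most one alert per source host per minute,
# so the detection stays active but no longer floods the alert log
threshold gen_id 1, sig_id <SID>, type limit, track by_src, count 1, seconds 60

# Suppress the same signature only for a known-benign source; it still fires
# for every other source address
suppress gen_id 1, sig_id <SID>, track by_src, ip <ALLOWED_SRC>
```

Prefer a limit or a narrowly scoped suppression over disabling the rule, so a real event from an unexpected source is still alerted. Validate the configuration with `suricata -T -c /etc/suricata/suricata.yaml` before the restart in the step above.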

Step 5: Verify the Fix

```bash
# Verify rule changes
iptables -L -n
# Test connectivity after rule adjustment
curl -I http://target-server
```

Common Pitfalls

  • Not testing firewall changes before production
  • Setting detection thresholds too aggressively
  • Using outdated cipher suites for TLS
  • Not tuning IDS signatures for environment

Best Practices

  • Always test rules in staging environment
  • Keep IDS/IPS signatures updated
  • Use strong TLS 1.3 cipher suites
  • Monitor security logs continuously