Re: Why would SSLHandshake() return paramErr with TLS 1.2?

This is very likely an issue with negotiating particular EC ciphersuites. (Google prefers EC with TLS 1.2.)

We expect the fix will go into a post-10.8.3 update. (12581303)

As for Safari/CFNetwork, I believe they just retry with a lower TLS version.

-k

On Mar 18 2013 08:49 PM, Nick Zitzmann wrote:
> I've found that, when I try to configure Secure Transport under OS X 10.8.3 to perform a handshake on the server "google.com" port 443 (note: there's no www there), SSLHandshake() returns error -50 (paramErr). More information:
>
> 1. I'm aware that it could return paramErr if the SSLContextRef is null, but it isn't. I already created the context using SSLCreateContext() and it's being passed correctly to SSLHandshake().
>
> 2. I'm also aware that it could return paramErr if the protocol versions were misconfigured, but that's not what's happening, either. I already set SSL 3.0 as the minimum protocol using SSLSetProtocolVersionMin(), and the maximum protocol (see below) using SSLSetProtocolVersionMax().
>
> 3. The read and write I/O functions are being called during the handshake and are not returning any errors.
>
> 4. This **only** happens when attempting to handshake using TLS 1.2. If I call SSLHandshake() after calling SSLSetProtocolVersionMax() with either TLS 1.1, TLS 1.0, or SSL 3.0, then it works as expected.
>
> 4. When I try to connect to "https://google.com/" in Safari, it works as expected. Clearly CFNetwork is doing something differently, but what? I thought Safari/CFNetwork used TLS 1.2 when it was available.
>
> What's going on here? What other things could cause SSLHandshake() to return paramErr? How do I handshake with this site using TLS 1.2?
>
> Nick Zitzmann
> <http://www.chronosnet.com/>
>
Apple-cdsa mailing list      (email@hidden)