Handshake failed (-12272)

Ethan Blanton elb at pidgin.im
Fri Oct 31 10:46:18 EDT 2014


Thomas, Brian J spake unto us the following wisdom:
> Unfortunately, my company is blocking access to certain sites that may
> help, so I'm coming here.  What does error code -12272 mean?  Does it
> point to one particular aspect, like mismatched algorithms or keys
> that won't work?  Does everything run over port 5222 or are there
> other ports involved?

Yes, this means that Pidgin and the server are not able to
successfully negotiate an SSL connection.  I'm not sure exactly what
this code means (I saw two different meanings for -12272 online; one
of them didn't make sense, the other was that the server and client
didn't have any ciphers in common -- but I didn't consult the source),
but we did make our SSL negotiation somewhat stricter, as well as
improve certificate checking in 2.10.10.  It is possible that your
server is using an unsafe cipher combination and/or a malformed
certificate that is now being caught by Pidgin, but was ignored
previously.  It's also possible that we've made things a bit more
strict.

An OpenSSL s_client trace of the connection might tell us more:

    openssl s_client -connect <hostname>:5222 -starttls xmpp

You may also have to provide system-local configurations such as
-CApath or -CAfile; if it is negotiating SSL v1, v2, or v3 then this
is possibly related, and rerun with -no_ssl2 -no_ssl3.

Note that this trace will contain information about your server's
certificate, which you may not want to share on a public mailing list.
It will not be security-sensitive information, but it will include
hostname, organization, etc.

Ethan
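
An added example, not part of the original message or of Pidgin's code: two shell helpers for a saved s_client trace. summarize_trace reports the negotiated protocol, cipher and verify result and flags SSLv2/SSLv3; redact_trace strips the certificate and subject/issuer names before the trace is posted publicly. The trace, host and organisation in sample_trace are constructed, and the function names are hypothetical.

```shell
# Added example. The trace below is constructed (hypothetical host and
# organisation); its layout follows s_client's usual output.
sample_trace() {
    cat <<'EOF'
depth=0 O = Example Org, CN = xmpp.example.test
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/O=Example Org/CN=xmpp.example.test
   i:/O=Example Org/CN=xmpp.example.test
---
Server certificate
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
subject=/O=Example Org/CN=xmpp.example.test
issuer=/O=Example Org/CN=xmpp.example.test
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
    Verify return code: 18 (self signed certificate)
EOF
}

# Report negotiated protocol, cipher and verify result; flag SSLv2/SSLv3.
summarize_trace() {
    awk '
        /^ *Protocol *:/         { sub(/^[^:]*: */, ""); proto = $0; next }
        /^ *Cipher *:/           { sub(/^[^:]*: */, ""); cipher = $0; next }
        /^ *Verify return code:/ { sub(/^[^:]*: */, ""); verify = $0; next }
        END {
            legacy = (proto ~ /^SSLv[23]$/) ? "yes" : "no"
            printf "protocol=%s\ncipher=%s\nverify=%s\nlegacy_ssl=%s\n", proto, cipher, verify, legacy
        }'
}

# Strip the PEM blob and certificate names before posting a trace publicly.
redact_trace() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { skip = 1; print "[certificate removed]"; next }
        /-----END CERTIFICATE-----/   { skip = 0; next }
        skip                          { next }
        /^(subject|issuer)=/          { sub(/=.*/, "=[redacted]") }
        /^ *([0-9]+ s|i):/            { sub(/:.*/, ":[redacted]") }
        /^depth=/                     { sub(/ .*/, " [redacted]") }
        { print }'
}
sample_trace | redact_trace; sample_trace | summarize_trace
```

Both functions read the trace on standard input, so a saved trace can be piped through them in the same way as the sample.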
