online banking with BB&T
John Ralls
jralls at ceridwen.us
Mon Apr 13 23:22:12 EDT 2015
> On Apr 13, 2015, at 11:58 AM, Chris Hoefler <hoeflerb at gmail.com> wrote:
>
> Hi,
>
> I'm trying to use OFXDirectConnect to download transaction data from BB&T.
> When I set up the account through Tools|Online Banking Setup, I follow the
> wizard prompts until it tries to make an initial handshake with the server.
> It stops with this error message,
>
> 11:45:24 Retrieving SSL certificate
> 11:45:24 Connecting to server...
> 11:45:24 Using old SSL preparation code.
> 11:45:24 TLS Handshake Error: -12 (A TLS fatal alert has been received.)
> 11:45:25 Retrying to connect (SSLv3)
> 11:45:25 Using old SSL preparation code.
> 11:45:25 TLS Handshake Error: -12 (A TLS fatal alert has been received.)
> 11:45:25 Could not connect to server
> 11:45:25 Could not connect to server, giving up (-66)
> 11:45:25 Operation finished, you can now close this window.
>
> The ssldump output tells me that this is a protocol version problem,
>
> New TCP connection #14: *** <-> eftx.bbt.com(443)
> 14 1 0.1925 (0.1925) C>S Handshake
> ClientHello
> Version 3.0
> cipher suites
> SSL_DHE_RSA_WITH_AES_128_CBC_SHA
> SSL_DHE_RSA_WITH_AES_256_CBC_SHA
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> SSL_DHE_DSS_WITH_AES_128_CBC_SHA
> SSL_DHE_DSS_WITH_AES_256_CBC_SHA
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> SSL_RSA_WITH_AES_128_CBC_SHA
> SSL_RSA_WITH_AES_256_CBC_SHA
> SSL_RSA_WITH_3DES_EDE_CBC_SHA
> SSL_RSA_WITH_RC4_128_SHA
> SSL_RSA_WITH_RC4_128_MD5
> Unknown value 0xff
> compression methods
> NULL
> 14 2 0.2444 (0.0518) S>C Alert
> level fatal
> value protocol_version
>
> The BB&T server doesn't support TLS 1.1 or 1.2, so this might be causing
> the problem. Any known solutions? Or, does anybody have BB&T working for
> them? Here is some SSL info from ssllabs,
>
> https://www.ssllabs.com/ssltest/analyze.html?d=eftx.bbt.com
>
> I am using GnuCash 2.6.6 with libaqbanking 5.3.5beta-2 and libaqofxconnect
> on Ubuntu 14.04.
The SSL Labs probe shows that BB&T supports TLS 1.0 only. https://www.openssl.org/docs/ssl/SSL_CONF_cmd.html includes -no_tls_1, which disables TLS-1.0. You could look for that in your SSL config and unset it if you find it, but it would probably be wiser to not use OFXConnect with a bank that is so clueless about security. Were I in your position I'd find a different bank; if they're willing to be 9 years out of date (http://en.wikipedia.org/wiki/Transport_Layer_Security) on OFXConnect security it's unlikely that they take any other kind of security seriously either.
Regards,
John Ralls
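The ssldump trace quoted above shows the whole failure in two records: a ClientHello carrying version 3.0 (SSLv3) and a fatal protocol_version alert from a server that, per the SSL Labs result, accepts TLS 1.0 only. The following script is an added example, not code from the thread or from GnuCash/AqBanking; it parses raw TLS record bytes to reproduce that diagnosis offline. The sample records are constructed here (zeroed client random, empty session id) and the set of server-supported versions is an assumption taken from the SSL Labs finding, not something the script probes.

```python
"""Parse a TLS ClientHello and Alert record and explain a version mismatch.

Added example (not from the mailing-list thread). All byte strings below are
constructed test data, not a real capture of eftx.bbt.com.
"""
import struct

RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01

VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}

# Subset of the IANA cipher suite registry: the suites ssldump listed, plus the
# 0x00ff SCSV that ssldump printed as "Unknown value 0xff".
CIPHER_SUITES = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", 0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}


def parse_record(data):
    """Split one TLS record into (content_type, (major, minor), payload)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record body")
    return ctype, (major, minor), payload


def parse_client_hello(payload):
    """Return (client_version, [cipher suite ids]) from a ClientHello handshake message."""
    if payload[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    client_version = (body[0], body[1])
    pos = 2 + 32                                  # skip the 32-byte client random
    pos += 1 + body[pos]                          # skip session id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    return client_version, suites


def parse_alert(payload):
    """Return (level name, description name) from a 2-byte alert body."""
    if len(payload) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    return ALERT_LEVELS.get(payload[0], str(payload[0])), ALERT_DESCRIPTIONS.get(payload[1], str(payload[1]))


def build_client_hello(version, suites):
    """Construct a minimal ClientHello record (test data only)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"          # version, zero random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # one compression method: NULL
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(hs)) + hs


def build_alert(version, level, description):
    """Construct an Alert record (test data only)."""
    return bytes([RECORD_ALERT]) + bytes(version) + struct.pack("!H", 2) + bytes([level, description])


def diagnose(client_record, server_record, server_supported):
    """Explain a failed handshake. server_supported is the set of versions the
    server is known (e.g. from an SSL Labs scan) to accept; it is an input, not probed."""
    ctype, _, payload = parse_record(client_record)
    if ctype != RECORD_HANDSHAKE:
        raise ValueError("first client record is not a handshake")
    offered, suites = parse_client_hello(payload)
    stype, _, spayload = parse_record(server_record)
    if stype != RECORD_ALERT:
        raise ValueError("server record is not an alert")
    level, desc = parse_alert(spayload)
    return {
        "offered": VERSION_NAMES.get(offered, str(offered)),
        "alert": (level, desc),
        "cipher_suites": [CIPHER_SUITES.get(s, f"unknown 0x{s:04x}") for s in suites],
        "version_mismatch": desc == "protocol_version" and offered not in server_supported,
        "server_accepts": sorted(VERSION_NAMES[v] for v in server_supported),
    }


if __name__ == "__main__":
    # Constructed replay of the quoted exchange: SSLv3 hello, server accepts only TLS 1.0.
    hello = build_client_hello((3, 0), [0x0033, 0x0039, 0x002F, 0x0004, 0x00FF])
    alert = build_alert((3, 0), 2, 70)
    for k, v in diagnose(hello, alert, {(3, 1)}).items():
        print(f"{k}: {v}")
```

The ClientHello's record-layer and handshake-layer versions are the only things the server looks at before deciding whether to continue; the cipher suite list, including the RC4 and 3DES suites offered here, is never evaluated once the version is rejected, which is why tuning the suite list would not have helped the original poster.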