Welcome! Log In Create A New Profile

Issue in ssl negociation

Forum List Message List New Topic Print View

brunoa

December 07, 2011 05:33AM

Registered: 12 years ago
Posts: 4

Hello,

This is my first POST, so please forgive me if I used the wrong mailing-list...

I am using nginx v0.7.65 on Debian squeeze. I have a sporadic issue occuring on requests coming from Android mobile phones, concerning ssl negociation.

After receiving "Client Hello" from the phone, nginx sends 2 packets: "Server Hello" and a 1st fragment on the "Certificate, Server Hello Done" (line 7 in the trace below). Then, it waits for the Ack of the "Server hello" and never sends the 2nd fragment of the "Certificate, Server Hello Done". It retransmitts the "Server Hello", but the client is stuck waiting for the second fragment of the certificate.

And the Android device, I have a 1minute timeout which expires and throws the error "no peer certificate" (see the FIN,Ack, line 12).

Immediately after, nginx sends the second fragment of the "Certificate, Server Hello Done" message (line 13).

My questions are: is nginx fragmenting packets on purpose ? Is there a way to disable this and let IP layer do the fragmentation ?

Could upgrading to 0.7.69 help ?

Here is a summary of the network trace. I can provide the full trace if required.
No. Time Source Destination Protocol Length Info
1 2011-12-05 23:06:51 92.90.19.29 94.143.115.73 TCP 76 37352 > https [SYN] Seq=0 Win=64240 Len=0
2 2011-12-05 23:06:51 94.143.115.73 92.90.19.29 TCP 76 https > 37352 [SYN, ACK] Seq=0 Ack=1 Win=5792
3 2011-12-05 23:06:52 92.90.19.29 94.143.115.73 TCP 68 37352 > https [ACK] Seq=1 Ack=1 Win=64240
4 2011-12-05 23:06:52 92.90.19.29 94.143.115.73 TLSv1 148 Client Hello
5 2011-12-05 23:06:52 94.143.115.73 92.90.19.29 TCP 68 https > 37352 [ACK] Seq=1 Ack=81 Win=6144
6 2011-12-05 23:06:52 94.143.115.73 92.90.19.29 TLSv1 1516 Server Hello
7 2011-12-05 23:06:52 94.143.115.73 92.90.19.29 TCP 1516 [TCP segment of a reassembled PDU]
8 2011-12-05 23:06:56 94.143.115.73 92.90.19.29 TLSv1 1516 [TCP Retransmission] Server Hello
9 2011-12-05 23:07:02 94.143.115.73 92.90.19.29 TLSv1 1516 [TCP Retransmission] Server Hello
10 2011-12-05 23:07:14 94.143.115.73 92.90.19.29 TLSv1 1516 [TCP Retransmission] Server Hello
11 2011-12-05 23:07:39 94.143.115.73 92.90.19.29 TLSv1 1516 [TCP Retransmission] Server Hello
12 2011-12-05 23:07:52 92.90.19.29 94.143.115.73 TCP 68 37352 > https [FIN, ACK] Seq=81 Ack=1 =64240
13 2011-12-05 23:07:52 94.143.115.73 92.90.19.29 TLSv1 1007 Ignored Unknown Record
14 2011-12-05 23:07:52 92.90.19.29 94.143.115.73 TCP 56 37352 > https [RST] Seq=82 Win=0 Len=0

The result in ssl-access.log is a line like this:
92.90.19.29 - - [05/Dec/2011:23:07:51 +0100] "-" 400 0 "-" "-"

My nginx config:
server {

listen 94.143.115.73:443;

server_name www.myinwebo.com myinwebo.com;
ssl on;
ssl_certificate <path to my cert>;
ssl_certificate_key <path to my key>;

ssl_ciphers ALL:!ADH:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

<and then the location configs>
}

Reply Quote

RSS

Subject	Author	Posted
Issue in ssl negociation	brunoa	December 07, 2011 05:33AM
Re: Issue in ssl negociation	Maxim Dounin	December 07, 2011 06:58AM
Re: Issue in ssl negociation	brunoa	December 07, 2011 09:07AM
Re: Issue in ssl negociation	Maxim Dounin	December 07, 2011 10:16AM
Re: Issue in ssl negociation	brunoa	December 07, 2011 07:02PM