Re: Intermittent SSL Handshake Errors

ericr February 03, 2015 01:18PM
I just finished running an experiment that has shed some light on the issue. It has not yet been solved though.

I set up another nginx server with the same configuration with an upstream app that always responds with HTTP 200. I included JS on each page load in production to make a single request to this server.

I ran tcpdump on the test server and what I found was very interesting. Client connections producing the above "inappropriate fallback" on the test server all appear to do some form of the following:

(Client and Server successfully complete 3-way handshake)
Client: Client Hello TLSv1.2
Server: RST
Client: ACK
Server: RST
(Client and Server successfully complete 3-way handshake)
Client: Client Hello TLSv1.1
Server: RST
Client: ACK
Server: RST
(Client and Server successfully complete 3-way handshake)
Client: Client Hello TLSv1.0
Server: Encrypted Alert (Content Type: Alert (21))
(Client sends RST, which the server acknowledges, and the connection ends)

I don't know what the alert is, but I can only assume it's related to TLS_FALLBACK_SCSV since the client closes the connection right after.

What's interesting here is that there is little consistency to these RSTs. Sometimes a client downgrades to TLSv1.1 before getting the Encrypted Alert (Content Type: Alert(21)). Sometimes a client tries the same version over and over again, each time getting an RST from the server, and eventually gives up. Later many of these IP addresses are observed establishing successful connections.

Am I correct to assume Nginx is sending these RST packets?
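
Added example, not part of the original post: a small Python decoder for the two record types in the trace above. It reads the ClientHello version and checks for TLS_FALLBACK_SCSV, applies the RFC 7507 server rule, and decodes an alert record when it is sent in plaintext. The sample records are constructed here, not taken from the poster's capture, and build_hello is a hypothetical helper used only to produce them.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(record):
    """Return (client_version, offers_fallback_scsv) from one TLS record."""
    ctype, _rec_ver, _length = struct.unpack("!BHH", record[:5])
    if ctype != 22 or record[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:]                       # skip 5-byte record + 4-byte handshake header
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                            # version + random
    pos += 1 + body[pos]                    # session_id length byte + session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = struct.unpack("!%dH" % (n // 2), body[pos + 2:pos + 2 + n])
    return client_version, TLS_FALLBACK_SCSV in suites

def parse_alert(record):
    """Return (level, description) for a plaintext alert record, else None."""
    ctype, _ver, length = struct.unpack("!BHH", record[:5])
    if ctype != 21 or length != 2:
        return None                         # a plaintext alert body is exactly 2 bytes
    level, desc = record[5], record[6]
    return ("fatal" if level == 2 else "warning", ALERTS.get(desc, str(desc)))

def server_must_reject(client_version, offers_scsv, server_max):
    """RFC 7507 rule: reject when SCSV is present and the server supports a higher version."""
    return offers_scsv and client_version < server_max

def build_hello(version, suites):           # constructed sample data, not a capture
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + struct.pack("!%dH" % len(suites), *suites)
    body += b"\x01\x00"                     # compression methods: null only
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs

if __name__ == "__main__":
    # First attempt at TLSv1.2, then a retry at TLSv1.0 carrying the fallback SCSV.
    for ver, suites in [(0x0303, [0xC02F, 0x002F]), (0x0301, [0x002F, TLS_FALLBACK_SCSV])]:
        cv, scsv = parse_client_hello(build_hello(ver, suites))
        print(VERSIONS[cv], "SCSV" if scsv else "no SCSV",
              "-> reject:", server_must_reject(cv, scsv, 0x0303))
    # Constructed alert record: level 2 (fatal), description 86.
    print(parse_alert(bytes.fromhex("15030100020256")))
```

Feeding it the raw TCP payload bytes of the first record in each direction shows whether a retry carried the SCSV and, if the alert body is two bytes long, which alert the server sent.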