Maxim Dounin
March 21, 2015 10:54AM
Hello!

On Fri, Mar 20, 2015 at 02:15:42PM -0400, tempspace wrote:

> I had to start looking at this issue again now that there is yet another openssl
> security issue. Now that I know I can go back to a working setup just by
> downgrading SSL, I am able to gather more information.
>
> This morning, I updated the libssl libraries and restarted nginx, and the
> errors started flooding back. This time, I took a packet capture to see what
> was happening and what I could correlate. I run a set of servers that
> handle API requests from a mobile phone application, and every single client
> that produced this error was running iOS.
>
> In the packet capture, we offer the same cipher that the clients always use
> without a problem, but for some reason, some of our iPhone clients have
> issues (not all.) I have been unable to discern a pattern, but it's always
> iPhones and doesn't seem to have anything to do with the device model or the
> OS version. I haven't found a single Android instance of the IPs that show
> up in our error logs, and we have slightly more Android devices than iOS
> devices.
>
> We get the Client Hello which has a list of 37 potential ciphers for TLS
> 1.2. We send the server hello and offer the normal cipher. The client,
> instead of continuing on, immediately sends a FIN, ACK. It then tries to
> connect again over TLS 1.0, gives the client hello, we send the ACK and
> almost immediately, WE send a FIN, ACK to the client.

So it looks like the fallback prevention part looks like it should -
the inappropriate fallback is prevented. The question now is why
fallback happens at all, that is - why the client sends a FIN. It
might be some specific cipher which causes the problem - you may
try switching ssl_prefer_server_ciphers to off (the default) to
see if it helps, and/or playing with ciphers supported (again,
default will be a good starting point).

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
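
The server-side decision behind the "inappropriate fallback is prevented" behaviour discussed above, as an added example that is not part of the original post or of nginx/OpenSSL code. It assumes the mechanism is the RFC 7507 TLS_FALLBACK_SCSV check; the function names and the sample ClientHello records are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86   # RFC 7507 fatal alert description

def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suite ids]) from one TLS record holding a ClientHello."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    (client_version,) = struct.unpack("!H", hello[:2])
    pos = 2 + 32                          # skip client_version and random
    pos += 1 + hello[pos]                 # skip session_id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("truncated cipher suite list")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites

def server_decision(record: bytes, server_max: int = 0x0303):
    """RFC 7507 rule: SCSV present and the server supports a higher version -> fatal alert."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and server_max > version:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)   # server then closes the connection
    return ("continue", min(version, server_max))

def build_hello(version: int, suites):
    """Constructed sample ClientHello (zero random, empty session id, null compression)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: first attempt at TLS 1.2, then a TLS 1.0 retry carrying the SCSV.
FIRST = build_hello(0x0303, [0xC02F, 0x009C, 0x002F])
RETRY = build_hello(0x0301, [0xC013, 0x002F, TLS_FALLBACK_SCSV])

if __name__ == "__main__":
    for name, rec in (("first", FIRST), ("retry", RETRY)):
        print(name, server_decision(rec))
```

The retry is rejected only because the server could have negotiated a higher version, so the alert is a symptom of the earlier aborted TLS 1.2 attempt rather than its cause.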