Issue in ssl negotiation

Maxim Dounin mdounin at
Wed Dec 7 15:14:58 UTC 2011


On Wed, Dec 07, 2011 at 09:07:59AM -0500, brunoa wrote:

> Hi Maxim,
> Thanks for your help. I will investigate this and let you know. If the
> issue is on the mobile operator network, I will be pretty much stuck
> :-(

Most likely it is (make sure to check your network though).

If for some reason you need to be as compatible as possible with 
such broken networks, you may want to disable path mtu discovery 
in your OS.

> Or maybe I will have to decrease the MTU on my server.
> I just checked: all the packets from the trace are sent with the "Don't
> fragment" bit set, and an IP size of 1500 (1516 ethernet).
> What surprises me though, is that the issue arises sporadically. A
> mobile phone will have 1 request out of 4 failing (without a change of
> IP address)...

This may indicate different network paths, with some of them 
filtering ICMP frag-needed packets and others not (or at least 
doing MSS clamp). Alternatively, blackhole detection might come 
and magically fix things.

Maxim Dounin
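
An added example, not part of the original message and not based on the poster's trace: a small Python check for the pattern discussed in this thread, where full-size packets sent by the server with the "Don't fragment" bit set are retransmitted and no ICMP frag-needed message comes back. The addresses, record layout, function name and thresholds are assumptions made for the illustration.

```python
from collections import Counter

SERVER = "192.0.2.10"  # documentation address, assumed for the example

# Constructed packet summaries, not taken from the trace in the thread:
# (time_s, src, dst, ip_len, df_bit, tcp_seq, icmp_frag_needed_for)
# The last field is the original destination quoted inside an ICMP
# type 3 code 4 ("fragmentation needed") message, else None.
TRACE = [
    (0.10, SERVER, "198.51.100.7", 1500, True, 5001, None),
    (0.40, SERVER, "198.51.100.7", 1500, True, 5001, None),
    (1.00, SERVER, "198.51.100.7", 1500, True, 5001, None),
    (2.20, SERVER, "198.51.100.7", 1500, True, 5001, None),
    (0.10, SERVER, "198.51.100.8", 1500, True, 7001, None),
    (0.12, "203.0.113.1", SERVER, 56, False, None, "198.51.100.8"),
    (0.13, SERVER, "198.51.100.8", 1400, True, 7001, None),
    (0.10, SERVER, "198.51.100.9", 1500, True, 9001, None),
    (0.11, SERVER, "198.51.100.9", 1500, True, 10461, None),
]

def classify_peers(trace, server, mtu=1500, min_sends=3):
    """Label each peer by how full-size DF segments from `server` fared."""
    sends = Counter()    # (peer, seq) -> times a full-size DF segment was sent
    frag_needed = set()  # peers for which an ICMP frag-needed came back
    peers = set()
    for _t, src, dst, ip_len, df, seq, icmp_for in trace:
        if icmp_for is not None and dst == server:
            frag_needed.add(icmp_for)
        elif src == server and seq is not None:
            peers.add(dst)
            if df and ip_len >= mtu:
                sends[(dst, seq)] += 1
    verdict = {}
    for peer in sorted(peers):
        worst = max((n for (p, _s), n in sends.items() if p == peer), default=0)
        if peer in frag_needed:
            verdict[peer] = "pmtud-working"        # router reported the smaller MTU
        elif worst >= min_sends:
            verdict[peer] = "blackhole-suspected"  # same big segment resent, no ICMP
        else:
            verdict[peer] = "ok"
    return verdict

if __name__ == "__main__":
    for peer, label in classify_peers(TRACE, SERVER).items():
        print(peer, label)
```

A "blackhole-suspected" peer alongside "ok" peers on the same server matches the sporadic failures described in the thread, where only some network paths drop the ICMP messages.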
