Issue in ssl negociation
mdounin at mdounin.ru
Wed Dec 7 15:14:58 UTC 2011
On Wed, Dec 07, 2011 at 09:07:59AM -0500, brunoa wrote:
> Hi Maxim,
> Thanks for your help. I will investigate this and let you know. If the
> issue is on the mobile operator network, I will be pretty much stuck
Most likely it is (make sure to check your network though).
If for some reason you need to be as compatible as possible with
such broken networks, you may want to disable path mtu discovery
in your OS.
> Or maybe I will have to decrease the MTU on my server.
> I just checked: all the packets from the trace are sent with the "Don't
> fragment" bit set, and an IP size of 1500 (1516 ethernet).
> What surprises me though, is that the issue arises sporadically. A
> mobile phone will have 1 request out of 4 failing (without changing of
> IP address)....
This may indicate different network paths, with some of them
filtering ICMP frag-needed packets, and others don't (or at least
doing MSS clamp). Alternatively, blackhole detection might come
and magically fix things.
More information about the nginx