Issue in ssl negotiation

brunoa nginx-forum at nginx.us
Wed Dec 7 10:33:14 UTC 2011


Hello,

This is my first POST, so please forgive me if I used the wrong
mailing-list...

I am using nginx v0.7.65 on Debian squeeze. I have a sporadic issue
occurring on requests coming from Android mobile phones, concerning ssl
negotiation.

After receiving "Client Hello" from the phone, nginx sends 2 packets:
"Server Hello" and a 1st fragment of the "Certificate, Server Hello
Done" (line 7 in the trace below). Then, it waits for the Ack of the
"Server Hello" and never sends the 2nd fragment of the "Certificate,
Server Hello Done". It retransmits the "Server Hello", but the client
is stuck waiting for the second fragment of the certificate.

On the Android device, I have a 1-minute timeout which expires and
throws the error "no peer certificate" (see the FIN,Ack, line 12).

Immediately after, nginx sends the second fragment of the "Certificate,
Server Hello Done" message (line 13).

My questions are: is nginx fragmenting packets on purpose? Is there a
way to disable this and let the IP layer do the fragmentation?

Could upgrading to 0.7.69 help?

Here is a summary of the network trace. I can provide the full trace if
required.

No.  Time                 Source          Destination     Protocol  Length  Info
 1   2011-12-05 23:06:51  92.90.19.29     94.143.115.73   TCP       76      37352 > https [SYN] Seq=0 Win=64240 Len=0
 2   2011-12-05 23:06:51  94.143.115.73   92.90.19.29     TCP       76      https > 37352 [SYN, ACK] Seq=0 Ack=1 Win=5792
 3   2011-12-05 23:06:52  92.90.19.29     94.143.115.73   TCP       68      37352 > https [ACK] Seq=1 Ack=1 Win=64240
 4   2011-12-05 23:06:52  92.90.19.29     94.143.115.73   TLSv1     148     Client Hello
 5   2011-12-05 23:06:52  94.143.115.73   92.90.19.29     TCP       68      https > 37352 [ACK] Seq=1 Ack=81 Win=6144
 6   2011-12-05 23:06:52  94.143.115.73   92.90.19.29     TLSv1     1516    Server Hello
 7   2011-12-05 23:06:52  94.143.115.73   92.90.19.29     TCP       1516    [TCP segment of a reassembled PDU]
 8   2011-12-05 23:06:56  94.143.115.73   92.90.19.29     TLSv1     1516    [TCP Retransmission] Server Hello
 9   2011-12-05 23:07:02  94.143.115.73   92.90.19.29     TLSv1     1516    [TCP Retransmission] Server Hello
10   2011-12-05 23:07:14  94.143.115.73   92.90.19.29     TLSv1     1516    [TCP Retransmission] Server Hello
11   2011-12-05 23:07:39  94.143.115.73   92.90.19.29     TLSv1     1516    [TCP Retransmission] Server Hello
12   2011-12-05 23:07:52  92.90.19.29     94.143.115.73   TCP       68      37352 > https [FIN, ACK] Seq=81 Ack=1 =64240
13   2011-12-05 23:07:52  94.143.115.73   92.90.19.29     TLSv1     1007    Ignored Unknown Record
14   2011-12-05 23:07:52  92.90.19.29     94.143.115.73   TCP       56      37352 > https [RST] Seq=82 Win=0 Len=0

The result in ssl-access.log is a line like this:
92.90.19.29 - - [05/Dec/2011:23:07:51 +0100] "-" 400 0 "-" "-"

My nginx config:
server {

    listen       94.143.115.73:443;

    server_name www.myinwebo.com myinwebo.com;
    ssl on;
    ssl_certificate <path to my cert>;
    ssl_certificate_key <path to my key>;

    ssl_ciphers ALL:!ADH:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

<and then the location configs>
}

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,219756,219756#msg-219756
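One way to check a capture for the failure pattern the post describes (the server's handshake data stops after the first segment of a reassembled record, the first segment is retransmitted until the client gives up and closes) is to run a small analyser over the Wireshark summary rows. The following Python script is an added example, not code from the original post or from the nginx project; the sample rows are transcribed from the trace above, and the `parse_trace` and `analyse_handshake` functions, the verdict strings and the `SAMPLE_TRACE` name are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: the 14 rows of the trace summary in the post above,
# one packet per line in Wireshark's "No. Time Source Destination Protocol Length Info" layout.
SAMPLE_TRACE = """\
1  2011-12-05 23:06:51 92.90.19.29 94.143.115.73 TCP 76 37352 > https [SYN] Seq=0 Win=64240 Len=0
2  2011-12-05 23:06:51 94.143.115.73 92.90.19.29 TCP 76 https > 37352 [SYN, ACK] Seq=0 Ack=1 Win=5792
3  2011-12-05 23:06:52 92.90.19.29 94.143.115.73 TCP 68 37352 > https [ACK] Seq=1 Ack=1 Win=64240
4  2011-12-05 23:06:52 92.90.19.29 94.143.115.73 TLSv1 148 Client Hello
5  2011-12-05 23:06:52 94.143.115.73 92.90.19.29 TCP 68 https > 37352 [ACK] Seq=1 Ack=81 Win=6144
6  2011-12-05 23:06:52 94.143.115.73 92.90.19.29 TLSv1 1516 Server Hello
7  2011-12-05 23:06:52 94.143.115.73 92.90.19.29 TCP 1516 [TCP segment of a reassembled PDU]
8  2011-12-05 23:06:56 94.143.115.73 92.90.19.29 TLSv1 1516 [TCP Retransmission] Server Hello
9  2011-12-05 23:07:02 94.143.115.73 92.90.19.29 TLSv1 1516 [TCP Retransmission] Server Hello
10 2011-12-05 23:07:14 94.143.115.73 92.90.19.29 TLSv1 1516 [TCP Retransmission] Server Hello
11 2011-12-05 23:07:39 94.143.115.73 92.90.19.29 TLSv1 1516 [TCP Retransmission] Server Hello
12 2011-12-05 23:07:52 92.90.19.29 94.143.115.73 TCP 68 37352 > https [FIN, ACK] Seq=81 Ack=1 Win=64240
13 2011-12-05 23:07:52 94.143.115.73 92.90.19.29 TLSv1 1007 Ignored Unknown Record
14 2011-12-05 23:07:52 92.90.19.29 94.143.115.73 TCP 56 37352 > https [RST] Seq=82 Win=0 Len=0
"""

# One summary row: number, timestamp, source, destination, protocol, length, free-text info.
ROW = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)


def parse_trace(text):
    """Turn summary rows into dicts; lines that do not match the layout (e.g. the header) are skipped."""
    packets = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue
        d = m.groupdict()
        packets.append({
            "no": int(d["no"]),
            "time": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": d["src"],
            "dst": d["dst"],
            "proto": d["proto"],
            "length": int(d["length"]),
            "info": d["info"].strip(),
        })
    return packets


def analyse_handshake(packets):
    """Classify the TLS handshake in one connection's packets.

    Verdict strings (chosen for this example):
      completed      - the server's "Server Hello Done" arrived before the client closed
      server-stalled - the client closed while the server was still retransmitting or
                       had sent only part of a reassembled record
      incomplete     - no Client Hello, or the capture ends mid-handshake
    """
    hello = next((p for p in packets if p["info"] == "Client Hello"), None)
    if hello is None:
        return {"verdict": "incomplete", "reason": "no Client Hello in capture"}
    client, server = hello["src"], hello["dst"]
    after = [p for p in packets if p["no"] > hello["no"]]
    from_server = [p for p in after if p["src"] == server]

    # First FIN or RST the client sends after its hello marks the point where it gave up.
    client_close = next(
        (p for p in after if p["src"] == client and ("[FIN" in p["info"] or "[RST]" in p["info"])),
        None,
    )
    close_no = client_close["no"] if client_close else float("inf")
    retransmissions = sum(1 for p in from_server if "[TCP Retransmission]" in p["info"])
    partial_record = any("segment of a reassembled PDU" in p["info"] for p in from_server)
    done_before_close = any(
        "Server Hello Done" in p["info"] and p["no"] < close_no for p in from_server
    )
    # Server data that only shows up after the client closed (packet 13 in the sample).
    late_server_data = any(p["no"] > close_no for p in from_server)

    if done_before_close:
        verdict = "completed"
    elif client_close is not None and (retransmissions or partial_record):
        verdict = "server-stalled"
    else:
        verdict = "incomplete"

    return {
        "verdict": verdict,
        "client": client,
        "server": server,
        "retransmissions": retransmissions,
        "partial_record": partial_record,
        "late_server_data": late_server_data,
        "stall_seconds": (client_close["time"] - hello["time"]).total_seconds() if client_close else None,
    }


if __name__ == "__main__":
    result = analyse_handshake(parse_trace(SAMPLE_TRACE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run the file directly to print the verdict for the embedded trace; `parse_trace` accepts any text in the same "No. Time Source Destination Protocol Length Info" layout, so the same check can be run over a summary exported from Wireshark or tshark. On the sample it reports four retransmissions, a partial record, a 60-second stall before the client's FIN and server data arriving after the close, which is exactly the sequence the post narrates. A separate point visible in the posted config, worth reviewing independently of the fragmentation question: the `ssl_ciphers` list explicitly enables `+LOW`, `+SSLv2` and `+EXP`, which admit export-grade and SSLv2 suites.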