Intermittent SSL Handshake Errors
Lukas Tribus
luky-37 at hotmail.com
Tue Feb 3 20:41:03 UTC 2015
> I just finished running an experiment that has shed some light on the issue.
> It has not yet been solved though.
>
> I set up another nginx server with the same configuration with an upstream
> app that always responds with HTTP 200. I included JS on each page load in
> production to make a single request to this server.
>
> I ran tcpdump on the test server and what I found was very interesting.
> Client connections producing the above "inappropriate fallback" on the test
> server all appear to do some form of the following:
>
> (Client and Server successfully complete 3-way handshake)
> Client: Client Hello TLSv1.2
> Server: RST
> Client: ACK
> Server: RST
> (Client and Server successfully complete 3-way handshake)
> Client: Client Hello TLSv1.1
> Server: RST
> Client: ACK
> Server: RST
> (Client and Server successfully complete 3-way handshake)
> Client: Client Hello TLSv1.0
> Server: Encrypted Alert (Content Type: Alert (21))
> (Client sends RST, which the server acknowledges, and the connection ends)
Can you reliably reproduce this with specific client software or networks? Can
you upload a pcap file of this failed handshake somewhere for further inspection?