Intermittent SSL Handshake Errors

Lukas Tribus luky-37 at hotmail.com
Tue Feb 3 20:41:03 UTC 2015


> I just finished running an experiment that has shed some light on the issue.
> It has not yet been solved though.
>
> I set up another nginx server with the same configuration with an upstream
> app that always responds with HTTP 200. I included JS on each page load in
> production to make a single request to this server.
>
> I ran tcpdump on the test server and what I found was very interesting.
> Client connections producing the above "inappropriate fallback" on the test
> server all appear to do some form of the following:
>
> (Client and Server successfully complete 3-way handshake)
> Client: Client Hello TLSv1.2
> Server: RST
> Client: ACK
> Server: RST
> (Client and Server successfully complete 3-way handshake)
> Client: Client Hello TLSv1.1
> Server: RST
> Client: ACK
> Server: RST
> (Client and Server successfully complete 3-way handshake)
> Client: Client Hello TLSv1.0
> Server: Encrypted Alert (Content Type: Alert (21))
> (Client sends RST, which the server acknowledges, and the connection ends)

Can you reliably reproduce this with specific client software or networks? Can
you upload a pcap file of this failed handshake somewhere for further inspection?


 		 	   		  

