On Sat, Jan 05, 2013 at 11:03:26AM +0000, Steve Flitcroft wrote:
> I am experiencing a strange issue where sporadically hitting a link in a
> browser will immediately return a 324 Error:Empty Response (chrome) or
> connection reset (FF).
> This happens roughly 5% of the time. I spoke to bedis in the irc forum who
> was helpful but the advice he asked me to follow did not resolve or make
> the situation better. He asked me to post the issue here.
Indeed he's right, reporting issues on the ML is much better than on the
IRC for two reasons:
- they're indexed and archived, so people encountering the same issue
later will find the solution;
- very commonly, bug reporters are not the only ones to face a problem
and by reporting here, you encourage other people to manifest themselves
sometimes with useful complementary information.
> When I use nginx as the terminator we do not receive this issue, however I
> need to use haproxy for the better websocket support.
>
> In the haproxy log file I see the following
>
> 72.172.71.141:42272 [05/Jan/2013:01:28:30.475] ssl-in/1: SSL handshake failure
> 72.172.71.141:42273 [05/Jan/2013:01:28:30.503] ssl-in/1: SSL handshake failure
> 72.172.71.141:42313 [05/Jan/2013:01:28:30.971] ssl-in/1: SSL handshake failure
OK so something is definitely going wrong here.
> Current haproxy config (apologies if it is a mess but we have swapped and
> changed various things trying to work it out)
no problem.
(...)
> frontend ssl-in
> bind *:443 ssl crt /opt/local/certs/ivendi.pem no-tlsv11 no-tlsv12
Does the problem disappear when you remove the no-tlsv11/12 options above?
By using these options, you force the browser to use TLSv1.0 or SSLv3 only.
Maybe you are not doing the exact same thing in your nginx setup.
If the problem continues without these options, could you please provide a
network capture (e.g. from your client in order to limit the traffic). Please
use tcpdump -s0 -w $file.cap to ensure that you capture full packets. We'll
see there if something is unexpected in the handshake (browser forcing to
use TLSv1.1, or any such thing).
There is nothing apparently wrong in the rest of your config; despite your
warning, it was not such a mess :-)
Regards,
Willy
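As an added example that is not part of this thread, a small Python check that scans a haproxy log for the "SSL handshake failure" lines quoted above and reports, per frontend, how many logged connections died in the TLS handshake and which client addresses they came from. The three failure lines in the sample are the ones from the thread; the request lines and the backend name app/web1 are constructed.

```python
import re
from collections import Counter

# Every haproxy traffic line starts with client:port, a bracketed accept
# timestamp and the frontend name. On an "ssl" bind line a normal request logs
# the frontend as "ssl-in~", while a failed handshake logs "ssl-in/<bind_id>:
# SSL handshake failure", so the frontend name is cut at "/" or "~".
LOG_PREFIX = re.compile(
    r"^(?P<ip>\S+?):(?P<port>\d+) \[(?P<ts>[^\]]+)\] (?P<frontend>[^\s/~]+)"
)
HANDSHAKE_FAILURE = re.compile(r"^\S+ \[[^\]]+\] \S+/\d+: SSL handshake failure$")

# Constructed sample log: the three handshake failures quoted in the thread,
# five ordinary HTTPS requests on the same frontend and one plain-HTTP request
# (backend/server names and request lines are made up).
SAMPLE_LOG = """\
72.172.71.141:42270 [05/Jan/2013:01:28:29.101] ssl-in~ app/web1 0/0/1/12/13 200 1532 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1"
72.172.71.141:42272 [05/Jan/2013:01:28:30.475] ssl-in/1: SSL handshake failure
72.172.71.141:42273 [05/Jan/2013:01:28:30.503] ssl-in/1: SSL handshake failure
72.172.71.141:42280 [05/Jan/2013:01:28:30.611] ssl-in~ app/web1 0/0/1/9/10 200 812 - - ---- 3/3/0/0/0 0/0 "GET /app.js HTTP/1.1"
10.0.0.5:51000 [05/Jan/2013:01:28:30.702] http-in app/web1 0/0/1/4/5 301 0 - - ---- 3/1/0/0/0 0/0 "GET / HTTP/1.1"
72.172.71.141:42290 [05/Jan/2013:01:28:30.850] ssl-in~ app/web1 0/0/2/20/22 200 2048 - - ---- 3/3/0/0/0 0/0 "GET /ws HTTP/1.1"
72.172.71.141:42313 [05/Jan/2013:01:28:30.971] ssl-in/1: SSL handshake failure
72.172.71.141:42320 [05/Jan/2013:01:28:31.020] ssl-in~ app/web1 0/0/1/11/12 200 1532 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1"
72.172.71.141:42321 [05/Jan/2013:01:28:31.118] ssl-in~ app/web1 0/0/1/8/9 200 640 - - ---- 3/3/0/0/0 0/0 "GET /style.css HTTP/1.1"
"""

def handshake_failure_stats(lines):
    """Return ({frontend: (failures, total_connections)}, {client_ip: failures})."""
    totals, failures, per_client = Counter(), Counter(), Counter()
    for raw in lines:
        line = raw.strip()
        m = LOG_PREFIX.match(line)
        if not m:
            continue  # startup/config messages, not a per-connection line
        fe = m.group("frontend")
        totals[fe] += 1
        if HANDSHAKE_FAILURE.match(line):
            failures[fe] += 1
            per_client[m.group("ip")] += 1
    return {fe: (failures[fe], totals[fe]) for fe in totals}, per_client

def failure_rate(lines, frontend):
    """Fraction of a frontend's logged connections that died in the TLS handshake."""
    stats, _ = handshake_failure_stats(lines)
    failed, total = stats.get(frontend, (0, 0))
    return failed / total if total else 0.0
```

Run it over the real log before and after dropping the no-tlsv11/no-tlsv12 options to see whether the failure rate for ssl-in actually changes, which is the comparison the reply asks for.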