Hello Andrei,
On Mon, Jul 08, 2013 at 09:16:23AM +0300, Andrei Marinescu wrote:
> Hello Willy,
>
> Thank you for your answer! I've attached a dump with two requests from
> the same ip. First one failed with Connection closed during SSL
> handshake, the second one failed with Timeout during SSL handshake.
>
> I've translated the .cap file with tcpdump -qns 0 -X -r file.cap >
> translated.cap in order to make the dump readable and extract the two
> requests. If the original dump is needed, let me know and I'll attach it
> a.s.a.p.

That would definitely help, in order to pass it via ssldump. Or you can
do it yourself as well. What I'm seeing anyway (-q wasn't the most helpful
option here :-)) is that the client closes first. The sequence looks like
this:

   client               SYN                 server
   port 58713 -----------------------> :443
                       SYN/ACK
              <-----------------------
                         ACK
              ----------------------->
              PSH: TLSv1 client hello with SNI
              ----------------------->
              PSH: TLSv1 server hello
              <-----------------------
              FIN: client decides to close
              ----------------------->
              FIN: server acknowledges and closes
              <-----------------------
              RST: client had already closed
              ----------------------->

So in short, the client disagrees with what the server proposed. Either
it's because of the algorithms in use, or because something is missing.
For example, I'm not seeing any certificate presented by the server, so
it looks like session resumption.
Ssldump would tell us what algorithms were negotiated in each direction.
You can also try with tshark/wireshark I think.
Best regards,
Willy
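
Added example, not part of the original message: a minimal Python sketch of the check described above, walking the server's side of a TLS handshake to see whether a Certificate message follows the ServerHello (full handshake) or the server goes straight to ChangeCipherSpec (session resumption). It assumes the server-to-client TCP payload has already been reassembled into one byte string; the function names and the sample byte strings are constructed for illustration.

```python
import struct

HANDSHAKE_NAMES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done"}

def server_flight(stream: bytes):
    """List the cleartext TLS messages in a server-to-client byte stream."""
    seen, hs_buf, pos = [], b"", 0
    while pos + 5 <= len(stream):
        # TLS record header: content type (1), version (2), length (2)
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if len(body) < length:            # capture cut short mid-record
            seen.append("truncated_record")
            break
        if ctype == 20:                   # ChangeCipherSpec
            seen.append("change_cipher_spec")
            break                         # everything after it is encrypted
        if ctype == 21:
            seen.append("alert")
        if ctype != 22:                   # only handshake records carry messages
            continue
        hs_buf += body
        while len(hs_buf) >= 4:           # handshake header: type (1), length (3)
            mlen = int.from_bytes(hs_buf[1:4], "big")
            if len(hs_buf) < 4 + mlen:
                break                     # message continues in the next record
            seen.append(HANDSHAKE_NAMES.get(hs_buf[0], f"handshake_{hs_buf[0]}"))
            hs_buf = hs_buf[4 + mlen:]
    return seen

def classify(seen):
    if "certificate" in seen:
        return "full handshake"
    if seen[:2] == ["server_hello", "change_cipher_spec"]:
        return "session resumption"
    return "undetermined"

# --- constructed sample data, not taken from the capture in this thread ---
def _rec(ctype, body):
    return struct.pack("!BHH", ctype, 0x0301, len(body)) + body

def _hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

HELLO = _hs(2, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
FULL = _rec(22, HELLO + _hs(11, bytes(7)) + _hs(14, b""))
RESUMED = _rec(22, HELLO) + _rec(20, b"\x01") + _rec(22, bytes(48))

if __name__ == "__main__":
    for name, data in (("FULL", FULL), ("RESUMED", RESUMED)):
        print(name, server_flight(data), "->", classify(server_flight(data)))
```
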