Re: NOSRV/BADREQ from some Java based clients [SSL handshake issue]

Mon, 23 Feb 2015 13:57:20 -0800 

Attached is the information you requested -- and hopefully performed
correctly :)

* no_haproxy.pcap: This is a successful connection + POST to the
original Mochiweb server. Note that here the port is 8443 not 443
(IP=10.3.3.3)
* ha_self_signed.pcap: Failed attempt against HAProxy with a self
signed certificate & key.
* TEST_cert_and_key.pem: The self signed cert/key from above.

The bind line for ha_self_signed.pcap looks like this:
bind *:443 ssl crt /home/bashby/Lukas/TEST_cert_and_key.pem ciphers AES128-SHA

Thanks again to you and everyone here taking the time to look at this!

On Mon, Feb 23, 2015 at 2:01 PM, Lukas Tribus <luky...@hotmail.com> wrote:
> Ok, so as expected, this didn't really change anything, but at least
> we have a config/capture consistency.
>
> Now, it looks like the client decides after the (what appears to be a
> successful) handshake to close the connection by sending a FIN, which
> then triggers the "400 Bad request" from the haproxy side.
>
> Two questions we need address:
> - how does the handshake look like in the legacy config (Mochiweb terminates
>   SSL) when using those old apps/clients?
> - what happens on from a SSL/TLS perspective on the unencrypted layer?
>
>
> So, could you possibly:
> - send us a working SSL/TLS session pcap trace of those clients/app on your
>   current mochiweb service? Perhaps the client is buggy on all but a specific
>   ciphers, although he advertises otherwise. If we replicate the mochiweb SSL
>   handshake as close as possible, we may be able to get it to work, and then 
> we
>   can start pin pointing the issue. For example, we could try to force:
>   TLS_RSA_WITH_RC4_128_MD5 by configuring "RC4-MD5" as cipher string in 
> haproxy.
>
> - recreate the issue with a self-signed key/cert and a non-FS ciphers,
>   and provide us pcap, cert and private key (triple checking none of
>   those thing are confidential)? That way, we see what happens inside the
>   encrypted channel. Since the client doesn't really send any application 
> data,
>   what we are most interested in are encrypted handshake messages.
>
>
> Its pretty clear the Mozilla recommendation doesn't help us in this case, 
> since
> there seems to be a specific implementation bug, so we may as well use non-FS
> ciphers for the troubleshooting session.
>
>
>
> Regards,
>
> Lukas
>
>

Attachment: ha_self_signed.pcap
Description: Binary data

Attachment: no_haproxy.pcap
Description: Binary data

Attachment: TEST_cert_and_key.pem
Description: Binary data

Reply via email to