[ 
https://issues.apache.org/jira/browse/TS-3451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14366006#comment-14366006
 ] 

Susan Hinrichs commented on TS-3451:
------------------------------------

Running 5.2 plus the fix from TS-3424 in production with additional debug 
prints to get details of SSL_ERROR_SSL from SSLAccept, I'm seeing a burst of 
1-5 errors about once a minute.

I see mostly the following

* SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback -  This is the most frequent 
message by far in the log.  This seems like a legitimate error.  The server is 
preventing clients from negotiating protocol A and falling back to lower 
protocol B. https://dwradcliffe.com/2014/10/16/testing-tls-fallback.html

* SSL3_GET_CLIENT_HELLO:no shared cipher - The client and server have no 
ciphers in common.  This is quite a believable error. 

* SSL3_GET_CLIENT_HELLO:required cipher missing - This means that on a session 
resume, the client is offering different ciphers than were used when the cipher 
was originally negotiated.  Seems odd.  See a discussion here about Android 
having issues here.  
https://code.google.com/p/android/issues/detail?id=97132

* SSL3_GET_MESSAGE:unexpected message

* SSL3_READ_BYTES:sslv3 alert unexpected message

* SSL3_READ_BYTES:sslv3 alert bad certificate

* SSL3_READ_BYTES:sslv3 alert bad record mac - Perhaps we still have some 
corruption from the handshake?

* SSL3_READ_BYTES:sslv3 alert illegal parameter

* SSL3_READ_BYTES:tlsv1 alert unknown ca

> SSL_ERROR_SSL increases moving from 5.0 to 5.2
> ----------------------------------------------
>
>                 Key: TS-3451
>                 URL: https://issues.apache.org/jira/browse/TS-3451
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Susan Hinrichs
>            Assignee: Brian Geffon
>
> I'm creating a new bug to track the SSL_ERROR_SSL issues that [~briang] is 
> seeing beyond the handshake buffer errors causing the "decryption failed or 
> bad record mac" messages described in TS-3424.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
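
A tally like the one in the comment above can be produced from the debug prints with a short script. This is an added example, not code from the comment or from Traffic Server. The timestamp and `SSLAccept` prefix of the sample lines are assumptions; only the `error:<hex>:SSL routines:<func>:<reason>` part follows OpenSSL's `ERR_error_string()` layout. It also separates alerts received from the peer (reasons of the form `sslv3 alert ...` / `tlsv1 alert ...`) from errors detected locally by the server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines; the timestamp/prefix layout is an assumption.
# Only the "error:<hex>:SSL routines:<func>:<reason>" part follows OpenSSL's
# ERR_error_string() layout.
SAMPLE_LOG = """\
[Mar 17 14:02:11] SSLAccept error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback
[Mar 17 14:02:11] SSLAccept error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback
[Mar 17 14:02:12] SSLAccept error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
[Mar 17 14:03:40] SSLAccept error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
[Mar 17 14:03:41] SSLAccept error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
[Mar 17 14:03:41] SSLAccept some unrelated debug line
"""

LINE_RE = re.compile(
    r"^\[(?P<minute>\w+ +\d+ \d\d:\d\d):\d\d\].*?"
    r"error:[0-9A-Fa-f]+:SSL routines:(?P<func>[^:]+):(?P<reason>.+)$")
ALERT_RE = re.compile(r"^(sslv3|tlsv1) alert ")

def origin(reason):
    """'peer' if the reason is an alert received from the client, else 'local'."""
    return "peer" if ALERT_RE.match(reason) else "local"

def triage(log_text):
    """Return (per-error counts, per-minute counts) for SSL_ERROR_SSL lines."""
    by_error = Counter()
    by_minute = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an OpenSSL error-queue line
        key = (m["func"], m["reason"], origin(m["reason"]))
        by_error[key] += 1
        by_minute[m["minute"]][origin(m["reason"])] += 1
    return by_error, dict(by_minute)

if __name__ == "__main__":
    errors, minutes = triage(SAMPLE_LOG)
    for (func, reason, who), n in errors.most_common():
        print(f"{n:3d}  {who:5s}  {func}:{reason}")
    for minute, counts in sorted(minutes.items()):
        print(minute, dict(counts))
```

The per-minute counts make the bursts visible, and the peer/local split shows which errors the server raised itself and which were reported to it by the client.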
