Hello List,

in our setup we use Apache 2.4.16 with mod_nss 1.0.13 and have enabled Session Tickets (RFC 5077). The Session Ticket feature has worked with Chrome and Firefox for a while now. The certificate database was stored in the filesystem.

Now we have moved nearly the same certificates into a slot of a High Security Module. Since then, Firefox is often complaining about unexpected new Session Tickets. The error is: SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET

I analyzed it with Wireshark and saw that the server is indeed periodically sending new Session Tickets towards the client, which it did not do before. Sometimes Firefox complains, sometimes it does not.

The Apache logs:

[Fri Oct 21 14:17:44.083822 2016] [:info] [pid 839] (104)Connection reset by peer: SSL library error -12216 writing data
[Fri Oct 21 14:17:44.083954 2016] [:info] [pid 839] SSL Library Error: -12216 Attempt to write encrypted data to underlying socket failed
[Fri Oct 21 14:17:44.084430 2016] [:debug] [pid 839] nss_engine_io.c(667): SSL connection destroyed without being closed
[Fri Oct 21 14:17:52.972846 2016] [:info] [pid 839] Connection to child 0 established (server xxxx.xxx.xxx.xx:443, client 192.168.1.99)
[Fri Oct 21 14:17:53.878877 2016] [:info] [pid 839] (70014)End of file found: SSL input filter read failed.

The Chrome browser behaviour is a little bit different. When the server sends the (second) Session Ticket, Chrome complains with ERR_SSL_VERSION_OR_CIPHER_MISMATCH, and no further TLS connection is possible anymore.

[Fri Oct 21 14:20:57.300227 2016] [:info] [pid 839] SSL input filter read failed.
[Fri Oct 21 14:20:57.300391 2016] [:error] [pid 839] SSL Library Error: -12229 SSL peer was not expecting a handshake message it received
[Fri Oct 21 14:20:57.301942 2016] [:info] [pid 839] Connection to child 0 closed (server xxxx.xxx.xxx.xx:443, client 192.168.1.99)
[Fri Oct 21 14:20:57.302471 2016] [:info] [pid 839] Connection to child 0 established (server xxxx.xxx.xxx.xx:443, client 192.168.1.99)
[Fri Oct 21 14:20:57.304934 2016] [:info] [pid 839] SSL input filter read failed.
[Fri Oct 21 14:20:57.305066 2016] [:error] [pid 839] SSL Library Error: -12279 Client is using unsupported SSL version
[Fri Oct 21 14:20:57.305633 2016] [:info] [pid 839] Connection to child 0 closed (server xxxx.xxx.xxx.xx:443, client 192.168.1.99)
[Fri Oct 21 14:20:57.307819 2016] [:info] [pid 839] Connection to child 0 established (server xxxx.xxx.xxx.xx:443, client 192.168.1.99)
[Fri Oct 21 14:20:57.310564 2016] [:info] [pid 839] SSL input filter read failed.
[Fri Oct 21 14:20:57.310700 2016] [:error] [pid 839] SSL Library Error: -12279 Client is using unsupported SSL version
[Fri Oct 21 14:20:57.311263 2016] [:info] [pid 839] Connection to child 0 closed (server xxxx.xxx.xxx.xx:443, client 192.168.1.99)

Any ideas on how to investigate this issue further?

We use TLS 1.2 and the cipher suites ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256

Best regards,
Oliver

_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
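An added example, not part of the original post and not mod_nss or NSS code, for checking what Firefox's SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET is actually about: under RFC 5077 a TLS 1.2 server may send NewSessionTicket only after a ServerHello that carried the session_ticket extension and only before its ChangeCipherSpec, so a ticket in any other position is "unexpected" to the client. The script below walks a server's handshake flight and flags tickets in the two disallowed positions. It assumes the records are plaintext or already decrypted (for example a Wireshark export with a key log), that no handshake message spans more than one record, and it runs on constructed sample flights rather than captured traffic; the cipher suite value 0xc02b (ECDHE-ECDSA-AES128-GCM-SHA256) matches the configuration in the post.

```python
"""Flag NewSessionTicket messages a TLS 1.2 client must treat as unexpected.

Added example. Assumes plaintext/decrypted TLS records and no handshake
message fragmented across records. Sample flights are constructed, not captured.
"""
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20
SERVER_HELLO, NEW_SESSION_TICKET = 2, 4
EXT_SESSION_TICKET = 35  # RFC 5077 session_ticket extension type


def iter_records(data):
    """Yield (content_type, fragment) for each TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length


def iter_handshakes(fragment):
    """Yield (msg_type, body) for each handshake message in one record fragment."""
    off = 0
    while off + 4 <= len(fragment):
        msg_type = fragment[off]
        length = int.from_bytes(fragment[off + 1:off + 4], "big")
        yield msg_type, fragment[off + 4:off + 4 + length]
        off += 4 + length


def server_hello_offers_ticket(body):
    """True if the ServerHello body carries the (empty) session_ticket extension."""
    off = 2 + 32                      # server_version + random
    off += 1 + body[off]              # session_id (length-prefixed)
    off += 2 + 1                      # cipher_suite + compression_method
    if off + 2 > len(body):
        return False                  # no extensions block at all
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[off:off + 4])
        if ext_type == EXT_SESSION_TICKET:
            return True
        off += 4 + length
    return False


def check_ticket_ordering(server_flight):
    """Return findings for every NewSessionTicket that violates RFC 5077 ordering."""
    findings = []
    ticket_offered = False
    ccs_seen = False
    for ctype, fragment in iter_records(server_flight):
        if ctype == CHANGE_CIPHER_SPEC:
            ccs_seen = True
            continue
        if ctype != HANDSHAKE:
            continue
        for msg_type, body in iter_handshakes(fragment):
            if msg_type == SERVER_HELLO:
                ticket_offered = server_hello_offers_ticket(body)
            elif msg_type == NEW_SESSION_TICKET:
                if ccs_seen:
                    findings.append("NewSessionTicket after ChangeCipherSpec")
                elif not ticket_offered:
                    findings.append("NewSessionTicket without session_ticket extension in ServerHello")
    return findings


# --- constructed sample flights (hypothetical, not captured traffic) ---
def _record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def _handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _server_hello(offer_ticket):
    # version 1.2, zero random, empty session_id, suite 0xc02b, no compression
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2b" + b"\x00"
    if offer_ticket:
        body += struct.pack("!HHH", 4, EXT_SESSION_TICKET, 0)
    return _handshake(SERVER_HELLO, body)


# ticket_lifetime_hint = 3600, 4-byte opaque ticket
_TICKET = _handshake(NEW_SESSION_TICKET, b"\x00\x00\x0e\x10" + b"\x00\x04" + b"TKT1")

GOOD_FLIGHT = (_record(HANDSHAKE, _server_hello(True) + _TICKET)
               + _record(CHANGE_CIPHER_SPEC, b"\x01"))
NO_EXT_FLIGHT = (_record(HANDSHAKE, _server_hello(False) + _TICKET)
                 + _record(CHANGE_CIPHER_SPEC, b"\x01"))
LATE_TICKET_FLIGHT = (_record(HANDSHAKE, _server_hello(True))
                      + _record(CHANGE_CIPHER_SPEC, b"\x01")
                      + _record(HANDSHAKE, _TICKET))

if __name__ == "__main__":
    for name, flight in [("good", GOOD_FLIGHT), ("no-ext", NO_EXT_FLIGHT),
                         ("late", LATE_TICKET_FLIGHT)]:
        print(name, check_ticket_ordering(flight) or "ok")
```

Run it against bytes exported from the decrypted Wireshark session to see which of the two violations the server is producing; a ticket after ChangeCipherSpec is the case NSS reports on the client as an unexpected NewSessionTicket, while a ticket without the extension in the ServerHello is the other ordering a client will reject.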
