Re: [openssl-users] Troubleshooting SSL connections

[Kyle Hamilton]

What kind of stateful packet inspection are the NATs doing?

Can you run packet captures on each network that's being translated?

-Kyle H

On Thu, Nov 2, 2017 at 4:23 PM, Paul Greene  wrote:
> Yes. I've made captures on both - the production client that I manage and
> the test client I have at home.
> On the production client, the conversation lasts only 8 packets - the
> initial 3 way handshake, my client sends a PUSH packet, gets an ACK from the
> upstream, and then the upstream sends a FIN packet and closes the
> connection. The actual error message you see from the commandline is what I
> posted above.
> On the test client, after the PUSH packet is sent to the upstream server, it
> starts a conversation, and they continue the conversation until I did a
> CTRL-C.
>
> Paul
>
> On Thu, Nov 2, 2017 at 11:00 AM, Salz, Rich via openssl-users
>  wrote:
>>
>> Have you thought of putting a packet-capture on, say, the client side and
>> then viewing it?
>>
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Troubleshooting SSL connections

[Paul Greene]

Yes. I've made captures on both - the production client that I manage and
the test client I have at home.
On the production client, the conversation lasts only 8 packets - the
initial 3 way handshake, my client sends a PUSH packet, gets an ACK from
the upstream, and then the upstream sends a FIN packet and closes the
connection. The actual error message you see from the commandline is what I
posted above.
On the test client, after the PUSH packet is sent to the upstream server,
it starts a conversation, and they continue the conversation until I did a
CTRL-C.

Paul

On Thu, Nov 2, 2017 at 11:00 AM, Salz, Rich via openssl-users <
openssl-users@openssl.org> wrote:

> Have you thought of putting a packet-capture on, say, the client side and
> then viewing it?
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Troubleshooting SSL connections

[Salz, Rich via openssl-users]

Have you thought of putting a packet-capture on, say, the client side and then 
viewing it?
 

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Troubleshooting SSL connections

[Paul Greene]

Hello All,

I've got two servers that need to communicate with each other using SSL. 
The applications that are supposed to talk to each other are custom in 
house applications.


When I try to connect to the upstream server, you can see the initial 
connection established - "Connecting to "address>":8443 ... connected"


Then you get "Initiating SSL handshake. SSL handshake failed. Closed fd 
3. Unable to establish SSL connection"


The network path between the two servers is rather convoluted - the IP 
address of my server gets NATed at least twice, it passes through a 
couple of different firewalls, proxy servers, and load balancers. The 
upstream server is on a public IP address, but the path to get there is 
an internal network that doesn't hit the public internet directly.


As a test with the application administrator, I cloned my server and 
moved the cloned copy (vmware servers) to a public IP address and 
attempted the connection from there, and it worked without an issue. The 
connection was established and it started polling the upstream server 
the way it was supposed to. That should indicate that there isn't an 
issue with either the server I'm managing or the upstream server, and 
the problem must be somewhere in the network in between. (the upstream 
server has been up and running for at least a year, so I'm pretty sure 
there is no issue with their server itself)


There's three different tech support groups that I have to deal with to 
troubleshoot this issue. They all have monitored the traffic and seen 
the initial connection being established, so they believe there is 
nothing on their side blocking the traffic, but no one can determine why 
the SSL connection keeps failing. But something, somewhere in that 
network path is messing with the network stream when it comes to 
processing the SSL packets.


Sorry this post is rather convoluted and long winded - what I'm hoping 
is that someone might suggest what might be happening here that is 
messing with the connections (because this is an openssl list and the 
problem is related to failing ssl connections). I don't manage or have 
control over any of the network devices in between, so all I can do is 
suggest something "out of the box" that they might not have thought of 
before.


Thanks,

Paul

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users