Re: [openssl-users] Troubleshooting SSL connections
What kind of stateful packet inspection are the NATs doing? Can you run packet captures on each network that's being translated? -Kyle H On Thu, Nov 2, 2017 at 4:23 PM, Paul Greenewrote: > Yes. I've made captures on both - the production client that I manage and > the test client I have at home. > On the production client, the conversation lasts only 8 packets - the > initial 3 way handshake, my client sends a PUSH packet, gets an ACK from the > upstream, and then the upstream sends a FIN packet and closes the > connection. The actual error message you see from the commandline is what I > posted above. > On the test client, after the PUSH packet is sent to the upstream server, it > starts a conversation, and they continue the conversation until I did a > CTRL-C. > > Paul > > On Thu, Nov 2, 2017 at 11:00 AM, Salz, Rich via openssl-users > wrote: >> >> Have you thought of putting a packet-capture on, say, the client side and >> then viewing it? >> >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Troubleshooting SSL connections
Yes. I've made captures on both - the production client that I manage and the test client I have at home. On the production client, the conversation lasts only 8 packets - the initial 3 way handshake, my client sends a PUSH packet, gets an ACK from the upstream, and then the upstream sends a FIN packet and closes the connection. The actual error message you see from the commandline is what I posted above. On the test client, after the PUSH packet is sent to the upstream server, it starts a conversation, and they continue the conversation until I did a CTRL-C. Paul On Thu, Nov 2, 2017 at 11:00 AM, Salz, Rich via openssl-users < openssl-users@openssl.org> wrote: > Have you thought of putting a packet-capture on, say, the client side and > then viewing it? > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Troubleshooting SSL connections
Have you thought of putting a packet-capture on, say, the client side and then viewing it? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Troubleshooting SSL connections
Hello All, I've got two servers that need to communicate with each other using SSL. The applications that are supposed to talk to each other are custom in house applications. When I try to connect to the upstream server, you can see the initial connection established - "Connecting to "address>":8443 ... connected" Then you get "Initiating SSL handshake. SSL handshake failed. Closed fd 3. Unable to establish SSL connection" The network path between the two servers is rather convoluted - the IP address of my server gets NATed at least twice, it passes through a couple of different firewalls, proxy servers, and load balancers. The upstream server is on a public IP address, but the path to get there is an internal network that doesn't hit the public internet directly. As a test with the application administrator, I cloned my server and moved the cloned copy (vmware servers) to a public IP address and attempted the connection from there, and it worked without an issue. The connection was established and it started polling the upstream server the way it was supposed to. That should indicate that there isn't an issue with either the server I'm managing or the upstream server, and the problem must be somewhere in the network in between. (the upstream server has been up and running for at least a year, so I'm pretty sure there is no issue with their server itself) There's three different tech support groups that I have to deal with to troubleshoot this issue. They all have monitored the traffic and seen the initial connection being established, so they believe there is nothing on their side blocking the traffic, but no one can determine why the SSL connection keeps failing. But something, somewhere in that network path is messing with the network stream when it comes to processing the SSL packets. Sorry this post is rather convoluted and long winded - what I'm hoping is that someone might suggest what might be happening here that is messing with the connections (because this is an openssl list and the problem is related to failing ssl connections). I don't manage or have control over any of the network devices in between, so all I can do is suggest something "out of the box" that they might not have thought of before. Thanks, Paul -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users