Hi Andrei, > I've attached the original cap file and the ssldump for this specific > request.
I only see a single session of that IP in the cap file. What we can see from the dump is: - the client provides both a TLS session ticket and a session ID - the server acknowledges the session ID - the server sends a "Change Cipher Spec" message [1] - the client disconnects I don't think this is enough information to draw a conclusion. A wild guess could be that the client gets upset about the Change Cipher Spec message, but that is really a very wild guess. We would need to see the session before and after this one, to be able to put them in context. Any additional informations about the User-Agent would certainly also help. Btw, can you clearly reproduce this, or is this a random session failed on your prodution box? Regards, Lukas [1] http://de.wikipedia.org/wiki/Transport_Layer_Security#TLS_Change_Cipher_Spec_Protocol
<<attachment: compose-unknown-contact.jpg>>