Here's a trace of a recent SSL handshake attempt: 1 0.000000 CLIENT_IP -> SERVER_IP TCP 49168 > urd [SYN] Seq=0 Win=8192 Len=0 MSS=1380 WS=2 8192 52 2 0.000010 SERVER_IP -> CLIENT_IP TCP urd > 49168 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=2 5840 52 3 0.000680 CLIENT_IP -> SERVER_IP TCP 49168 > urd [ACK] Seq=1 Ack=1 Win=66240 Len=0 66240 40 4 0.000990 CLIENT_IP -> SERVER_IP SSL Client Hello 66240 209 5 0.001005 SERVER_IP -> CLIENT_IP TCP urd > 49168 [ACK] Seq=1 Ack=170 Win=6912 Len=0 6912 40 6 0.009298 SERVER_IP -> CLIENT_IP TLSv1 Server Hello, 6912 1420 7 0.009313 SERVER_IP -> CLIENT_IP TLSv1 Certificate, Server Key Exchange, Server Hello Done 6912 1356 8 0.010187 CLIENT_IP -> SERVER_IP TCP 49168 > urd [ACK] Seq=170 Ack=2697 Win=66240 Len=0 66240 40 9 0.024244 CLIENT_IP -> SERVER_IP TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message 66240 174 10 0.025339 SERVER_IP -> CLIENT_IP TLSv1 Change Cipher Spec, Encrypted Handshake Message 7984 99 11 0.225653 SERVER_IP -> CLIENT_IP TLSv1 [TCP Retransmission] Change Cipher Spec, Encrypted Handshake Message 7984 99 12 0.226324 CLIENT_IP -> SERVER_IP TCP 49168 > urd [ACK] Seq=304 Ack=2756 Win=66180 Len=0 SLE=1597629342 SRE=1597629401 66180 52 13 0.627556 SERVER_IP -> CLIENT_IP TLSv1 [TCP Retransmission] Change Cipher Spec, Encrypted Handshake Message 7984 99 14 0.628474 CLIENT_IP -> SERVER_IP TCP [TCP Dup ACK 12#1] 49168 > urd [ACK] Seq=304 Ack=2756 Win=66180 Len=0 SLE=1597629342 SRE=1597629401 66180 52 15 1.431361 SERVER_IP -> CLIENT_IP TLSv1 [TCP Retransmission] Change Cipher Spec, Encrypted Handshake Message 7984 99 16 1.432062 CLIENT_IP -> SERVER_IP TCP [TCP Dup ACK 12#2] 49168 > urd [ACK] Seq=304 Ack=2756 Win=66180 Len=0 SLE=1597629342 SRE=1597629401 66180 52 17 3.039985 SERVER_IP -> CLIENT_IP TLSv1 [TCP Retransmission] Change Cipher Spec, Encrypted Handshake Message 7984 99 18 3.040671 CLIENT_IP -> SERVER_IP TCP [TCP Dup ACK 12#3] 49168 > urd [ACK] Seq=304 Ack=2756 Win=66180 Len=0 SLE=1597629342 SRE=1597629401 66180 52 19 6.255200 SERVER_IP -> CLIENT_IP TLSv1 [TCP Retransmission] Change Cipher Spec, Encrypted Handshake Message 7984 99 20 6.255869 CLIENT_IP -> SERVER_IP TCP [TCP Dup ACK 12#4] 49168 > urd [ACK] Seq=304 Ack=2756 Win=66180 Len=0 SLE=1597629342 SRE=1597629401 66180 52 21 12.686644 SERVER_IP -> CLIENT_IP TLSv1 [TCP Retransmission] Change Cipher Spec, Encrypted Handshake Message 7984 99 22 12.687330 CLIENT_IP -> SERVER_IP TCP [TCP Dup ACK 12#5] 49168 > urd [ACK] Seq=304 Ack=2756 Win=66180 Len=0 SLE=1597629342 SRE=1597629401 66180 52 23 25.548536 SERVER_IP -> CLIENT_IP TLSv1 [TCP Retransmission] Change Cipher Spec, Encrypted Handshake Message 7984 99 24 25.549373 CLIENT_IP -> SERVER_IP TCP [TCP Dup ACK 12#6] 49168 > urd [ACK] Seq=304 Ack=2756 Win=66180 Len=0 SLE=1597629342 SRE=1597629401 66180 52 25 29.280023 CLIENT_IP -> SERVER_IP TLSv1 Encrypted Alert 66180 77 26 29.280040 SERVER_IP -> CLIENT_IP TLSv1 Application Data 7984 157 27 29.280109 CLIENT_IP -> SERVER_IP TCP 49168 > urd [FIN, ACK] Seq=341 Ack=2756 Win=66180 Len=0 66180 40 28 29.280147 SERVER_IP -> CLIENT_IP TCP urd > 49168 [FIN, ACK] Seq=2873 Ack=342 Win=7984 Len=0 7984 40 29 29.280582 CLIENT_IP -> SERVER_IP TCP 49168 > urd [RST, ACK] Seq=342 Ack=2873 Win=0 Len=0 0 40
They seem to get into a retransmit loop right after the client sends the Change Cipher Spec message. If I'm running OpenSSL on the windows box and using s_client with -connect, I can make it punch through by hitting a carriage return. Anyone seen anything similar? cc -- Chris Chen <[email protected]> UNIX Systems Administrator Office of Information Technologies Portland State University _______________________________________________ Please read the documentation before posting - it's available at: http://www.linuxvirtualserver.org/ LinuxVirtualServer.org mailing list - [email protected] Send requests to [email protected] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
