Hi, Nelson!

My comments are inline.

Nelson B. Bolyard wrote:
Alexey Kobozev wrote:

Hello, All!

I've got quite a strange problem connecting Mozilla through the HTTPS
protocol to my own web server. The server is written using RSA's SSLC
library, which is based on SSLeay (very similar to OpenSSL).

There are at least 3 possible explanations here, including:
1. A bug in mozilla
2. A bug in your web server, or
3. A bug in the tools used to try to analyze the network traffic.

At a minimum, we need to know the exact version of mozilla you are using.
1.0? 1.1? 1.2a? 1.2b?  A nightly build?  etc.
I've tested it with all the Mozilla releases from 1.0 to 1.2b.
Currently I'm using 1.2a

It would be most expeditious if we could try this ourselves by contacting
your server.  Is your server available on the Internet?  If so, please
send the URL, either here in this newsgroup, or email to me.  Unless we
can reproduce the problem, we're mostly just guessing what it might be.
Unfortunately, my server is running in the internal network and can't
be accessed from outside.

The description of this problem is as follows:
The first SSL/TLS handshake passes OK and Mozilla gets the first web
page perfectly. This page contains a frameset, and Mozilla is supposed to
request all the frames' HTML, but it opens a connection to the server and
doesn't send anything,

I wonder why it is opening a new connection to the server. It should
reuse the old connection. Does your server perhaps not implement HTTP
keep-alive? Or implement it incorrectly, saying that it does when it doesn't do keep-alive?
The server is quite simple and doesn't support keep-alive at all. In the
response, the server always sends a "Content-length" attribute, and Mozilla
honestly sends an SSL close alert after receiving the "Content-length"
octets.


the server waits for the timeout (30s) and closes the
connection. Then Mozilla opens another connection, and so on. Sometimes
the handshake passes again and the browser gets some document (frame source or
picture), but it happens rarely. It looks like it waits for something, but
if I'm sending something there, there is no reaction.

When Mozilla (the SSL/TLS client) connects to the server it MUST send the
ClientHello message in order to start the handshake, but that doesn't
happen; it just waits for something.

What tool are you using to analyze this stuff? Are you using traces from your server program? Are you using a program like tcpdump? Are you using a program like ssldump or ssltap?

I'd like to see the output of ssldump or ssltap on this phenomenon.
Of course I'm using my own logs, but there are no specific errors
or misunderstandings between the server and Mozilla. I've also used ssltap,
and I've attached the ssltap output here. There you can see the first
successful connection, with closure alerts at the end, and the next timed-out
connection.

As I understand it, all my explanations aren't sufficient, and if
this doesn't tell you anything, I'll try to make the simplest little server
using SSLC and send it to you.

Thanks.

D:\Development\Certificates>ssltap -s -x -l -p 1111 localhost:1431
Looking up "localhost"...
Proxy socket ready and listening
Connection #1 [Thu Oct 24 11:01:28 2002]
Connected to localhost:1431
--> [
alloclen = 54 bytes
(54 bytes of 54)
 [Thu Oct 24 11:01:28 2002] [ssl2]  ClientHelloV2 {
           version = {0x03, 0x00}
           cipher-specs-length = 27 (0x1b)
           sid-length = 0 (0x00)
           challenge-length = 16 (0x10)
           cipher-suites = {
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x00feff) ????/????????/?????????/???
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x00fefe) ????/????????/?????????/???
                (0x000009) SSL3/RSA/DES56-CBC/SHA
                (0x000064) TLS/RSA_EXPORT1024/RC4-56/SHA
                (0x000062) TLS/RSA_EXPORT1024/DES56_CBC/SHA
                (0x000003) SSL3/RSA/RC4-40/MD5
                (0x000006) SSL3/RSA/RC2CBC40/MD5
                }
           session-id = { }
           challenge = { 0xd8bd 0x152e 0xd54a 0x3794 0x0f90 0x847f 0x5c8c 0x735f
 }
}
]
<-- [
(1184 bytes of 42, with 1137 left over)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 16 03 00 00  2a                                   |....*
   type    = 22 (handshake)
   version = { 3,0 }
   length  = 42 (0x2a)
   handshake {
   0: 02 00 00 26                                      |...&
      type = 2 (server_hello)
      length = 38 (0x000026)
         ServerHello {
            server_version = {3, 0}
            random = {...}
   0: 00 00 00 00  3d b7 b6 e8  b8 3a 43 a4  dc 73 08 6a  | ....=....:C..s.j
  10: dd 35 cf 40  0b 6d 45 92  b8 f9 6e f6  9a 9c 75 1f  | .5.@.mE...n...u.
            session ID = {
                length = 0
                contents = {..}
            }
            cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
         }
   }
}
(1184 bytes of 1123, with 9 left over)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 16 03 00 04  63                                   |....c
   type    = 22 (handshake)
   version = { 3,0 }
   length  = 1123 (0x463)
   handshake {
   0: 0b 00 04 5f                                      |..._
      type = 11 (certificate)
      length = 1119 (0x00045f)
         CertificateChain {
            chainlength = 1116 (0x045c)
            Certificate {
               size = 565 (0x0235)
               data = { saved in file 'cert.001' }
            }
            Certificate {
               size = 545 (0x0221)
               data = { saved in file 'cert.002' }
            }
         }
   }
}
(1184 bytes of 4)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 16 03 00 00  04                                   |.....
   type    = 22 (handshake)
   version = { 3,0 }
   length  = 4 (0x4)
   handshake {
   0: 0e 00 00 00                                      |....
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(204 bytes of 132, with 67 left over)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 16 03 00 00  84                                   |.....
   type    = 22 (handshake)
   version = { 3,0 }
   length  = 132 (0x84)
   handshake {
   0: 10 00 00 80                                      |....
      type = 16 (client_key_exchange)
      length = 128 (0x000080)
         ClientKeyExchange {
            message = {...}
         }
   }
}
(204 bytes of 1, with 61 left over)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 14 03 00 00  01                                   |.....
   type    = 20 (change_cipher_spec)
   version = { 3,0 }
   length  = 1 (0x1)
   0: 01                                               |.
}
(204 bytes of 56)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 16 03 00 00  38                                   |....8
   type    = 22 (handshake)
   version = { 3,0 }
   length  = 56 (0x38)
            < encrypted >
}
]
<-- [
(67 bytes of 1, with 61 left over)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 14 03 00 00  01                                   |.....
   type    = 20 (change_cipher_spec)
   version = { 3,0 }
   length  = 1 (0x1)
   0: 01                                               |.
}
(67 bytes of 56)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 16 03 00 00  38                                   |....8
   type    = 22 (handshake)
   version = { 3,0 }
   length  = 56 (0x38)
            < encrypted >
}
]
--> [
(457 bytes of 452)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 17 03 00 01  c4                                   |.....
   type    = 23 (application_data)
   version = { 3,0 }
   length  = 452 (0x1c4)
            < encrypted >
}
]
<-- [
(106 bytes of 101)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 17 03 00 00  65                                   |....e
   type    = 23 (application_data)
   version = { 3,0 }
   length  = 101 (0x65)
            < encrypted >
}
]
<-- [
(1030 bytes of 1025)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 17 03 00 04  01                                   |.....
   type    = 23 (application_data)
   version = { 3,0 }
   length  = 1025 (0x401)
            < encrypted >
}
]
--> [
(23 bytes of 18)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 15 03 00 00  12                                   |.....
   type    = 21 (alert)
   version = { 3,0 }
   length  = 18 (0x12)
            < encrypted >
}
]
<-- [
(23 bytes of 18)
SSLRecord { [Thu Oct 24 11:01:28 2002]
   0: 15 03 00 00  12                                   |.....
   type    = 21 (alert)
   version = { 3,0 }
   length  = 18 (0x12)
            < encrypted >
}
]
Error -5961: TCP connection reset by peer.: Client socket read failed.
Connection 1 Complete [Thu Oct 24 11:01:28 2002]
Connection #2 [Thu Oct 24 11:01:28 2002]
Connected to localhost:1431
Read EOF on Server socket. [Thu Oct 24 11:01:35 2002]

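The ssltap trace above is a plain record-layer dump, and the record headers and lengths in it are enough to check the story without decrypting anything. What follows is an added example, not ssltap's code and not the poster's SSLC server: a small Python walker that parses an SSLv2-format ClientHello (the 2-byte header with the high bit set that ssltap labels ClientHelloV2) and the SSLv3 record headers, names each record the way the trace does, and turns the encrypted record lengths back into plaintext sizes under the negotiated SSL3/RSA/RC4-128/MD5 suite (RC4 is a stream cipher, so an encrypted record is the plaintext plus a 16-byte MD5 MAC and no padding: 56 bytes is a 4-byte handshake header plus the 36-byte SSLv3 Finished plus MAC, 18 bytes is a 2-byte alert plus MAC, and 132 bytes of ClientKeyExchange is a 4-byte header plus a 1024-bit RSA-encrypted premaster secret). The byte strings are constructed from the headers shown in the trace with zero-filled opaque bodies, and all function names are my own. Connection #2, where the client opens TCP and sends nothing, is the empty-stream case that `first_client_message` reports.

```python
"""Record-layer walker for the ssltap trace above (added example; not ssltap code)."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
MD5_MAC_LEN = 16  # negotiated suite is SSL3/RSA/RC4-128/MD5: stream cipher, MAC only, no padding


def parse_v2_client_hello(data):
    """Parse an SSLv2-format ClientHello: 2-byte header (high bit set), then msg type 1."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    msg_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + msg_len]
    if len(body) != msg_len or body[0] != 1:
        raise ValueError("truncated record or not a ClientHello")
    major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBHHH", body[1:9])
    cs = body[9:9 + cs_len]
    sid = body[9 + cs_len:9 + cs_len + sid_len]
    challenge = body[9 + cs_len + sid_len:9 + cs_len + sid_len + ch_len]
    if len(challenge) != ch_len or cs_len % 3:
        raise ValueError("inconsistent ClientHello lengths")
    suites = [int.from_bytes(cs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return {"version": (major, minor), "cipher_specs": suites,
            "session_id": sid, "challenge": challenge}


def parse_records(stream):
    """Split a byte stream into SSLv3 records: (content_type, version, body)."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((ctype, (major, minor), body))
        off += 5 + length
    return records


def describe(stream):
    """Label records as ssltap does; after ChangeCipherSpec the payloads are opaque."""
    out, encrypted = [], False
    for ctype, version, body in parse_records(stream):
        name = CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype)
        if ctype == 22 and not encrypted and body:
            name += "/" + HANDSHAKE_TYPES.get(body[0], "unknown(%d)" % body[0])
        elif encrypted:
            name += " <encrypted>"
        out.append((name, version, len(body)))
        if ctype == 20:
            encrypted = True
    return out


def plaintext_len(record_len):
    """Under RC4/MD5 an encrypted record is plaintext + 16-byte MAC and nothing else."""
    return record_len - MD5_MAC_LEN


def first_client_message(stream):
    """What the client sent first: an SSLv2-format hello, an SSLv3 record, or nothing."""
    if not stream:
        return "nothing"  # connection #2 in the trace: TCP open, no ClientHello ever sent
    if stream[0] & 0x80:
        return "ClientHelloV2"
    return describe(stream)[0][0]


# Constructed from the trace: the 54-byte ClientHelloV2 (version 3.0, nine cipher specs,
# the challenge printed by ssltap) and the client's second flight with zero-filled bodies.
CLIENT_HELLO_V2 = bytes.fromhex(
    "8034" "01" "0300" "001b" "0000" "0010"
    "000004" "00feff" "00000a" "00fefe" "000009" "000064" "000062" "000003" "000006"
    "d8bd152ed54a37940f90847f5c8c735f")
CLIENT_FLIGHT_2 = (bytes.fromhex("1603000084") + b"\x10\x00\x00\x80" + bytes(128)
                   + bytes.fromhex("1403000001") + b"\x01"
                   + bytes.fromhex("1603000038") + bytes(56))
CLOSE_ALERT = bytes.fromhex("1503000012") + bytes(18)

if __name__ == "__main__":
    print(parse_v2_client_hello(CLIENT_HELLO_V2))
    for name, version, length in describe(CLIENT_FLIGHT_2 + CLOSE_ALERT):
        print(name, version, length)
    print("finished plaintext:", plaintext_len(56), "alert plaintext:", plaintext_len(18))
    print("connection #2 client sent:", first_client_message(b""))
```

The lengths are the useful check here: if the server's and client's encrypted Finished records were not both 56 bytes, or the alert records not 18, the two sides would not agree on the cipher suite or the MAC, and that would show up in the trace before any HTTP data moved.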