Flaky intermediate CA not being served up on the failed handshakes.
From: Steve Gallivan
Sent: Monday, June 01, 2009 5:51 PM
To: openssl-users@openssl.org
Subject: SSL Handshake question
Hello,
I apologize if this is an obvious NOOB question - my Google-Fu is not up to
snuff on this one:
We're running OpenSSL 0.9.8j 07 Jan 2009 and Server version: Apache/2.0.63 on
a Sunfire 280R running Solaris 9.
Clients are having intermittent problems successfully completing the SSL
Handshake.
Running a trace on the wire revealed that the successful handshakes looked like
this:
Client -> Server: Client Hello
Server -> Client: Server Hello
Server -> Client: Certificate
Client -> Server: Client Key Exchange
And so on, all good.
On the failures the exchange looks like this:
Client -> Server: Client Hello
Server -> Client: Server Hello, Certificate, Server Hello Done
Client -> Server: Fatal, Description: Certificate Unknown
In running repeated tests using a Java test client, we have many successful
handshakes (we close the socket after each one) and then we'll hit a series
of several failed ones, say 4-10 in a row, then it's all good again.
I'm trying to understand why the server would answer some requests with a
"Server Hello, Certificate, Server Hello Done" all wrapped up in one packet
(the ones that are failing), where most of the time it splits that out over
several packets. The test "Client Hello" requests seem identical.
Any insights would be much appreciated.
Thanks,
Steve
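A way to confirm the diagnosis in the thread summary (intermediate CA missing from the Certificate message on some handshakes), as an added example that is not part of the original mail: it repeats `openssl s_client -showcerts` handshakes and flags attempts whose served chain is shorter than expected. It assumes the classic s_client "Certificate chain" / "Verify return code" output layout, and the host name and chain depth are placeholders to be filled in.

```python
"""Sample repeated TLS handshakes and flag those served without the intermediate CA."""
import re
import subprocess
import sys

# s_client prints one " N s:<subject>" line per certificate the server sent.
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$", re.MULTILINE)
VERIFY_CODE = re.compile(r"Verify return code: (\d+) \((.*)\)")

# Constructed sample outputs (not captured from a real server) for offline checks.
GOOD_OUTPUT = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.com
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
---
    Verify return code: 0 (ok)
"""
BAD_OUTPUT = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.com
   i:/CN=Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""

def chain_summary(s_client_output):
    """Return (number of certs served, verify return code or None)."""
    depth = len(CHAIN_ENTRY.findall(s_client_output))
    m = VERIFY_CODE.search(s_client_output)
    return depth, (int(m.group(1)) if m else None)

def missing_intermediate(s_client_output, expected_depth=2):
    """True when the server sent fewer certificates than the full chain needs."""
    return chain_summary(s_client_output)[0] < expected_depth

def run_s_client(host, port=443):
    """Perform one handshake with OpenSSL's s_client and return its text output."""
    proc = subprocess.run(["openssl", "s_client", "-showcerts", "-connect",
                           f"{host}:{port}"], input=b"", capture_output=True, timeout=20)
    return proc.stdout.decode(errors="replace")

def sample(host, attempts=50, expected_depth=2):
    """Return the attempt numbers that came back without the intermediate."""
    return [i for i in range(attempts)
            if missing_intermediate(run_s_client(host), expected_depth)]

if __name__ == "__main__":  # hypothetical usage: python check_chain.py www.example.com
    print(sample(sys.argv[1]))
```

A run that reports a non-empty list of bad attempts, against a server whose chain should always be served whole, reproduces the intermittent "Certificate Unknown" seen on the wire.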