SSL gurus! This one is for you. Please Help

Need some analysis from an SSL guru. Have SSL configured with valid certificate on port 443. Issues with 99% of HTTP clients trying to connect to the server using SSL. Ran Wireshark trace. Info below. Seems to handshake and then stops shortly after.

Server IP 192.168.1.105

Client browser IP 192.168.0.102

No. Time Source Destination Protocol Info

  1 0.000000    Intel_da:92:43        Broadcast             ARP      Who has 192.168.0.55?  Tell 192.168.0.102

Frame 1 (42 bytes on wire, 42 bytes captured)

Ethernet II, Src: Intel_da:92:43 (00:0e:0c:da:92:43), Dst: Broadcast (ff:ff:ff:ff:ff:ff)

Address Resolution Protocol (request)

No. Time Source Destination Protocol Info

  2 0.002555    Cisco_29:4d:20        Intel_da:92:43        ARP      192.168.0.55 is at 00:1a:2f:29:4d:20

Frame 2 (60 bytes on wire, 60 bytes captured)

Ethernet II, Src: Cisco_29:4d:20 (00:1a:2f:29:4d:20), Dst: Intel_da:92:43 (00:0e:0c:da:92:43)

Address Resolution Protocol (reply)

No. Time Source Destination Protocol Info

  3 0.002577    192.168.0.102         192.168.1.105         TCP      wafs > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 3 (62 bytes on wire, 62 bytes captured)

Ethernet II, Src: Intel_da:92:43 (00:0e:0c:da:92:43), Dst: Cisco_29:4d:20 (00:1a:2f:29:4d:20)

Internet Protocol, Src: 192.168.0.102 (192.168.0.102), Dst: 192.168.1.105 (192.168.1.105)

Transmission Control Protocol, Src Port: wafs (4049), Dst Port: https (443), Seq: 0, Len: 0

Source port: wafs (4049)

Destination port: https (443)

[Stream index: 0]

Sequence number: 0    (relative sequence number)

Header length: 28 bytes

Flags: 0x02 (SYN)

Window size: 65535

Checksum: 0x9222 [validation disabled]

Options: (8 bytes)

No. Time Source Destination Protocol Info

  4 0.004550    192.168.1.105         192.168.0.102         TCP      https > wafs [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460

Frame 4 (62 bytes on wire, 62 bytes captured)

Ethernet II, Src: Cisco_29:4d:20 (00:1a:2f:29:4d:20), Dst: Intel_da:92:43 (00:0e:0c:da:92:43)

Internet Protocol, Src: 192.168.1.105 (192.168.1.105), Dst: 192.168.0.102 (192.168.0.102)

Transmission Control Protocol, Src Port: https (443), Dst Port: wafs (4049), Seq: 0, Ack: 1, Len: 0

Source port: https (443)

Destination port: wafs (4049)

[Stream index: 0]

Sequence number: 0    (relative sequence number)

Acknowledgement number: 1    (relative ack number)

Header length: 28 bytes

Flags: 0x12 (SYN, ACK)

Window size: 16384

Checksum: 0x2a16 [validation disabled]

Options: (8 bytes)

[SEQ/ACK analysis]

No. Time Source Destination Protocol Info

  5 0.004602    192.168.0.102         192.168.1.105         TCP      wafs > https [ACK] Seq=1 Ack=1 Win=65535 Len=0

Frame 5 (54 bytes on wire, 54 bytes captured)

Ethernet II, Src: Intel_da:92:43 (00:0e:0c:da:92:43), Dst: Cisco_29:4d:20 (00:1a:2f:29:4d:20)

Internet Protocol, Src: 192.168.0.102 (192.168.0.102), Dst: 192.168.1.105 (192.168.1.105)

Transmission Control Protocol, Src Port: wafs (4049), Dst Port: https (443), Seq: 1, Ack: 1, Len: 0

Source port: wafs (4049)

Destination port: https (443)

[Stream index: 0]

Sequence number: 1    (relative sequence number)

Acknowledgement number: 1    (relative ack number)

Header length: 20 bytes

Flags: 0x10 (ACK)

Window size: 65535

Checksum: 0x833a [validation disabled]

[SEQ/ACK analysis]

No. Time Source Destination Protocol Info

  6 0.005521    192.168.0.102         192.168.1.105         SSLv3    Client Hello

Frame 6 (140 bytes on wire, 140 bytes captured)

Ethernet II, Src: Intel_da:92:43 (00:0e:0c:da:92:43), Dst: Cisco_29:4d:20 (00:1a:2f:29:4d:20)

Internet Protocol, Src: 192.168.0.102 (192.168.0.102), Dst: 192.168.1.105 (192.168.1.105)

Transmission Control Protocol, Src Port: wafs (4049), Dst Port: https (443), Seq: 1, Ack: 1, Len: 86

Source port: wafs (4049)

Destination port: https (443)

[Stream index: 0]

Sequence number: 1    (relative sequence number)

[Next sequence number: 87    (relative sequence number)]

Acknowledgement number: 1    (relative ack number)

Header length: 20 bytes

Flags: 0x18 (PSH, ACK)

Window size: 65535

Checksum: 0x8390 [validation disabled]

[SEQ/ACK analysis]

Secure Socket Layer

SSLv3 Record Layer: Handshake Protocol: Client Hello

    Content Type: Handshake (22)

    Version: SSL 3.0 (0x0300)

    Length: 81

    Handshake Protocol: Client Hello

No. Time Source Destination Protocol Info

  7 0.016759    192.168.1.105         192.168.0.102         SSLv3    Server Hello

Frame 7 (117 bytes on wire, 117 bytes captured)

Ethernet II, Src: Cisco_29:4d:20 (00:1a:2f:29:4d:20), Dst: Intel_da:92:43 (00:0e:0c:da:92:43)

Internet Protocol, Src: 192.168.1.105 (192.168.1.105), Dst: 192.168.0.102 (192.168.0.102)

Transmission Control Protocol, Src Port: https (443), Dst Port: wafs (4049), Seq: 1, Ack: 87, Len: 63

Source port: https (443)

Destination port: wafs (4049)

[Stream index: 0]

Sequence number: 1    (relative sequence number)

[Next sequence number: 64    (relative sequence number)]

Acknowledgement number: 87    (relative ack number)

Header length: 20 bytes

Flags: 0x18 (PSH, ACK)

Window size: 65449

Checksum: 0xc2f1 [validation disabled]

[SEQ/ACK analysis]

Secure Socket Layer

SSLv3 Record Layer: Handshake Protocol: Server Hello

    Content Type: Handshake (22)

    Version: SSL 3.0 (0x0300)

    Length: 58

    Handshake Protocol: Server Hello

No. Time Source Destination Protocol Info

  8 0.017161    192.168.1.105         192.168.0.102         SSLv3    Change Cipher Spec

Frame 8 (60 bytes on wire, 60 bytes captured)

Ethernet II, Src: Cisco_29:4d:20 (00:1a:2f:29:4d:20), Dst: Intel_da:92:43 (00:0e:0c:da:92:43)

Internet Protocol, Src: 192.168.1.105 (192.168.1.105), Dst: 192.168.0.102 (192.168.0.102)

Transmission Control Protocol, Src Port: https (443), Dst Port: wafs (4049), Seq: 64, Ack: 87, Len: 6

Source port: https (443)

Destination port: wafs (4049)

[Stream index: 0]

Sequence number: 64    (relative sequence number)

[Next sequence number: 70    (relative sequence number)]

Acknowledgement number: 87    (relative ack number)

Header length: 20 bytes

Flags: 0x18 (PSH, ACK)

Window size: 65449

Checksum: 0x8189 [validation disabled]

[SEQ/ACK analysis]

Secure Socket Layer

SSLv3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec

    Content Type: Change Cipher Spec (20)

    Version: SSL 3.0 (0x0300)

    Length: 1

    Change Cipher Spec Message

No. Time Source Destination Protocol Info

  9 0.017192    192.168.0.102         192.168.1.105         TCP      wafs > https [ACK] Seq=87 Ack=70 Win=65466 Len=0

Frame 9 (54 bytes on wire, 54 bytes captured)

Ethernet II, Src: Intel_da:92:43 (00:0e:0c:da:92:43), Dst: Cisco_29:4d:20 (00:1a:2f:29:4d:20)

Internet Protocol, Src: 192.168.0.102 (192.168.0.102), Dst: 192.168.1.105 (192.168.1.105)

Transmission Control Protocol, Src Port: wafs (4049), Dst Port: https (443), Seq: 87, Ack: 70, Len: 0

Source port: wafs (4049)

Destination port: https (443)

[Stream index: 0]

Sequence number: 87    (relative sequence number)

Acknowledgement number: 70    (relative ack number)

Header length: 20 bytes

Flags: 0x10 (ACK)

Window size: 65466

Checksum: 0x833a [validation disabled]

[SEQ/ACK analysis]

No. Time Source Destination Protocol Info

 10 0.017655    192.168.1.105         192.168.0.102         SSLv3    Encrypted Handshake Message

Frame 10 (115 bytes on wire, 115 bytes captured)

Ethernet II, Src: Cisco_29:4d:20 (00:1a:2f:29:4d:20), Dst: Intel_da:92:43 (00:0e:0c:da:92:43)

Internet Protocol, Src: 192.168.1.105 (192.168.1.105), Dst: 192.168.0.102 (192.168.0.102)

Transmission Control Protocol, Src Port: https (443), Dst Port: wafs (4049), Seq: 70, Ack: 87, Len: 61

Source port: https (443)

Destination port: wafs (4049)

[Stream index: 0]

Sequence number: 70    (relative sequence number)

[Next sequence number: 131    (relative sequence number)]

Acknowledgement number: 87    (relative ack number)

Header length: 20 bytes

Flags: 0x18 (PSH, ACK)

Window size: 65449

Checksum: 0xf9dc [validation disabled]

[SEQ/ACK analysis]

Secure Socket Layer

SSLv3 Record Layer: Handshake Protocol: Encrypted Handshake Message

    Content Type: Handshake (22)

    Version: SSL 3.0 (0x0300)

    Length: 56

    Handshake Protocol: Encrypted Handshake Message

No. Time Source Destination Protocol Info

 11 0.018682    192.168.0.102         192.168.1.105         SSLv3    Change Cipher Spec, Encrypted Handshake Message

Frame 11 (121 bytes on wire, 121 bytes captured)

Ethernet II, Src: Intel_da:92:43 (00:0e:0c:da:92:43), Dst: Cisco_29:4d:20 (00:1a:2f:29:4d:20)

Internet Protocol, Src: 192.168.0.102 (192.168.0.102), Dst: 192.168.1.105 (192.168.1.105)

Transmission Control Protocol, Src Port: wafs (4049), Dst Port: https (443), Seq: 87, Ack: 131, Len: 67

Source port: wafs (4049)

Destination port: https (443)

[Stream index: 0]

Sequence number: 87    (relative sequence number)

[Next sequence number: 154    (relative sequence number)]

Acknowledgement number: 131    (relative ack number)

Header length: 20 bytes

Flags: 0x18 (PSH, ACK)

Window size: 65405

Checksum: 0x837d [validation disabled]

[SEQ/ACK analysis]

Secure Socket Layer

SSLv3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec

    Content Type: Change Cipher Spec (20)

    Version: SSL 3.0 (0x0300)

    Length: 1

    Change Cipher Spec Message

SSLv3 Record Layer: Handshake Protocol: Encrypted Handshake Message

    Content Type: Handshake (22)

    Version: SSL 3.0 (0x0300)

    Length: 56

    Handshake Protocol: Encrypted Handshake Message

No. Time Source Destination Protocol Info

 12 0.019437    192.168.0.102         192.168.1.105         TCP      wafs > https [FIN, ACK] Seq=154 Ack=131 Win=65405 Len=0

Frame 12 (54 bytes on wire, 54 bytes captured)

Ethernet II, Src: Intel_da:92:43 (00:0e:0c:da:92:43), Dst: Cisco_29:4d:20 (00:1a:2f:29:4d:20)

Internet Protocol, Src: 192.168.0.102 (192.168.0.102), Dst: 192.168.1.105 (192.168.1.105)

Transmission Control Protocol, Src Port: wafs (4049), Dst Port: https (443), Seq: 154, Ack: 131, Len: 0

Source port: wafs (4049)

Destination port: https (443)

[Stream index: 0]

Sequence number: 154    (relative sequence number)

Acknowledgement number: 131    (relative ack number)

Header length: 20 bytes

Flags: 0x11 (FIN, ACK)

Window size: 65405

Checksum: 0x833a [validation disabled]

No. Time Source Destination Protocol Info

 13 0.020928    192.168.1.105         192.168.0.102         TCP      https > wafs [ACK] Seq=131 Ack=155 Win=65382 Len=0

Frame 13 (60 bytes on wire, 60 bytes captured)

Ethernet II, Src: Cisco_29:4d:20 (00:1a:2f:29:4d:20), Dst: Intel_da:92:43 (00:0e:0c:da:92:43)

Internet Protocol, Src: 192.168.1.105 (192.168.1.105), Dst: 192.168.0.102 (192.168.0.102)

Transmission Control Protocol, Src Port: https (443), Dst Port: wafs (4049), Seq: 131, Ack: 155, Len: 0

Source port: https (443)

Destination port: wafs (4049)

[Stream index: 0]

Sequence number: 131    (relative sequence number)

Acknowledgement number: 155    (relative ack number)

Header length: 20 bytes

Flags: 0x10 (ACK)

Window size: 65382

Checksum: 0x9657 [validation disabled]

[SEQ/ACK analysis]

No. Time Source Destination Protocol Info

 14 0.021243    192.168.1.105         192.168.0.102         TCP      https > wafs [FIN, ACK] Seq=131 Ack=155 Win=65382 Len=0

Frame 14 (60 bytes on wire, 60 bytes captured)

Ethernet II, Src: Cisco_29:4d:20 (00:1a:2f:29:4d:20), Dst: Intel_da:92:43 (00:0e:0c:da:92:43)

Internet Protocol, Src: 192.168.1.105 (192.168.1.105), Dst: 192.168.0.102 (192.168.0.102)

Transmission Control Protocol, Src Port: https (443), Dst Port: wafs (4049), Seq: 131, Ack: 155, Len: 0

Source port: https (443)

Destination port: wafs (4049)

[Stream index: 0]

Sequence number: 131    (relative sequence number)

Acknowledgement number: 155    (relative ack number)

Header length: 20 bytes

Flags: 0x11 (FIN, ACK)

Window size: 65382

Checksum: 0x9656 [validation disabled]

No. Time Source Destination Protocol Info

 15 0.021264    192.168.0.102         192.168.1.105         TCP      wafs > https [ACK] Seq=155 Ack=132 Win=65405 Len=0

Frame 15 (54 bytes on wire, 54 bytes captured)

Ethernet II, Src: Intel_da:92:43 (00:0e:0c:da:92:43), Dst: Cisco_29:4d:20 (00:1a:2f:29:4d:20)

Internet Protocol, Src: 192.168.0.102 (192.168.0.102), Dst: 192.168.1.105 (192.168.1.105)

Transmission Control Protocol, Src Port: wafs (4049), Dst Port: https (443), Seq: 155, Ack: 132, Len: 0

Source port: wafs (4049)

Destination port: https (443)

[Stream index: 0]

Sequence number: 155    (relative sequence number)

Acknowledgement number: 132    (relative ack number)

Header length: 20 bytes

Flags: 0x10 (ACK)

Window size: 65405

Checksum: 0x833a [validation disabled]

[SEQ/ACK analysis]
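
Added example (not part of the original post, and not IBM or Wireshark code): a small Python reader for the packet-list rows of a trace like the one above. It reports whether the server followed Server Hello directly with Change Cipher Spec (the abbreviated, session-resumption form of the handshake, in which no Certificate message is sent), which side sent the first FIN, and whether any Application Data record appears. The function names `parse_summary` and `analyze` are hypothetical; the sample rows are copied from frames 6-14 of the post.

```python
import re

# Packet-list rows copied from frames 6-14 of the trace in the post above.
TRACE = """\
  6 0.005521    192.168.0.102         192.168.1.105         SSLv3    Client Hello
  7 0.016759    192.168.1.105         192.168.0.102         SSLv3    Server Hello
  8 0.017161    192.168.1.105         192.168.0.102         SSLv3    Change Cipher Spec
  9 0.017192    192.168.0.102         192.168.1.105         TCP      wafs > https [ACK] Seq=87 Ack=70 Win=65466 Len=0
 10 0.017655    192.168.1.105         192.168.0.102         SSLv3    Encrypted Handshake Message
 11 0.018682    192.168.0.102         192.168.1.105         SSLv3    Change Cipher Spec, Encrypted Handshake Message
 12 0.019437    192.168.0.102         192.168.1.105         TCP      wafs > https [FIN, ACK] Seq=154 Ack=131 Win=65405 Len=0
 13 0.020928    192.168.1.105         192.168.0.102         TCP      https > wafs [ACK] Seq=131 Ack=155 Win=65382 Len=0
 14 0.021243    192.168.1.105         192.168.0.102         TCP      https > wafs [FIN, ACK] Seq=131 Ack=155 Win=65382 Len=0
"""

# No., Time, Source, Destination, Protocol, Info; detail lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def parse_summary(text):
    """Return (no, src, dst, proto, info) for every packet-list row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            no, _time, src, dst, proto, info = m.groups()
            rows.append((int(no), src, dst, proto, info.strip()))
    return rows

def analyze(rows, server_ip):
    """Classify the handshake shape and find which side closed first."""
    server_msgs, app_data, first_fin = [], False, None
    for _no, src, _dst, proto, info in rows:
        if proto.startswith(("SSL", "TLS")):
            msgs = [m.strip() for m in info.split(",")]
            app_data = app_data or "Application Data" in msgs
            if src == server_ip:
                server_msgs += msgs
        elif proto == "TCP" and first_fin is None:
            flags = re.search(r"\[([A-Z, ]+)\]", info)
            if flags and "FIN" in flags.group(1):
                first_fin = "server" if src == server_ip else "client"
    kind = "unknown"
    if "Server Hello" in server_msgs:
        after = server_msgs[server_msgs.index("Server Hello") + 1:]
        if "Certificate" in after:
            kind = "full"            # server presented its certificate
        elif after[:1] == ["Change Cipher Spec"]:
            kind = "abbreviated"     # resumed session: no Certificate on the wire
    return {"handshake": kind, "first_fin": first_fin, "app_data": app_data}

if __name__ == "__main__":
    print(analyze(parse_summary(TRACE), "192.168.1.105"))
```

Because an abbreviated handshake carries no Certificate message, a capture used to compare certificates needs a connection with no cached session, so that the full handshake appears on the wire.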

Subject: Forwarded to development

Security/rp/sr

Subject: fwd to development. Does this mean it is a known issue?

Subject: No - Fwd to dev means that I am asking someone from the dev team to review the post and see if it is a known issue or one that should be PMR’d/SPR’d

Subject: seems to be SSL certs created in Domino

Seems like the issue is related to SSL certs generated through Domino. There were no errors during creation of the SSL cert and it is recognized by the server!

3rd party certs have no issue, e.g. VeriSign etc.

Need a solution for this, IBM.