Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to track down "Connection timout during SSL handshake" and "Connection closed during ssl handshake" errors

Tags:

ssl

haproxy

I have recently switched over to HAProxy from AWS ELB. I am terminating SSL at the load balancer (HAProxy 1.5dev19).

Since switching, I keep getting some SSL connection errors in the HAProxy log (5-10% of the total number of requests). There's three types of errors repeating: Connection closed during SSL handshake Timeout during SSL handshake SSL handshake failure (this one happens rarely)

I'm using a free StartSSL certificate, so my first thought was that some hosts are having trouble accepting this certificate, and I didn't see these errors in the past because ELB offers no logging. The only issue is that some hosts have do have successful connections eventually.

I can connect to the servers without any errors, so I'm not sure how to replicate these errors on my end.

like image 672
andreimarinescu Avatar asked Jul 07 '13 12:07

andreimarinescu

2 Answers

This sounds like clients who are going away mid-handshake (TCP RST or timeout). This would be normal at some rate, but 5-10% sounds too high. It's possible it's a certificate issue; I'm not certain exactly how that presents to

Things that occur to me:

  • If negotiation is very slow, you'll have more clients drop off.
  • You may have underlying TCP problems which you weren't aware of until your new SSL endpoint proxy started reporting them.

Do you see individual hosts that sometimes succeed and sometimes fail? If so, this is unlikely to be a certificate issue. I'm not sure how connections get torn down when a user rejects an untrusted certificate.

You can use Wireshark on the HAProxy machine to capture SSL handshakes and parse them (you won't need to decrypt the sessions for handshake analysis, although you could since you have the server private key).

like image 138
Tim Dierks Avatar answered Sep 19 '22 13:09

Tim Dierks

I had this happen as well. The following appeared first SSL handshake failure then after switching off option dontlognull we also got Timeout during SSL handshake in the haproxy logs.

At first, I made sure all the defaults timeouts were correct.

timeout connect 30s
timeout client  30s
timeout server  60s

Unfortunately, the issue was in the frontend section

There was a line with timeout client 60 which I only assume means 60ms instead of 60s.

It seems certain clients were slow to connect and were getting kicked out during the SSL handshake. Check your frontend for client timeouts.

like image 38
adnans Avatar answered Sep 20 '22 13:09

adnans
Sign in to Comment

Related questions

How to configure Yii Framework to use HTTPS?
https with ECDHE-ECDSA-AES256-GCM-SHA384 in windows 2012
Why is appcmd.exe unlock config not working on Azure emulator?
Boost, asio, https, and host/certificate verifcation
iOS Push notification sending error
MongoDB: Error parsing command line: unrecognised option '--sslMode'
GKE - How to serve HTTPS via the L7 load balancer?
creating valid test SSL certificates for IIS
How to programmatically create a Certificate Signing Request (CSR)?
Generation of private key using des3 gets stuck
socat - how to listen on non-ssl TCP and forward to ssl TCP endpoint?
Forward HTTPS traffic thru Nginx without SSL certificate
OpenSSL SSL_read Failure (error:00000005:lib(0):func(0):DH lib)
Best SSL certificates provider? [closed]
SSL session persistence and secure cookies
Can Java connect to wildcard ssl
Spring Security: requires-channel="https" behind SSL accelerator
What is boost::asio::ssl::context::load_verify_file and how to work with it?
Secure ASP.NET MVC application with SSL and client certificate authentication
KeyUsage does not allow digital signatures

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!