How to track "Connection timeout during SSL connection establishment" and "Connection closed when trying to acknowledge ssl"

I recently switched to HAProxy from AWS ELB. I am completing SSL on a load balancer (HAProxy 1.5dev19).

Since switching, I continue to receive SSL connection errors in the HAProxy log (5-10% of the total number of requests). Three types of errors are repeated there:

  • Connection closed during SSL connection establishment
  • Timeout during SSL connection establishment
  • SSL connection establishment error (this rarely happens)

I use the free StartSSL certificate, so I thought that some hosts could not accept this certificate, and I did not see these errors in the past because ELB does not offer any protocols. The only problem is that some hosts have successful connections after all.

I can connect to the servers without any errors, so I'm not sure how to replicate these errors at my end.

+7
ssl haproxy
3 answers

It sounds like clients are leaving in the middle of a handshake (TCP RST or timeout). That would be normal, but 5-10% sounds too high. Perhaps this is a problem with the certificate; I'm not sure exactly what this represents.

Things that happen to me:

  • If negotiations are very slow, you will have more customers.
  • You may have problems with TCP that you did not know about until your new SSL endpoint proxy starts reporting them.

Do you see individual hosts that sometimes succeed and sometimes fail? If so, this is unlikely to be a certificate issue. I'm not sure how connections break when a user refuses an untrusted certificate.

You can use Wireshark on a HAProxy machine to capture SSL handshakes and analyze them (you do not need to decrypt the sessions to analyze handshakes, although you can, since you have the server's private key).

+8

I did it too. First, the following SSL handshake failure; after disabling option dontlognull we also got a Timeout during SSL handshake in haproxy logs.

At first I made sure that all defaults timeouts are correct.

    timeout connect 30s
    timeout client 30s
    timeout server 60s

Unfortunately, the problem was in the frontend section

There was a line with timeout client 60, which I assume is only 60ms instead of 60s.

It seems that some clients slowly connected and failed during the establishment of the SSL connection. Test your interface while waiting for a client.

+1
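As an added example (not code from the answer above): a small Python checker that walks a HAProxy config, converts every timeout to milliseconds the way HAProxy does (a bare number is taken as milliseconds) and reports values that lack a unit or are very short, including ones in a frontend section that silently override defaults. The sample config is constructed here to reproduce the "timeout client 60" mistake described in the answer; section names, the 5 s threshold and the file layout are my own assumptions.

```python
"""Audit HAProxy timeout directives for missing units or very short values.

HAProxy reads a bare number in a timeout directive as milliseconds, so
"timeout client 60" means 60 ms, not 60 s. Clients that are slow to finish
the TLS handshake then show up as "Timeout during SSL handshake".
"""
import re

# Unit multipliers HAProxy accepts, expressed as milliseconds per unit.
UNITS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}

# "timeout <name> <number><unit>" after comments have been stripped.
_TIMEOUT_RE = re.compile(r"^timeout\s+([\w-]+)\s+(\d+)([a-z]*)$")


def parse_timeout(value: str) -> int:
    """Convert a HAProxy timeout literal ('30s', '500ms', '60') to milliseconds."""
    m = re.fullmatch(r"(\d+)([a-z]*)", value.strip())
    if not m:
        raise ValueError(f"not a timeout value: {value!r}")
    num, unit = int(m.group(1)), m.group(2)
    if unit == "":
        return num  # bare number: HAProxy interprets it as milliseconds
    if unit not in UNITS:
        raise ValueError(f"unknown unit {unit!r} in {value!r}")
    return int(num * UNITS[unit])


def audit_timeouts(cfg: str, min_ms: int = 5000) -> list:
    """Return (section, name, literal, milliseconds, reason) for suspicious timeouts."""
    findings = []
    section = "<none>"
    for line in cfg.splitlines():
        stripped = line.split("#", 1)[0].strip()  # drop trailing comments
        if not stripped:
            continue
        if stripped.split()[0] in ("global", "defaults", "frontend", "backend", "listen"):
            section = stripped  # remember which section later directives belong to
            continue
        m = _TIMEOUT_RE.match(stripped)
        if not m:
            continue
        name, literal = m.group(1), m.group(2) + m.group(3)
        ms = parse_timeout(literal)
        if m.group(3) == "":
            findings.append((section, name, literal, ms, "no unit (read as milliseconds)"))
        elif ms < min_ms:
            findings.append((section, name, literal, ms, f"shorter than {min_ms} ms"))
    return findings


# Constructed sample config (assumed layout): defaults are fine, the frontend is not.
SAMPLE_CFG = """
defaults
    timeout connect 30s
    timeout client 30s
    timeout server 60s

frontend https-in
    bind :443 ssl crt /etc/haproxy/ssl/example.pem
    timeout client 60        # intended 60s, actually 60 ms
    default_backend app
"""

if __name__ == "__main__":
    for section, name, literal, ms, reason in audit_timeouts(SAMPLE_CFG):
        print(f"{section}: timeout {name} {literal} = {ms} ms ({reason})")
```

Run it against your real haproxy.cfg by reading the file into `audit_timeouts`; any finding in a frontend or listen section is worth checking first, because it overrides whatever the defaults section says.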

How is your haproxy ssl interface configured?

For example, to mitigate BEAST attacks, use the following:

    bind XXXX:443 ssl crt /etc/haproxy/ssl/XXXX.pem no-sslv3 ciphers RC4-SHA:AES128-SHA:AES256-SHA

But some clients seem to generate the same "SSL connection failure" errors. I think because the configuration is too restrictive.

0
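As an added illustration that is not part of this thread: a small Python parser for a TLS ClientHello record, plus a check of the client's offered cipher suites against a HAProxy ciphers string such as the one in the answer above. It serves both the Wireshark suggestion in the first answer and the "configuration is too restrictive" theory in the last: once you have the ClientHello bytes from a capture, you can see whether the client and the bind line share any suite at all, which is the usual cause of an immediate handshake failure. The cipher-name table is a subset I chose, the ClientHello is constructed rather than captured, and the check only understands explicit suite names (OpenSSL group keywords such as HIGH are not expanded).

```python
"""Parse a TLS ClientHello and compare its cipher suites with a HAProxy ciphers string."""
import struct

# IANA cipher-suite codes mapped to OpenSSL names (illustrative subset, my own table).
SUITE_NAMES = {
    0x0005: "RC4-SHA",
    0x000A: "DES-CBC3-SHA",
    0x002F: "AES128-SHA",
    0x0035: "AES256-SHA",
    0x003C: "AES128-SHA256",
    0x009C: "AES128-GCM-SHA256",
    0xC013: "ECDHE-RSA-AES128-SHA",
    0xC014: "ECDHE-RSA-AES256-SHA",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def build_client_hello(version: int, suites: list) -> bytes:
    """Construct a minimal ClientHello record (test input, not a real capture)."""
    body = struct.pack("!H", version) + bytes(32)          # client_version + zeroed random
    body += b"\x00"                                         # empty session_id
    body += struct.pack("!H", 2 * len(suites))              # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                     # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record: bytes) -> dict:
    """Return the client's advertised version and cipher-suite codes from a TLS record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                            # skip client_random
    sid_len = body[pos]
    pos += 1 + sid_len                                      # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": VERSION_NAMES.get(version, hex(version)), "suites": suites}


def shared_suites(client_suites: list, server_cipher_list: str) -> list:
    """Names the client offered that also appear in the bind line's ciphers string."""
    server = set(server_cipher_list.split(":"))
    return [SUITE_NAMES[s] for s in client_suites if SUITE_NAMES.get(s) in server]


if __name__ == "__main__":
    # The restrictive list from the answer above versus a client offering only ECDHE suites.
    server_ciphers = "RC4-SHA:AES128-SHA:AES256-SHA"
    hello = build_client_hello(0x0303, [0xC02F, 0xC030, 0xC013])
    info = parse_client_hello(hello)
    common = shared_suites(info["suites"], server_ciphers)
    print(info["version"], [hex(s) for s in info["suites"]])
    print("shared suites:", common or "none -> expect an SSL handshake failure")
```

With a real capture, export the first client record of a failing connection from Wireshark as raw bytes and feed it to `parse_client_hello`; an empty result from `shared_suites` means the bind line's ciphers list is the reason for that client's failure, which is a different problem from the timeouts discussed in the other answers.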
