Я столкнулся с проблемой во время рукопожатия с клиентом:TLS соединение - сообщение неожиданной
Как вы можете видеть, клиент reveives неожиданного сообщения так заканчивается сообщение. Похоже, сервер пытается возобновить сеанс, используя стратегию сеанса билета, и клиенту это не нравится. Взглянув на документацию RFC 5077, сообщение с сервера с помощью NewSessionTicket должно быть отправлено, когда клиент поддерживает это функционально (через расширение SessionTicket) и отправляет билет.
Проблема заключается в том, что клиент отправляет (в приветственном письме клиента) пустое расширение сеанса билета, без билета. Посмотрите на сообщение «клиент привет»:
Там нет билетов. Итак, почему сервер отвечает новым билетом? В соответствии с Doc:
Когда клиент желает возобновить сеанс, он включает в себя билет в расширении SessionTicket в сервере ClientHello messageThe затем расшифровывает полученный билет, проверяет действительность билета, извлекает состояние сеанса от содержание билета, и использует это состояние, чтобы возобновить сеанс
на стороне сервера у нас есть Apache версия 2.2.15 и как, Session возобновление (кэширование) и Session возобновление (билеты), активируется. Что касается клиентской стороны, у меня мало информации, я пытаюсь ее собрать.
Более того, такая ситуация не всегда. В том же сценарии также есть случаи, когда сервер отвечает правильно (полное рукопожатие) и случаи, когда клиент отправляет билет, и сервер в любом случае отвечает полным рукопожатием.
У меня такое ощущение, что ошибка имеет какое-то отношение к клиенту, но на данный момент похоже, что проблемы на стороне сервера, как ошибка в Apache o что-то подобное.
EDITED
Hello Client
No. Time Source Destination Protocol Length Info
1378 132.627955 XX.XXX.138.11 YY.YY.2.200 TLSv1 180 Client Hello
Frame 1378: 180 bytes on wire (1440 bits), 180 bytes captured (1440 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May 6, 2015 11:13:51.817868000 Hora de verano romance
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1430903631.817868000 seconds
[Time delta from previous captured frame: 0.000212000 seconds]
[Time delta from previous displayed frame: 0.000212000 seconds]
[Time since reference or first frame: 132.627955000 seconds]
Frame Number: 1378
Frame Length: 180 bytes (1440 bits)
Capture Length: 180 bytes (1440 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: 10:11:11:11:11:11 (10:11:11:11:11:11), Dst: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
Destination: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
Address: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 10:11:11:11:11:11 (10:11:11:11:11:11)
Address: 10:11:11:11:11:11 (10:11:11:11:11:11)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: XX.XXX.138.11 (XX.XXX.138.11), Dst: YY.YY.2.200 (YY.YY.2.200)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 166
Identification: 0x2af6 (10998)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 54
Protocol: TCP (6)
Header checksum: 0x77eb [validation disabled]
[Good: False]
[Bad: False]
Source: XX.XXX.138.11 (XX.XXX.138.11)
Destination: YY.YY.2.200 (YY.YY.2.200)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 35413 (35413), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 126
Source Port: 35413 (35413)
Destination Port: 443 (443)
[Stream index: 5]
[TCP Segment Len: 126]
Sequence number: 1 (relative sequence number)
[Next sequence number: 127 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Header Length: 20 bytes
.... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 49680
[Calculated window size: 49680]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x9d55 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.010337000 seconds]
[Bytes in flight: 126]
Secure Sockets Layer
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 121
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 117
Version: TLS 1.0 (0x0301)
Random
GMT Unix Time: May 6, 2015 11:13:53.000000000 Hora de verano romance
Random Bytes: 0a2aeead9ad4fcc71cedea83f57456f1383edd09f9ff3217...
Session ID Length: 32
Session ID: eb32d8d516eed625fa6b57d983bfb2f807db851a047093ac...
Cipher Suites Length: 40
Cipher Suites (20 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 4
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
Здравствуйте сервера
No. Time Source Destination Protocol Length Info
1380 132.629663 YY.YY.2.200 XX.XXX.138.11 TLSv1 398 Server Hello, New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
Frame 1380: 398 bytes on wire (3184 bits), 398 bytes captured (3184 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May 6, 2015 11:13:51.819576000 Hora de verano romance
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1430903631.819576000 seconds
[Time delta from previous captured frame: 0.001648000 seconds]
[Time delta from previous displayed frame: 0.001648000 seconds]
[Time since reference or first frame: 132.629663000 seconds]
Frame Number: 1380
Frame Length: 398 bytes (3184 bits)
Capture Length: 398 bytes (3184 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4), Dst: 10:11:11:11:11:11 (10:11:11:11:11:11)
Destination: 10:11:11:11:11:11 (10:11:11:11:11:11)
Address: 10:11:11:11:11:11 (10:11:11:11:11:11)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
Address: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: YY.YY.2.200 (YY.YY.2.200), Dst: XX.XXX.138.11 (XX.XXX.138.11)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 384
Identification: 0xce71 (52849)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: TCP (6)
Header checksum: 0x0a95 [validation disabled]
[Good: False]
[Bad: False]
Source: YY.YY.2.200 (YY.YY.2.200)
Destination: XX.XXX.138.11 (XX.XXX.138.11)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 443 (443), Dst Port: 35413 (35413), Seq: 1, Ack: 127, Len: 344
Source Port: 443 (443)
Destination Port: 35413 (35413)
[Stream index: 5]
[TCP Segment Len: 344]
Sequence number: 1 (relative sequence number)
[Next sequence number: 345 (relative sequence number)]
Acknowledgment number: 127 (relative ack number)
Header Length: 20 bytes
.... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 4266
[Calculated window size: 4266]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x4889 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.010337000 seconds]
[Bytes in flight: 344]
Secure Sockets Layer
TLSv1 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 85
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 81
Version: TLS 1.0 (0x0301)
Random
GMT Unix Time: May 6, 2015 11:13:53.000000000 Hora de verano romance
Random Bytes: 8b392c52c3188f5a121594c0f176c09b579c2c4e4b7dedb5...
Session ID Length: 32
Session ID: eb32d8d516eed625fa6b57d983bfb2f807db851a047093ac...
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Compression Method: null (0)
Extensions Length: 9
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
TLSv1 Record Layer: Handshake Protocol: New Session Ticket
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 202
Handshake Protocol: New Session Ticket
Handshake Type: New Session Ticket (4)
Length: 198
TLS Session Ticket
Session Ticket Lifetime Hint: 0
Session Ticket Length: 192
Session Ticket: 21425f8c986d7fe5fea84e7ef3e8c8739c4427455c5fad73...
TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.0 (0x0301)
Length: 1
Change Cipher Spec Message
TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 36
Handshake Protocol: Encrypted Handshake Message
Неожиданное сообщение
No. Time Source Destination Protocol Length Info
1382 132.638728 XX.XXX.138.11 YY.YY.2.200 TLSv1 61 Alert (Level: Fatal, Description: Unexpected Message)
Frame 1382: 61 bytes on wire (488 bits), 61 bytes captured (488 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May 6, 2015 11:13:51.828641000 Hora de verano romance
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1430903631.828641000 seconds
[Time delta from previous captured frame: 0.000295000 seconds]
[Time delta from previous displayed frame: 0.000295000 seconds]
[Time since reference or first frame: 132.638728000 seconds]
Frame Number: 1382
Frame Length: 61 bytes (488 bits)
Capture Length: 61 bytes (488 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: 10:11:11:11:11:11 (10:11:11:11:11:11), Dst: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
Destination: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
Address: F5Networ_6e:9f:c4 (00:23:e9:6e:9f:c4)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 10:11:11:11:11:11 (10:11:11:11:11:11)
Address: 10:11:11:11:11:11 (10:11:11:11:11:11)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: XX.XXX.138.11 (XX.XXX.138.11), Dst: YY.YY.2.200 (YY.YY.2.200)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 47
Identification: 0x2af8 (11000)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 54
Protocol: TCP (6)
Header checksum: 0x7860 [validation disabled]
[Good: False]
[Bad: False]
Source: XX.XXX.138.11 (XX.XXX.138.11)
Destination: YY.YY.2.200 (YY.YY.2.200)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 35413 (35413), Dst Port: 443 (443), Seq: 127, Ack: 345, Len: 7
Source Port: 35413 (35413)
Destination Port: 443 (443)
[Stream index: 5]
[TCP Segment Len: 7]
Sequence number: 127 (relative sequence number)
[Next sequence number: 134 (relative sequence number)]
Acknowledgment number: 345 (relative ack number)
Header Length: 20 bytes
.... 0000 0001 1000 = Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 49680
[Calculated window size: 49680]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x5f13 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.010337000 seconds]
[Bytes in flight: 7]
Secure Sockets Layer
TLSv1 Record Layer: Alert (Level: Fatal, Description: Unexpected Message)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Unexpected Message (10)
Спасибо заранее.
Поскольку клиенту не нравится ответ с сервера, может оказаться более полезным увидеть (полный) ответ с сервера.Еще лучше будет пакетный захват соединения. –
@SteffenUllrich Вы можете найти запрос на ответ. Спасибо – jddsantaella