SSL/TLS troubleshooting

Christian Schulte
Hello,

I am facing an issue accessing an SSL/TLS webserver from OpenBSD. I have
another box not running OpenBSD connected to the same router and that
box can connect to that server flawlessly. I already tried to
troubleshoot things with the administrator of that system without
success. Is there something I need to be aware of accessing SSL/TLS
(https) servers with OpenBSD? How can I capture information I can send
to the administrator of that system to help him/her find out what is
special about connections coming from OpenBSD?

Regards,
--
Christian

Re: SSL/TLS troubleshooting

Kai
On 10 December 2016 21:35:04 CET, Christian Schulte <[hidden email]> wrote:

>Hello,
>
>I am facing an issue accessing an SSL/TLS webserver from OpenBSD. I
>have
>another box not running OpenBSD connected to the same router and that
>box can connect to that server flawlessly. I already tried to
>troubleshoot things with the administrator of that system without
>success. Is there something I need to be aware of accessing SSL/TLS
>(https) servers with OpenBSD? How can I capture information I can send
>to the administrator of that system to help him/her find out what is
>special about connections coming from OpenBSD?
>
>Regards,

I doubt this is special to OpenBSD. But you don't give any information to
pinpoint this. What error do you get? What TLS version does the server offer?
What version is supported by your installation?

Are you using a current version of OpenBSD?

Regards

Re: SSL/TLS troubleshooting

Christian Schulte
On 12/10/16 at 21:43, Kai wrote:

> On 10 December 2016 21:35:04 CET, Christian Schulte <[hidden email]> wrote:
>> Hello,
>>
>> I am facing an issue accessing an SSL/TLS webserver from OpenBSD. I
>> have
>> another box not running OpenBSD connected to the same router and that
>> box can connect to that server flawlessly. I already tried to
>> troubleshoot things with the administrator of that system without
>> success. Is there something I need to be aware of accessing SSL/TLS
>> (https) servers with OpenBSD? How can I capture information I can send
>> to the administrator of that system to help him/her find out what is
>> special about connections coming from OpenBSD?
>>
>> Regards,
>
> I doubt this is special to OpenBSD. But you don't give any information to
> pinpoint this. What error do you get?
> What TLS version does the server offer?

It's <https://repository.apache.org/>

Operation timed out. Connections are very slow. Too slow so that they
time out. Does not happen using that other box ever. So there is a
difference accessing that server from OpenBSD (tested with Java, Firefox
and Chromium) and from that other box. I am not having any issues
accessing other servers. I created a ticket with them already.

<https://issues.apache.org/jira/browse/INFRA-13074>

> What version is supported by your installation?
>
> Are you using a current version of OpenBSD?

$ uname -a
OpenBSD t60.schulte.it 6.0 1KHZ.MP#7 amd64

Thanks,
--
Christian

Re: SSL/TLS troubleshooting

Peter Hessler
On 2016 Dec 10 (Sat) at 22:56:05 +0100 (+0100), Christian Schulte wrote:
:$ uname -a
:OpenBSD t60.schulte.it 6.0 1KHZ.MP#7 amd64

You broke it.  Please use a GENERIC kernel, and it will work as normal.

Re: SSL/TLS troubleshooting

Karel Gardas
In reply to this post by Christian Schulte
On Sat, Dec 10, 2016 at 10:56 PM, Christian Schulte <[hidden email]> wrote:
> It's <https://repository.apache.org/>
>
> Operation timed out. Connections are very slow. Too slow so that they

Not sure about the issue, but I've seen that last night too. Generally
speaking there was too high a number of lost packets which made TCP
slow to a crawl or broken. It stayed around 2-3 hours and then suddenly
resolved. And I was accessing this from Ubuntu 16.04.1 if that matters.

Re: SSL/TLS troubleshooting

Christian Schulte
On 12/10/16 at 23:28, Karel Gardas wrote:

> On Sat, Dec 10, 2016 at 10:56 PM, Christian Schulte <[hidden email]> wrote:
>> It's <https://repository.apache.org/>
>>
>> Operation timed out. Connections are very slow. Too slow so that they
>
> Not sure about the issue, but I've seen that last night too. Generally
> speaking there was too high a number of lost packets which made TCP
> slow to a crawl or broken. It stayed around 2-3 hours and then suddenly
> resolved. And I was accessing this from Ubuntu 16.04.1 if that matters.
>

Never disappears here. I'd really like to know why I can access that
without any issue using Windows 10 but start running into issues when
using OpenBSD. I also doubt this is affecting OpenBSD users only.

Regards,
--
Christian

Re: SSL/TLS troubleshooting

Christian Schulte
In reply to this post by Peter Hessler
On 12/10/16 at 22:57, Peter Hessler wrote:
> On 2016 Dec 10 (Sat) at 22:56:05 +0100 (+0100), Christian Schulte wrote:
> :$ uname -a
> :OpenBSD t60.schulte.it 6.0 1KHZ.MP#7 amd64
>
> You broke it.  Please use a GENERIC kernel, and it will work as normal.
>

This is the configuration in use. Do you really think that HZ=1000 is
causing this? Will give GENERIC.MP a try, of course.

$ cat 1KHZ.MP
#       $OpenBSD: GENERIC.MP,v 1.10 2008/12/22 16:35:28 deraadt Exp $

include "arch/amd64/conf/GENERIC"

option          MULTIPROCESSOR
option          HZ=1000
option          BUFCACHEPERCENT=5
rmoption        POOL_DEBUG
makeoptions     DEBUG="-g"
cpu*            at mainbus?

Thanks,
--
Christian

Re: SSL/TLS troubleshooting

Christian Schulte
In reply to this post by Peter Hessler
On 12/10/16 at 22:57, Peter Hessler wrote:
> On 2016 Dec 10 (Sat) at 22:56:05 +0100 (+0100), Christian Schulte wrote:
> :$ uname -a
> :OpenBSD t60.schulte.it 6.0 1KHZ.MP#7 amd64
>
> You broke it.  Please use a GENERIC kernel, and it will work as normal.
>

This is what I did using a recent source tree:

$ cd /usr/src/sys/arch/amd64/conf
$ config GENERIC.MP
$ cd /usr/src/sys/arch/amd64/compile/GENERIC.MP
$ make
$ make install
$ reboot

$ uname -a
OpenBSD t60.schulte.it 6.0 GENERIC.MP#2 amd64

$ cd /usr/src/lib/libssl
$ make clean
$ make obj
$ make depend
$ make
$ make install
$ cd /usr/src/lib/libcrypto
$ make clean
$ make obj
$ make depend
$ make
$ make install

This does not solve the issue, sadly.

Regards,
--
Christian