
I'm seeing some strange SSL handshake failures on the client side. We have a custom web JS application that is accessed only by browsers with an older WebKit (like the one found in Epiphany). All requests coming from the client are made from the same browser (version and type).

Here are the symptoms:

a.) the client browser displays an SSL handshake failure:

  • If the webpage is reloaded, the error stays
  • If the browser session is killed and a new session is loaded, the error goes away

b.) No SSL errors are found in the nginx error log, syslog or the OpenSSL log

c.) In a tcpdump I'm seeing some strange occasional SSL handshake errors:

  • Bad certificate status response
  • No Certificate
  • Internal Error

d.) we are using Let's encrypt SSL certificates

e.) nginx.conf:

  • ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  • ssl_prefer_server_ciphers on;
  • nginx serves as a proxy that redirects all http traffic to https
  • sites-enabled:

```nginx
server {
    listen 80;
    server_name srv_name;
    # send all plain-http traffic to https
    return 301 https://$host$request_uri;
}

server {
    listen 443;
    server_name srv_name;

    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;

    ssl on;   # legacy directive; newer nginx releases use "listen 443 ssl" instead
    ssl_certificate fullchain.pem_path;
    ssl_certificate_key privkey.pem_path;
    ssl_session_timeout 5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

    location /robots.txt {
        alias /opt/robots.txt;
    }

    # /.well-known/ is where Let's Encrypt http-01 challenge files are placed
    location /.well-known/ {
        alias /usr/share/nginx/html/.well-known/;
    }

    location / {
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_pass http://localhost:8000/;
        break;
    }
}
```

f.) Basic flow:

  • the client browser opens the http URL and gets a 301 redirect to https
  • the JS application makes periodic ajax calls (I suspect those calls also randomly fail due to an SSL handshake failure, since the HTTP response code equals 0)
  • if an ajax call returns HTTP response code 0, the page is reloaded (location.reload()), usually resulting in an SSL handshake failure message in the client browser.

g.) Things started to happen after the migration to new servers (from Ubuntu 14.04 LTS (OpenSSL 1.0.1f 6 Jan 2014) to Ubuntu 16.04 LTS (OpenSSL 1.0.2g 1 Mar 2016)). The application and client browser version stayed the same.

Do you have any ideas where to look next? Why is this not happening every time the client opens the URL, but only very sporadically?

user2011328
  • [Wobbly OCSP server](https://archive.is/GGJgG#selection-843.476-843.758), maybe? Also: you may need to divulge more detail about your server. – StackzOfZtuff Oct 10 '16 at 12:57
  • @StackzOfZtuff thank you for the tip. Will check it out. Regarding nginx server there is not a lot more config to tell you about. Will add some more nginx.conf details. – user2011328 Oct 10 '16 at 13:04
  • Sadly, enabling OCSP on nginx hasn't resolved it. The issue still persists. Any other clues where to look? – user2011328 Oct 11 '16 at 10:57
  • If you make the domain name public, someone could run it through the common test sites and/or custom tests. Do you wish to make that name public? – StackzOfZtuff Oct 12 '16 at 06:24
  • Sorry can't give domain name due to company's policy. Could there be anything specific that I should be watching in wireshark when ssl handshake fails? – user2011328 Oct 12 '16 at 14:09
  • No. Try https://ssllabs.com/ against the frontend and https://testssl.sh/ against front end and all backend servers and see what you find. – StackzOfZtuff Oct 13 '16 at 06:12
  • Maybe it is related to my problem https://serverfault.com/questions/1002021/nginx-fails-on-high-load-with-debian10-and-not-with-debian9 and maybe this might help: https://medium.com/@andrewhowdencom/mysterious-ssl-tls-network-connection-failures-in-debian-buster-52c29a661cb3 – Janning Feb 07 '20 at 10:05

0 Answers