Article delegate-en/3111 of [1-5169] on the server localhost:119
[Reference:<_A3108@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: SSL disconnect problem
28 Jan 2006 21:39:57 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A3108@delegate-en.ML_> on 01/25/06(16:03:03)
you peqgabdyi-kp76qhuvkelr.ml@ml.delegate.org wrote:
 |We are running Delegate 9.0.5/6 on windows 2003 server.
 |
 |It looks like when the delegate application receives a "SSL shutdown alert" 
 |it does not handle it correctly and the session stays up in the server for 
 |30 seconds (minimum tcp_wait time in windows); because of that delegate is 
 |unable to set up a new session from the same client within the 30 seconds.
 |
 |(Ethereal log fragment)
 |No.   Time         Sender          Destination     Proto  Info
 |33    13.500888    10.1.1.x        212.213.51.x    TCP    1026 > https [ACK] Seq=613 Ack=1529 Win=1500 Len=0 
 |34    13.520005    212.213.51.x    10.1.1.x        SSLv3  Application Data 
 |35    13.523312    10.1.1.x        212.213.51.x    TCP    1026 > https [ACK] Seq=613 Ack=1586 Win=1500 Len=0 
 |36    13.875400    10.1.1.x        212.213.51.x    SSLv3  Encrypted Alert 
 |37    13.921090    212.213.51.x    10.1.1.x        TCP    https > 1026 [FIN  ACK] Seq=1586 Ack=636 Win=65512 Len=0 
 |38    13.923773    10.1.1.x        212.213.51.x    TCP    1026 > https [FIN  ACK] Seq=636 Ack=1587 Win=1500 Len=0 
 |39    13.965846    212.213.51.x    10.1.1.x        TCP    https > 1026 [ACK] Seq=1587 Ack=637 Win=65512 Len=0 
 |
 |If I have understood the SSL protocol right, the delegate server needs to 
 |send an ack for the encrypted alert or do nothing with it (that works 
 |also); now it starts to shut down the session by itself and the client and 
 |delegate fail to shut down the sessions at both ends.
 |
 |Is this a known "feature" and is there any solution for it? 
 |I really need this problem solved asap because it is a major problem for 
 |us.

If you are using DeleGate as an HTTP proxy for SSL-Tunneling, and
if you see "not half_duplex ?" in your logfile of DeleGate, you will be
able to escape the problem by specifying this:

  REMITTABLE=+,ssltunnel

DeleGate as a proxy for SSL-Tunneling tries to block non HTTPS/SSL
(non half-duplex) communication by default.  But the Alert type
record can be sent in non half-duplex order.  So I made DeleGate
detect the packet and pass it through.  The detection is done simply
by checking whether the first octet of a record is 0x15 or not.  It might
not match in your case.  So I'd like to see the binary dump of your
"Encrypted Alert" packet.

If you are using DeleGate as an HTTPS origin server or a HTTPS gateway,
it is another problem.  I need a little more information about your
configuration parameters of DeleGate and the client program.

Cheers,
Yutaka
--
  D G   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
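The reply above says DeleGate decides whether to let an out-of-turn packet through by looking at a single octet, 0x15 (SSL_RT_ALERT). The following is an added example written for this page, not code from DeleGate or from the thread's author, showing that check extended to the whole 5-byte SSLv3/TLS record header (content type, version, length, per RFC 6101 / RFC 5246), so that a stray 0x15 in non-SSL traffic is not mistaken for an alert and so that a one-byte peek is reported as "not enough to decide". The sample records are constructed here: they are filler bodies sized to match the capture in the original post (23 bytes for the encrypted alert in frame 36, 57 bytes for the application data in frame 34) and are not the poster's actual bytes; the function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SSL 3.0 / TLS record-layer content types (the first octet of every record). */
enum tls_content_type {
    TLS_CT_CHANGE_CIPHER_SPEC = 0x14,
    TLS_CT_ALERT              = 0x15,   /* the SSL_RT_ALERT value DeleGate tests for */
    TLS_CT_HANDSHAKE          = 0x16,
    TLS_CT_APPLICATION_DATA   = 0x17
};

/* Largest record body: 2^14 bytes of plaintext plus 2048 bytes of compression/MAC/padding slack. */
#define TLS_MAX_RECORD_BODY 18432u

enum record_verdict {
    REC_NEED_MORE = 0,  /* fewer than the 5 header bytes were peeked */
    REC_NOT_TLS   = 1,  /* header does not look like SSLv3/TLS at all */
    REC_ALERT     = 2,  /* alert record: relay it even in "non half-duplex" order */
    REC_OTHER     = 3   /* handshake, change-cipher-spec or application data */
};

struct record_header {
    unsigned ctype;     /* content type octet */
    unsigned version;   /* 0x0300 = SSLv3, 0x0301 = TLS 1.0, ... */
    unsigned length;    /* body length following the 5-byte header */
};

/* Classify the bytes a relay has peeked (recv with MSG_PEEK) from a socket.
 * Unlike a bare b[0] == 0x15 test, this also requires a plausible version
 * and length before calling the record an alert. */
enum record_verdict classify_record(const unsigned char *b, size_t n,
                                    struct record_header *h)
{
    if (n < 5)
        return REC_NEED_MORE;
    h->ctype   = b[0];
    h->version = ((unsigned)b[1] << 8) | b[2];
    h->length  = ((unsigned)b[3] << 8) | b[4];
    if (h->ctype < TLS_CT_CHANGE_CIPHER_SPEC || h->ctype > TLS_CT_APPLICATION_DATA)
        return REC_NOT_TLS;
    if (b[1] != 0x03 || b[2] > 0x03)    /* SSL 3.0 through the TLS 1.2/1.3 wire version */
        return REC_NOT_TLS;
    if (h->length > TLS_MAX_RECORD_BODY)
        return REC_NOT_TLS;
    return h->ctype == TLS_CT_ALERT ? REC_ALERT : REC_OTHER;
}

/* Build a constructed SSLv3 record (version 3.0, as in the capture) with an
 * opaque filler body. Returns the number of bytes written, 0 on overflow. */
size_t make_ssl3_record(unsigned char *out, size_t cap, unsigned ctype, size_t body_len)
{
    if (body_len > 0xFFFF || cap < 5 + body_len)
        return 0;
    out[0] = (unsigned char)ctype;
    out[1] = 0x03;
    out[2] = 0x00;
    out[3] = (unsigned char)(body_len >> 8);
    out[4] = (unsigned char)(body_len & 0xFF);
    memset(out + 5, 0xAA, body_len);    /* constructed filler standing in for ciphertext + MAC */
    return 5 + body_len;
}

/* The relay decision: only a well-formed alert record is let through when
 * data arrives out of turn; everything else keeps the half-duplex policy. */
int pass_through_out_of_turn(const unsigned char *peeked, size_t n)
{
    struct record_header h;
    return classify_record(peeked, n, &h) == REC_ALERT;
}

int main(void)
{
    unsigned char rec[64];
    struct record_header h;
    size_t n;
    const unsigned char http[] = "GET / HTTP/1.0\r\n";   /* constructed non-SSL input */

    /* 5-byte header + 18-byte body = the 23 bytes frame 36 carries in the capture. */
    n = make_ssl3_record(rec, sizeof rec, TLS_CT_ALERT, 18);
    printf("alert record: %zu bytes, verdict %d, pass=%d\n", n,
           classify_record(rec, n, &h), pass_through_out_of_turn(rec, n));

    /* 5-byte header + 52-byte body = the 57 bytes of application data in frame 34. */
    n = make_ssl3_record(rec, sizeof rec, TLS_CT_APPLICATION_DATA, 52);
    printf("app data record: %zu bytes, verdict %d, pass=%d\n", n,
           classify_record(rec, n, &h), pass_through_out_of_turn(rec, n));

    /* What a single-octet MSG_PEEK gives you: not enough to decide. */
    printf("one peeked octet: verdict %d\n", classify_record(rec, 1, &h));

    /* Plaintext HTTP on the tunnel is not an SSL record at all. */
    printf("plain HTTP: verdict %d\n", classify_record(http, sizeof http - 1, &h));
    return 0;
}
```

In a relay the input to classify_record would be the result of recv(fd, b, 5, MSG_PEEK); the REC_NEED_MORE verdict is the case to handle when that peek returns fewer than five bytes, rather than reading whatever happens to be in the buffer.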


Subject: Re: [DeleGate] fix for "non-half-dup CONNECT" (Re: On Delegate9.0.3pre14Win32Http)
From: ysato@delegate.org (Yutaka Sato)
On 06/22/05(15:43) I wrote in <_A12985@delegate.ML_>
<URL:http://www.delegate.org/mail-lists/delegate/12985>:
 |+ static int toBeBroken(int fdc,int fdv[]){
 |+ 	unsigned char b[4];
 |+ 	int rcc;
 |+ 	int fi;
 |+ 	int fd;
 |+ 
 |+ 	if( !IsAlive(fdv[0]) )
 |+ 		return 0;
 |+ 	if( !IsAlive(fdv[1]) )
 |+ 		return 0;
 |+ 	for( fi = 0; fi < 2; fi++ ){
 |+ 		fd = fdv[fi];
 |+ 		rcc = recv(fd,b,1,MSG_PEEK);
 |+ 		syslog_ERROR(
 |+ 		"## EXIT relaysx: not half_duplex ? [%d] %d[%X]\n",fd,rcc,b[0]);
 |+ 
 |+ 		if( b[0] == 0x15 ){ /* SSL_RT_ALERT */
 |+ 			syslog_ERROR(
 |+ 			"## relaysx: thru SSL ALERT [%d] %d[%X]\n",fd,rcc,b[0]);
 |+ 			return 0;
 |+ 		}
 |+ 		rcc = recv(fd,b,4,MSG_PEEK);
 |+ 		syslog_ERROR(
 |+ 		"## EXIT relaysx: not half_duplex ? [%d] %d[%X][%X][%X][%X]\n",
 |+ 			fd,rcc,b[0],b[1],b[2],b[3]);
 |+ 	}
 |+ 	return 1;
 |+ }
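Review bot: the return value of `recv(fd,b,1,MSG_PEEK)` is stored in `rcc` but never checked before `b[0] == 0x15` is tested, so when the peek returns 0 (peer closed) or -1 (error, e.g. EAGAIN on a non-blocking socket) the test reads an uninitialized stack byte and can either pass a dead connection through as an "SSL ALERT" or log garbage; suggest `if( rcc == 1 && b[0] == 0x15 )` and returning early when `rcc <= 0`. The "## EXIT relaysx: not half_duplex ?" error line is also emitted before the alert test, so every legitimate alert produces a misleading EXIT entry followed by the "thru SSL ALERT" entry; moving that syslog_ERROR below the 0x15 check keeps the log honest. Finally, a single-octet match is a weak discriminator, since any non-SSL stream whose next byte happens to be 0x15 is waved through; the second peek already fetches 4 bytes, so peeking the 5-byte record header once and requiring a 0x03 version major and a sane length would make the alert detection much tighter at no extra cost.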
