Environment:
- OpenBSD 4.9, stock (base) apache with self-signed certificate
- behind a SOHO NAT router (with relevant in-bound redirects)
Problem: non-local SSL connections never complete the handshake
(verified while monitoring the interface with tcpdump, see below)
During troubleshooting I was able to eliminate a few suspects:
- Regular un-encrypted HTTP (port 80) works every time;
- https:// from the same LAN (i.e. no NAT) always works;
- SSH always works (whether local or remote);
- PF seems to have no bearing -- no difference in behavior whether
enabled, enabled with "pass in quick" for the remote test host, or even
altogether disabled.
Unfortunately, I cannot eliminate the NAT device and need to find a way
to work with it.
All clues(ticks) are appreciated,
-Jacob.
Sanitized tcpdump -netttvv log:
Jul 11 17:26:39.589073 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005841692
0,nop,wscale 0> (DF) (ttl 45, id 30330, len 60)
Jul 11 17:26:39.590087 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359378
3005841692> (DF) (ttl 64, id 5701, len 64)
Jul 11 17:26:42.584962 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005841992
0,nop,wscale 0> (DF) (ttl 45, id 30331, len 60)
Jul 11 17:26:42.585565 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384
3005841992> (DF) (ttl 64, id 52775, len 64)
Jul 11 17:26:42.589685 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384
3005841992> (DF) (ttl 64, id 3806, len 64)
Jul 11 17:26:48.584959 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005842592
0,nop,wscale 0> (DF) (ttl 45, id 30332, len 60)
Jul 11 17:26:48.585435 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359396
3005842592> (DF) (ttl 64, id 4014, len 64)
Jul 11 17:26:48.590024 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359396
3005842592> (DF) (ttl 64, id 59349, len 64)
Jul 11 17:27:00.584563 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005843792
0,nop,wscale 0> (DF) (ttl 45, id 30333, len 60)
Jul 11 17:27:00.584880 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359419
3005843792> (DF) (ttl 64, id 4439, len 64)
Jul 11 17:27:00.590727 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359419
3005843792> (DF) (ttl 64, id 17093, len 64)
Jul 11 17:27:24.585829 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005846192
0,nop,wscale 0> (DF) (ttl 45, id 30334, len 60)
Jul 11 17:27:24.586302 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359467
3005846192> (DF) (ttl 64, id 12052, len 64)
Jul 11 17:27:24.592057 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384 <mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359467
3005846192> (DF) (ttl 64, id 15080, len 64)
Obligatory dmesg:
OpenBSD 4.9 (GENERIC) #671: Wed Mar 2 07:09:00 MST 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 848 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,
SSE
real mem = 267915264 (255MB)
avail mem = 253403136 (241MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/21/04, BIOS32 rev. 0 @
0xffe90, SMBIOS rev. 2.3 @ 0xf6ef0 (60 entries)
bios0: vendor Dell Computer Corporation version "A23" date 01/21/2004
bios0: Dell Computer Corporation Latitude C800
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high, estimated 9:34 hours
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbc20/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371 ISA and IDE"
rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc0000/0x10000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82815 Host" rev 0x02
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xe4000000, size 0x2400000
ppb0 at pci0 dev 1 function 0 "Intel 82815 AGP" rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage 128 Mobility" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x03
pci2 at ppb1 bus 2
mem address conflict 0x10000000/0x1000
mem address conflict 0x10001000/0x1000
esa0 at pci2 dev 3 function 0 "ESS Maestro 3" rev 0x10: irq 5
ac97: codec id 0x83847609 (SigmaTel STAC9721/23)
ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel 3D
audio0 at esa0
xl0 at pci2 dev 6 function 0 "3Com 3c556 100Base-TX" rev 0x10: irq 10,
address 00:01:03:zz:zz:zz
tqphy0 at xl0 phy 0: 78Q2120 10/100 PHY, rev. 11
"3Com V.90 Modem" rev 0x10 at pci2 dev 6 function 1 not configured
cbb0 at pci2 dev 15 function 0 "TI PCI4451 CardBus" rev 0x00: irq 10
cbb1 at pci2 dev 15 function 1 "TI PCI4451 CardBus" rev 0x00: irq 10
"TI PCI4451 FireWire" rev 0x00 at pci2 dev 15 function 2 not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 4 device 0 cacheline 0x8, lattimer 0x20
pcmcia1 at cardslot1
ichpcib0 at pci0 dev 31 function 0 "Intel 82801BAM LPC" rev 0x03: 24-
bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 "Intel 82801BAM IDE" rev 0x03: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <IC25N020ATCS04-0>
wd0: 16-sector PIO, LBA, 19077MB, 39070080 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <MATSHITA, UJDA330, 1.05> ATAPI 5/cdrom
removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
cd0(pciide0:0:1): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 31 function 2 "Intel 82801BA USB" rev 0x03: irq 10
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
biomask ef4d netmask ef4d ttymask ffdf
mtrr: Pentium Pro MTRR support
com3 at pcmcia0 function 0 "MEGAHERTZ, XJ2288, V.34 PCMCIA MODEM" port
0xe3f8/8: ns16550a, 16 byte fifo
com3: probed fifo depth: 0 bytes
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
