Hello,
I have an embedded device (with limited resources) that needs to connect to an
OpenSSL server (Apache2).
The device works very well with many SSL servers with OpenSSL, but not on some
Apache2 servers, because there's a timeout:
after 10 seconds the server always sends a "close_notify" alert (part of the SSL
session, and encrypted).
The problem is that the duration of the whole handshake protocol on my small
device is about 8 seconds, and then the record (encrypting the GET request) takes
about 3 seconds... This makes a total of 11 seconds, so I am just 1 second over
the timeout...
I have disabled the timeout on Apache2, so this concerns only SSL...
I ran ssldump on the server; as you can see in the logs (attached), the
close_notify alert is sent just before the application data of the record is
sent to the server,
and the server never answers this application data (it should return some
HTML content).
Have you got a trick, or a solution, to disable or extend this timeout properly
on the server side without modifying the OpenSSL source code...
In the configuration file of the virtual host, I have tried some of these
options:
---------------------------------------------------------------
SetEnvIf User-Agent "TLS test" \
nokeepalive
---------------------------------------------------------------
But the result is that the session is always closed after 10 seconds, only on
this particular server (Apache2 + OpenSSL)... This is not the case on other
servers...
Regards.
root@lamp ~# ssldump -a -A -H -k /etc/ssl/certs/server2key.pem -i eth0
Enter PEM pass phrase:
New TCP connection #1: 192.168.100.1(10994) <-> 192.168.100.172(443)
1 1 0.0011 (0.0011) C>SV3.1(45) Handshake
ClientHello
Version 3.1
random[32]=
4e b1 e7 f5 f2 71 7b 9a 50 9f b3 f0 9c 67 6a e7
d9 85 2f 44 d5 b5 4d 8e d5 bf 09 64 0d c5 0d f2
cipher suites
TLS_RSA_WITH_RC4_128_MD5
compression methods
NULL
1 2 0.0024 (0.0013) S>CV3.1(74) Handshake
ServerHello
Version 3.1
random[32]=
4e b1 e7 f6 69 da cb 07 26 95 6a f8 1e 85 fa 31
23 92 fc 72 04 3b 1e b8 d3 52 cf 47 92 1d 02 77
session_id[32]=
42 13 c3 03 3a d2 87 46 99 cd 5b 15 f0 c8 7f af
f6 a5 3c 01 0d d4 47 4f dc 94 ec 78 a6 0b af d1
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
1 3 0.0024 (0.0000) S>CV3.1(1349) Handshake
Certificate
1 4 0.0024 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
1 5 7.0099 (7.0074) C>SV3.1(134) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[128]=
86 95 f0 5b 5f a0 ee 56 f9 ee 9b 6b 6f b2 bc 96
d4 46 59 d7 0f aa c8 1f 7d 47 75 92 5b 2b 83 a7
75 b8 06 cd 01 e1 bf d5 34 99 ae 73 5b ab 88 8f
1a 8d 32 10 34 54 ae 21 33 f7 d9 13 b6 07 ce 83
18 31 f0 d4 cc 52 a6 26 aa 5b a9 6a 9a 4a a9 89
d9 bb 25 de 17 18 6b 36 1f 2d 4b e6 6f 06 3f 6c
47 8e 57 58 07 48 13 12 c3 e4 d4 70 ee 14 3c d9
32 67 d3 e3 98 c1 18 a3 d4 ba 13 15 55 5a dd 64
1 6 7.2125 (0.2026) C>SV3.1(1) ChangeCipherSpec
1 7 7.2228 (0.0103) C>SV3.1(32) Handshake
Finished
verify_data[12]=
35 49 5f 6f f0 ef 4f 3f 32 5a 75 e8
1 8 7.2231 (0.0002) S>CV3.1(1) ChangeCipherSpec
1 9 7.2231 (0.0000) S>CV3.1(32) Handshake
Finished
verify_data[12]=
df 77 73 1e 7b b0 e2 18 da 19 bb 61
1 10 10.4692 (3.2460) S>CV3.1(18) Alert
level warning
value close_notify
1 10.4693 (0.0001) S>C TCP FIN
1 11 11.2244 (0.7550) C>SV3.1(114) application_data
1 11.2444 (0.0200) C>S TCP RST
^Croot@lamp ~#
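Because the question turns on where the roughly 10-second clock starts, here is an added Python script (not from the original post, and not part of ssldump or Apache) that parses the record-header lines of an ssldump trace and measures the gaps between handshake start, handshake completion, the close_notify alert and the first application data. The sample input is an excerpt of the trace above with the hex dumps shortened; the regular expressions are written against the line shapes visible in that trace and are an assumption about ssldump's output format in general.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Record-header lines as they appear in the trace:
#   "<conn> <rec> <time> (<delta>) C>SV3.1(<len>) <content type>"
RECORD_RE = re.compile(
    r"^(?P<conn>\d+)\s+(?P<rec>\d+)\s+(?P<t>\d+\.\d+)\s+\((?P<dt>\d+\.\d+)\)\s+"
    r"(?P<dir>[CS]>[CS])V\d\.\d\(\d+\)\s+(?P<kind>\S+)$"
)
# TCP events carry no record number: "<conn> <time> (<delta>) S>C TCP FIN"
TCP_RE = re.compile(
    r"^(?P<conn>\d+)\s+(?P<t>\d+\.\d+)\s+\((?P<dt>\d+\.\d+)\)\s+"
    r"(?P<dir>[CS]>[CS])\s+TCP\s+(?P<flag>\w+)$"
)

# Constructed sample: excerpt of the ssldump trace from the post, hex dumps shortened.
SAMPLE_LOG = """
1 1 0.0011 (0.0011) C>SV3.1(45) Handshake
ClientHello
Version 3.1
random[32]=
4e b1 e7 f5 f2 71 7b 9a 50 9f b3 f0 9c 67 6a e7
cipher suites
TLS_RSA_WITH_RC4_128_MD5
1 2 0.0024 (0.0013) S>CV3.1(74) Handshake
ServerHello
Version 3.1
cipherSuite TLS_RSA_WITH_RC4_128_MD5
1 3 0.0024 (0.0000) S>CV3.1(1349) Handshake
Certificate
1 4 0.0024 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
1 5 7.0099 (7.0074) C>SV3.1(134) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[128]=
86 95 f0 5b 5f a0 ee 56 f9 ee 9b 6b 6f b2 bc 96
1 6 7.2125 (0.2026) C>SV3.1(1) ChangeCipherSpec
1 7 7.2228 (0.0103) C>SV3.1(32) Handshake
Finished
verify_data[12]=
35 49 5f 6f f0 ef 4f 3f 32 5a 75 e8
1 8 7.2231 (0.0002) S>CV3.1(1) ChangeCipherSpec
1 9 7.2231 (0.0000) S>CV3.1(32) Handshake
Finished
verify_data[12]=
df 77 73 1e 7b b0 e2 18 da 19 bb 61
1 10 10.4692 (3.2460) S>CV3.1(18) Alert
level warning
value close_notify
1 10.4693 (0.0001) S>C TCP FIN
1 11 11.2244 (0.7550) C>SV3.1(114) application_data
1 11.2444 (0.0200) C>S TCP RST
"""


@dataclass
class Event:
    t: float          # seconds since ssldump first saw the connection
    direction: str    # "C>S" or "S>C"
    kind: str         # "Handshake", "Alert", "application_data", "TCP FIN", ...
    detail: str = ""  # handshake message name, or alert value


def parse_ssldump(text: str) -> List[Event]:
    """Turn record-header and TCP lines into Events; attach the first indented
    detail line to Handshake records and the 'value' line to Alert records."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m:
            events.append(Event(float(m["t"]), m["dir"], m["kind"]))
            continue
        m = TCP_RE.match(line)
        if m:
            events.append(Event(float(m["t"]), m["dir"], "TCP " + m["flag"]))
            continue
        if not events:
            continue
        last = events[-1]
        if last.kind == "Handshake" and not last.detail:
            last.detail = line                      # e.g. "ClientHello", "Finished"
        elif last.kind == "Alert" and line.startswith("value "):
            last.detail = line.split(maxsplit=1)[1]  # e.g. "close_notify"
    return events


def diagnose(events: List[Event]) -> Dict[str, object]:
    """Measure the handshake and the gaps around the close_notify alert."""
    hs = [e for e in events if e.kind == "Handshake"]
    finished = [e for e in hs if e.detail == "Finished"]
    if not hs or not finished:
        raise ValueError("no complete handshake in trace")
    start, end = hs[0].t, finished[-1].t
    close: Optional[float] = next(
        (e.t for e in events if e.kind == "Alert" and e.detail == "close_notify"), None)
    app: Optional[float] = next(
        (e.t for e in events if e.kind == "application_data"), None)
    return {
        "handshake_seconds": round(end - start, 4),
        "idle_after_handshake": None if close is None else round(close - end, 4),
        "close_after_first_record": None if close is None else round(close - start, 4),
        # True when the client's request only went out after the server had closed
        "app_data_after_close": close is not None and app is not None and app > close,
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_ssldump(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the trace from the post this reports a handshake of about 7.22 s, a close_notify 3.25 s after the server's Finished but 10.47 s after the first record, and the client's application data arriving after the close; comparing those two gaps against a suspected server-side timer is the first thing to check before changing any configuration.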