2 Replies Latest reply on Jul 17, 2017 12:24 PM by Jon Scholten

    Proxy Returns SSL Handshake Failed before Client Hello after ~150ms

    johnaldridge

      We have a group working with an AWS service that we haven't used before (though many others are in use), and it just can't seem to get off the ground.

      We've resorted to packet traces for understanding the breakdown.

      Here's a summary:

      1. Client establishes socket to MWG (syn, syn/ack, ack).
      2. Client requests: POST https://monitoring.us-east-1.amazonaws.com HTTP/1.1 (application/x-amz-json-1.0)
      3. Proxy ack to client.
      4. About 150ms later, proxy establishes socket to distant server (syn, syn/ack, ack).
      5. Immediately following this (<1ms), the proxy sends the client a status 500, handshakefailed, along with the error page for "SSL Handshake failed".
      6. Remaining packets moot.

      The thing is, there is no SSL inspection/intercept.

      AWS support says that packet traces on working systems show the Client Hello going out about 180ms after the socket is established.

      All of the proxy timeouts in the configuration are 10 seconds or more.

      Is there a setting we need to know about here--a hidden timeout for SSL/TLS that applies when there is no SSL inspection/intercept?