
Slow TLS handshake

fluxy

Slavan
Joined: 15.05.2007
Has anyone had cases of a slow TLS handshake when using a mail client, and only on certain network segments? The Server Hello message takes 20 seconds.
Check whether SSL/TLS traffic scanning is enabled in the antivirus, and if it is, turn it off and test again.
 
How did you conclude that the TLS handshake is slow? HELO/EHLO happens before TLS is established on ports 25 and 587, because the client is required to check the STARTTLS capability. Only on port 465 is TLS established without a prior HELO/EHLO request.
There is no antivirus on the client.

With Wireshark. After the Client Hello message sent to the server (dest. port 465), an ACK packet arrives from the server, after which there is a 20-second wait until the Server Hello.
 
Code:
$ openssl s_client -connect smtp.gmail.com:465
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2994 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B3889FF0A30CF5AE07DD48861C8D15A8B1C85F1C3E4FBE2D66F17EE939F09BCA
    Session-ID-ctx: 
    Master-Key: 471A9DB66A087471BB18A23B1EBC796027FFAC6CA8E5FC7CD7CF7667637BD3C6016360B8B71A131402C088AADEF79C38
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:

    Start Time: 1555671882
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 smtp.gmail.com ESMTP h12sm1678307wrw.36 - gsmtp
HELO [1.1.1.1]
250 smtp.gmail.com at your service

If the pause comes only after the client sends HELO (after the 220 greeting, while waiting for the 250 response), then TLS must already have been established. So the cause of that 20-second pause is probably not on the client side, but something on the server.
On the problematic network segment, the 20-second delay after running this command appears right after CONNECTED(00000003), but on neither client do I get anything after 220.
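As an added diagnostic aid (not code from anyone in this thread), the following Python script separates the TCP connect time from the ClientHello-to-first-server-byte wait that the Wireshark capture showed, so the delay can be pinned to the handshake rather than to TCP. The hand-built ClientHello and the local delayed stand-in server are constructed for this example; against the real endpoint you would call time_handshake_phases("smtp.gmail.com", 465) from a good and from a bad network segment and compare the second number.

```python
import socket
import struct
import threading
import time

def build_client_hello(server_name: str) -> bytes:
    """Hand-built minimal TLS 1.2 ClientHello carrying an SNI extension (constructed here)."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # ServerNameList, host_name entry
    ext = struct.pack("!HH", 0, len(sni)) + sni                     # extension type 0 = server_name
    cipher = b"\xc0\x2f"  # ECDHE-RSA-AES128-GCM-SHA256, the suite negotiated in the post
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                    # version, fixed random, no session id
            + struct.pack("!H", len(cipher)) + cipher + b"\x01\x00"  # one suite, null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header

def time_handshake_phases(host: str, port: int, server_name=None, timeout=30.0):
    """Return (tcp_connect_s, clienthello_to_first_server_byte_s, first_byte).
    A short first value with a long second one matches the Wireshark picture in the
    thread: TCP is fine and the wait sits between ClientHello and ServerHello."""
    t0 = time.monotonic()
    sock = socket.create_connection((host, port), timeout=timeout)
    t1 = time.monotonic()
    try:
        sock.sendall(build_client_hello(server_name or host))
        first = sock.recv(1)  # first byte of the reply: 0x16 handshake record or 0x15 alert
        t2 = time.monotonic()
    finally:
        sock.close()
    return t1 - t0, t2 - t1, first

def start_delayed_server(delay_s: float) -> int:
    """Constructed stand-in for the slow server: TCP accepts (so the ClientHello is ACKed),
    then the first handshake byte is held back for delay_s. Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            time.sleep(delay_s)
            conn.sendall(b"\x16")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

A connect time in the milliseconds with a hello wait near 20 s reproduces the capture from the thread; a long connect time instead would point at TCP/path problems before TLS is involved.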