Closed mkaroshi closed 3 years ago
That sounds like expected behavior for DTLS, when a ServerHello or alert are totally unauthenticated, and the connection might succeed if retried. If this is regular TLS, on the other hand, it would be weird. Please clarify.
We are not using DTLS, we are using TLS only.
Are you in a position where you can obtain a packet capture (with, e.g., tcpdump or wireshark) of the behavior in question and post it publicly? That would seem like the fastest path to understanding the issue.
I was able to reproduce the issue. The client side ssl version is

```
[mkaroshi@caxv-mkaroshi-2 thud]$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
```

server side openssl version is

```
diag@8180:~$ openssl version
OpenSSL 1.1.1g 21 Apr 2020
```

The wireshark capture is attached. ha.txt
> when it receives ciphers don't match error from ssl server.
In your wireshark trace it looks like this particular instance is the result of a "certificate expired" alert.
What is the application here? Is this your own custom application or some third party software?
gnmi client sending request to ha proxy. Both are open source. Any error comes from the server, the client keeps retrying.
This looks to me like a problem on the client side. I'd suggest contacting the developers of your client software.
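An added example (not code from this thread, from the gnmi client, or from HAProxy): a client-side retry check that parses a plaintext TLS alert record and refuses to resend the ClientHello after alerts such as the "certificate expired" one seen in the trace. The function names, the retry limit and the sample records are assumptions constructed for illustration.

```python
import struct

# Alert descriptions (RFC 5246 / RFC 8446) for which resending the same
# ClientHello cannot succeed until configuration or certificates change.
NON_RETRYABLE = {
    40: "handshake_failure",      # e.g. no shared cipher suite
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
}

def parse_alert(record):
    """Return (level, description) for a plaintext TLS alert record, else None."""
    if len(record) < 7:
        return None
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != 21 or length != 2:   # 21 = alert; plaintext alerts carry 2 bytes
        return None
    return record[5], record[6]

def retry_decision(record, attempts, max_attempts=3):
    """Decide whether the client may reconnect after a failed handshake.

    max_attempts is a hypothetical policy value, not taken from any client.
    """
    alert = parse_alert(record)
    if alert is not None and alert[1] in NON_RETRYABLE:
        return False, NON_RETRYABLE[alert[1]]
    if attempts >= max_attempts:
        return False, "retry limit reached"
    return True, "no non-retryable alert"

# Constructed sample records: fatal (level 2) alerts sent in the clear.
CERT_EXPIRED = bytes.fromhex("1503030002022d")   # description 45
NO_SHARED_CIPHER = bytes.fromhex("15030300020228")  # description 40

if __name__ == "__main__":
    for name, rec in [("expired", CERT_EXPIRED), ("cipher", NO_SHARED_CIPHER), ("reset", b"")]:
        print(name, retry_decision(rec, attempts=0))
```

This only covers alerts sent unencrypted during the handshake; a client built on a TLS library would normally take the alert description from the library's error reporting instead of parsing records itself.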
Can this be closed now?
Yes.
Great. Closing.
openssl client keeps retrying (resending client hello) when it receives ciphers don't match error from ssl server.