I've just done a tcpdump. About to look at it myself, but maybe eyes on list 
will spot the issue (if any) quicker than my tired eyes.

198.51.100.167 is me (RFC5737 obfuscated)
52.216.65.232 is Amazon (I used the IP to rule out any possible DNS issues even 
though I've triple-checked the DNS is working perfectly)

# From a server behind the firewall
> openssl s_client -connect 52.216.65.232:443 -servername github-production-release-asset-2e65be.s3.amazonaws.com
CONNECTED(00000003)
140007268579136:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 240 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1537377960
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
# INTERNAL INTERFACE
$ doas tcpdump -i vlan178  'host 198.51.100.167 and 52.216.65.232'
tcpdump: listening on vlan178, link-type EN10MB
18:25:57.268855 myserver.example.com.32792 > s3-1-w.amazonaws.com.4433: . ack 630647770 win 29200 (DF)
18:26:00.298134 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: S 4238555681:4238555681(0) win 29200 <mss 1460,sackOK,timestamp 1612824367 0,nop,wscale 7> (DF)
18:26:00.298147 s3-1-w.amazonaws.com.https > myserver.example.com.54112: S 3428578097:3428578097(0) ack 4238555682 win 0 <mss 1460> (DF) [tos 0x10]
18:26:00.298384 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: . ack 1 win 29200 (DF)
18:26:00.373869 s3-1-w.amazonaws.com.https > myserver.example.com.54112: . ack 1 win 1 (DF) [tos 0x10]
18:26:00.580732 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:00.788730 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:01.204744 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:02.036771 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:03.700700 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:06.996828 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:11.410370 s3-1-w.amazonaws.com.4433 > myserver.example.com.32792: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
18:26:13.652796 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:20.474809 s3-1-w.amazonaws.com.https > myserver.example.com.54112: P 1:8(7) ack 1 win 14600
18:26:20.475044 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: . ack 8 win 29200 (DF)
18:26:20.475294 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: FP 2:241(239) ack 8 win 29200 (DF)
18:26:20.475296 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: R 242:242(0) ack 8 win 29200 (DF)
18:26:20.550879 s3-1-w.amazonaws.com.https > myserver.example.com.54112: . ack 1 win 14600
18:26:20.550892 s3-1-w.amazonaws.com.https > myserver.example.com.54112: . ack 1 win 14600
18:26:20.551002 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: R 4238555682:4238555682(0) win 0 (DF)
18:26:20.551126 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: R 4238555682:4238555682(0) win 0 (DF)
# EXTERNAL INTERFACE
$ doas tcpdump -i em1 'host 198.51.100.167 and 52.216.65.232'
tcpdump: listening on em1, link-type EN10MB
18:26:00.298424 198.51.100.167.54112 > 52.216.65.232.https: S 3428578097:3428578097(0) win 0 (DF) [tos 0x10]
18:26:00.373822 52.216.65.232.https > 198.51.100.167.54112: S 4188089135:4188089135(0) ack 3428578098 win 0 <mss 1432>
18:26:00.373863 198.51.100.167.54112 > 52.216.65.232.https: . ack 1 win 29200 (DF) [tos 0x10]
18:26:20.474775 52.216.65.232.https > 198.51.100.167.54112: P 1:8(7) ack 1 win 14600 (DF)
18:26:20.475060 198.51.100.167.54112 > 52.216.65.232.https: . ack 8 win 29200
18:26:20.475311 198.51.100.167.54112 > 52.216.65.232.https: FP 2:241(239) ack 8 win 29200
18:26:20.475323 198.51.100.167.54112 > 52.216.65.232.https: R 242:242(0) ack 8 win 29200
18:26:20.550857 52.216.65.232.https > 198.51.100.167.54112: . ack 1 win 14600 (DF)
18:26:20.550858 52.216.65.232.https > 198.51.100.167.54112: . ack 1 win 14600 (DF)
18:26:20.551018 198.51.100.167.54112 > 52.216.65.232.https: R 3428578098:3428578098(0) win 0
18:26:20.551140 198.51.100.167.54112 > 52.216.65.232.https: R 3428578098:3428578098(0) win 0
