On Fri, May 12, 2023 at 8:30 PM Jordan Brown
<[email protected]> wrote:
>
> So, as s_client implies when it says "read 0 bytes", the client said "hello" 
> and the server hung up the phone.
>
> That means that the server doesn't like the way that the client said hello.
>
> There are three obvious reasons why that might happen:
>
> 1. The server doesn't really speak TLS, and when the client sent it this TLS
>    gibberish the server just gave up.
> 2. The server doesn't like the maximum TLS version that the client specified; it
>    demands a later version.
> 3. The server doesn't support any ciphers that the client offered.
>
> For the first, there's no telling what the server might do.
>
> For the second and third, I don't remember what the usual response is.  I 
> wouldn't be surprised if an immediate disconnect is usual.
>
> So, what does that Client Hello packet look like?

For the third:

    > The server doesn't support any
    > ciphers that the client offered.

That will generate an alert, which should cause traffic. For example,
RFC 8446, Section 4.1.1 says: [1]

    If the server is unable to negotiate a supported
    set of parameters (i.e., there is no overlap
    between the client and server parameters),
    it MUST abort the handshake with either a
    "handshake_failure" or "insufficient_security"
    fatal alert.

That should generate a message, and the client should read something.

I really feel like there's something wrong with the server configuration.

Doesn't systemd open a socket even if a service is _not_ running? I
think systemd does it to make the service start fast. I.e., a
`systemctl start slapd.service` will happen quickly because the
listening socket is already operating.

Jeff

[1] https://www.rfc-editor.org/rfc/rfc8446#section-4.1.1
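
An added example, not part of the original message: a small Python classifier for the first bytes a server returns after a ClientHello. It separates the "read 0 bytes" case from a real TLS alert such as the ones RFC 8446 names. The function name and the sample byte strings are constructed for illustration.

```python
import struct

# Alert descriptions from RFC 8446, Section 6 (subset relevant to this thread).
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    70: "protocol_version",
    71: "insufficient_security",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}


def classify_server_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back after a ClientHello."""
    if not data:
        # What s_client reports as "read 0 bytes": the peer closed the
        # connection without sending any TLS record, not even an alert.
        return "closed without sending anything (no TLS alert)"
    if len(data) < 5:
        return "short read: not a complete TLS record header"
    # TLS record header: content type (1), legacy version (2), length (2).
    content_type, legacy_version, length = struct.unpack("!BHH", data[:5])
    if legacy_version >> 8 != 0x03:
        return "not a TLS record (peer may not be speaking TLS)"
    if content_type == 21:  # alert
        if length != 2 or len(data) < 7:
            return "malformed or encrypted alert record"
        level = ALERT_LEVELS.get(data[5], "level %d" % data[5])
        desc = ALERT_DESCRIPTIONS.get(data[6], "description %d" % data[6])
        return "alert: %s %s" % (level, desc)
    if content_type == 22:  # handshake, e.g. a ServerHello
        return "handshake record (server answered the ClientHello)"
    return "TLS record of type %d" % content_type


# Constructed sample replies (not captured from any real server).
SAMPLES = {
    "eof": b"",
    "no_shared_cipher": bytes.fromhex("15030300020228"),
    "weak_parameters": bytes.fromhex("15030300020247"),
    "plaintext_service": b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print("%-18s %s" % (name, classify_server_reply(reply)))
```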
