[English] SSL/TLS traffic is being dropped sporadically which breaks pretty much everything
slivarez
Smart-Analyzer

Hi,

Starting today (26.06.2024) I get SSL/TLS errors (handshake timeouts) about 30% of the time, which breaks secure connections to pretty much everything except https://www.google.com - Google's SSL works 100% of the time.


Here's an example of a successful TLS connection:

$ curl --connect-timeout 2 --insecure https://api.fast.com -v
*   Trying 63.35.136.11:443...
* Connected to api.fast.com (63.35.136.11) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=Los Gatos; O=Netflix, Inc.; CN=api.fast.com
*  start date: Oct 25 00:00:00 2023 GMT
*  expire date: Oct 24 18:46:36 2024 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert Secure Site ECC CA-1
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: api.fast.com
> User-Agent: curl/7.74.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Length: 7
<
* Connection #0 to host api.fast.com left intact
BLOCKED

And here's the next curl command, which fails:

$ curl --connect-timeout 2 --insecure https://api.fast.com -v
*   Trying 44.213.221.81:443...
* Connected to api.fast.com (44.213.221.81) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* Operation timed out after 2001 milliseconds with 0 out of 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 2001 milliseconds with 0 out of 0 bytes received
As you can see, there's no reply to the TLS Client Hello. I get the same curl result from different devices (Mac and Linux), and things like PlayStation Network also don't work on the PS, etc. So it's not an issue with one of my devices. It also fails for all sorts of different SSL/TLS endpoints, so it's not a single-site issue.

I've tried powering the Vodafone modem/router off and on again - it did not help.
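To put a number on the "30% of the time" and to see whether the stalls cluster on one resolved address, here is an added Python helper (my example, not code from the post) that repeats the curl -v probe and classifies each trace by the last handshake step it reached; the two embedded traces are constructed from the outputs quoted above, and the file name probe.py is assumed.

```python
import re
import subprocess
import sys
from collections import Counter

# Constructed samples modelled on the two curl -v traces quoted in the post.
SAMPLE_OK = """\
*   Trying 63.35.136.11:443...
* Connected to api.fast.com (63.35.136.11) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
< HTTP/1.1 404 Not Found
"""
SAMPLE_STALL = """\
*   Trying 44.213.221.81:443...
* Connected to api.fast.com (44.213.221.81) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
curl: (28) Operation timed out after 2001 milliseconds with 0 out of 0 bytes received
"""

def classify(trace):
    """Map one curl -v trace to (peer_ip, stage): how far the connection got."""
    m = re.search(r"Connected to \S+ \(([^)]+)\) port", trace)
    if m is None:
        return (None, "tcp_connect_failed")   # never got a TCP connection
    ip = m.group(1)
    if "TLS handshake, Server hello" not in trace:
        return (ip, "no_server_hello")        # the stall seen in the post
    if "SSL connection using" not in trace:
        return (ip, "handshake_incomplete")
    return (ip, "ok")

def summarize(traces):
    """Count stages per peer IP so failures tied to one address stand out."""
    return Counter(classify(t) for t in traces)

def probe(url, timeout_s=2):
    """Run a single curl -v attempt; the handshake trace is on stderr."""
    cmd = ["curl", "-sS", "-o", "/dev/null", "-v", "--connect-timeout",
           str(timeout_s), "--max-time", str(timeout_s * 2), url]
    return subprocess.run(cmd, capture_output=True, text=True).stderr

if __name__ == "__main__":
    if len(sys.argv) > 1:   # python3 probe.py https://api.fast.com [attempts]
        n = int(sys.argv[2]) if len(sys.argv) > 2 else 20
        traces = [probe(sys.argv[1]) for _ in range(n)]
    else:                   # offline demo on the constructed samples
        traces = [SAMPLE_OK, SAMPLE_STALL, SAMPLE_STALL]
    for (ip, stage), count in sorted(summarize(traces).items(), key=str):
        print(f"{ip}\t{stage}\t{count}")
```

A "no_server_hello" count that piles up on one peer address while another stays "ok" points at the path to that address rather than at the client; if every address stalls equally, look at the access link instead.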

2 answers
RobertP
Giga-Genie

Post the signal levels.

They can be found in the web interface under Status >> DOCSIS Status.

The Fritzbox is in bridge mode, since it's not capable of performing any network switching if it has more than 1-4 clients. https://forum.vodafone.de/t5/Archiv-Internet-Ger%C3%A4te/English-Packet-loss-on-router/td-p/2038934 
I have no idea how to get access to the web interface in bridge mode; I tried connecting a laptop directly, using 192.168.100.10/24 on the laptop and opening 192.168.100.1 - nothing. I found this info in another forum thread.

Also, as of the last 1h the problem is gone; I no longer get TLS handshake timeouts.