Forum OpenACS Q&A: AOL Server SSL errors

Posted by Bob Powell on
Hello Everyone:

I'm using OpenACS 4.X and AOLserver 3.3.1 with a Postgres 7.2.3 backend.

I've been having intermittent problems with the encrypted tunnels that seem to lose contact with my backend database.

Error log entries are:

Error: nsopenssl: EOF during SSL handshake
Error: nsopenssl: error during SSL handshake:Connection reset by peer
Error: nsopenssl: error 0/1 during SSL handshake

Connections seem to drop.  This appears to get worse over time.  The solution for me at the moment is to restart the AOL server.

Has anyone seen this kind of behavior before?  Thanks.
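Since the question is whether these handshake failures are really getting worse over time, the following script (added here as an example; it is not code from anyone in this thread or from the nsopenssl project) parses error-log lines of the kind quoted above, counts handshake failures per hour, breaks them down by message type, and flags a bucket whose count is well above the earlier average. The bracketed "[dd/Mon/yyyy:HH:MM:SS][pid.tid][thread]" prefix is an assumption about the AOLserver log layout, and the sample lines are constructed, not taken from a real server.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log. The prefix layout is an assumption about how
# AOLserver writes its error log; adjust LINE_RE if your log differs.
SAMPLE_LOG = """\
[07/Mar/2003:09:02:11][1234.1][-conn0-] Notice: nssock: listening on 0.0.0.0:80
[07/Mar/2003:09:15:40][1234.2][-conn1-] Error: nsopenssl: EOF during SSL handshake
[07/Mar/2003:10:03:02][1234.3][-conn2-] Error: nsopenssl: error during SSL handshake:Connection reset by peer
[07/Mar/2003:11:20:55][1234.4][-conn1-] Error: nsopenssl: EOF during SSL handshake
[07/Mar/2003:11:44:09][1234.5][-conn3-] Error: nsopenssl: error 0/1 during SSL handshake
[07/Mar/2003:11:51:30][1234.6][-conn2-] Error: nsopenssl: EOF during SSL handshake
[07/Mar/2003:11:58:12][1234.7][-conn4-] Error: nsopenssl: error during SSL handshake:Connection reset by peer
this line is deliberately malformed and must be skipped
"""

# "[timestamp][pid.tid][thread] Level: message"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[[^\]]*\]\[[^\]]*\] (?P<level>\w+): (?P<msg>.*)$"
)

# The three nsopenssl handshake messages seen in the original post, each
# mapped to a short category name.
HANDSHAKE_PATTERNS = [
    ("eof", re.compile(r"^nsopenssl: EOF during SSL handshake$")),
    ("reset", re.compile(r"^nsopenssl: error during SSL handshake:")),
    ("code", re.compile(r"^nsopenssl: error \d+/\d+ during SSL handshake$")),
]


def parse_line(line):
    """Return (timestamp, level, message) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
    return ts, m.group("level"), m.group("msg")


def classify_handshake_error(level, msg):
    """Return the failure category for an nsopenssl handshake error, else None."""
    if level != "Error":
        return None
    for name, pattern in HANDSHAKE_PATTERNS:
        if pattern.match(msg):
            return name
    return None


def failures_by_hour(text):
    """Count handshake failures per hour, keyed 'YYYY-MM-DD HH:00'."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash
        ts, level, msg = parsed
        if classify_handshake_error(level, msg) is not None:
            counts[ts.strftime("%Y-%m-%d %H:00")] += 1
    return counts


def failure_breakdown(text):
    """Count handshake failures by category (eof / reset / code)."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        category = classify_handshake_error(parsed[1], parsed[2])
        if category is not None:
            counts[category] += 1
    return counts


def worsening(hourly_counts, factor=2.0):
    """True if the latest hour has at least `factor` times the earlier average.

    With fewer than two buckets there is no trend to judge, so return False.
    """
    ordered = [hourly_counts[k] for k in sorted(hourly_counts)]
    if len(ordered) < 2:
        return False
    earlier_avg = sum(ordered[:-1]) / len(ordered[:-1])
    return ordered[-1] >= factor * earlier_avg


if __name__ == "__main__":
    hourly = failures_by_hour(SAMPLE_LOG)
    for bucket in sorted(hourly):
        print(bucket, hourly[bucket])
    print("by type:", dict(failure_breakdown(SAMPLE_LOG)))
    print("worsening:", worsening(hourly))
```

On the constructed sample the 11:00 bucket holds four failures against one in each earlier hour, so worsening() reports True; on a real log, a steady background rate of these errors is the normal "bad client" noise Scott Goodwin describes, while a rising curve is the signal that the server itself is degrading.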

2: Re: AOL Server SSL errors (response to 1)
Posted by Brad Duell on
I once asked Scott Goodwin (nsopenssl author) about this, and this is what he said:

*******************************

This is fairly common and it's usually caused by SSL clients that aren't doing the protocol correctly. I used to see these same errors in my Apache SSL logs when I was running Apache, and see about the same amount in my AOLserver log files, after we switched to AOLserver. Sometimes it's caused by a user who hits the stop or back button before the handshake or page load is complete. The problem is that debugging these failures is almost impossible without knowing the client's browser version, and you have no idea what that is unless the connection succeeds. It doesn't help that many clients, particularly some of the Microsoft ones, don't even do the protocol properly. The only way to really debug these issues is to get a copy of every browser and OS combination and test each of them. Afraid I don't have the money to do that.

One thing you can do though is not use SSLv3 or TLSv1. It's not as secure to run SSLv2, but you're running it now anyway. You might want to try that and then watch your logs and see if the number of these errors drops or goes away completely.

I have on my todo list an item to do more logging for these kinds of failures, specifically adding the IP address and, if possible, the User-Agent string of the failing client. I probably won't be able to get the User-Agent if the handshake really does fail, and the IP address may or may not be useful depending on if the user is coming through a NAT-enabled firewall.

*******************************

We still see these from time to time, but don't need to restart our server instance as this happens at the session level.

3: Re: AOL Server SSL errors (response to 1)
Posted by Torben Brosten on

Bob, since you're restarting AOLserver, you might try setting these nsopenssl module params to true, to see if more details about the errors are available.

In your config.tcl file, below this line:

ns_section "ns/server/${servername}/module/nsopenssl"

set these params to true:

ns_param ServerTrace                     true ;# was false
ns_param SockServerTrace                 true ;# was false
ns_param SockClientTrace                 true ;# was false

Then watch for errors. The details helped me identify the cause of problem connects in an unrelated situation.

cheers, Torben