Forum OpenACS Q&A: Re: AOL Server SSL errors

Collapse
2: Re: AOL Server SSL errors (response to 1)
Posted by Brad Duell on
I once asked Scott Goodwin (nsopenssl author) about this, and this is what he said:

*******************************

This is fairly common and it's usually caused by SSL clients that aren't doing the protocol correctly. I used to see these same errors in my Apache SSL logs when I was running Apache, and see about the same amount in my
AOLserver log files, after we switched to AOLserver. Sometimes it's caused by a user who hits the stop or back button before the handshake or page load is complete. The problem is that debugging these failures is almost
impossible without knowing the client's browser version, and you have no idea what that is unless the connection succeeds. It doesn't help that many clients, particularly some of the Microsoft ones, don't even do the protocol
properly. The only way to really debug these issues is to get a copy of every browser and OS combination and test each of them. Afraid I don't have the money to do that.

One thing you can do though is not use SSLv3 or TLSv1. It's not as secure to run SSLv2, but you're running it now anyway. You might want to try that and then watch your logs and see if the number of these errors drops or goes
away completely.

I have on my todo list an item to do more logging for these kinds of failures, specifically adding the IP address and, if possible, the User-Agent string of the failing client. I probably won't be able to get the User-Agent if the handshake really does fail, and the IP address may or may
not be useful depending on if the user is coming through a NAT-enabled firewall.

*******************************

We still see these from time to time, but don't need to restart our server instance as this happens at the session level.