How to track down "Connection timeout during SSL handshake" and "Connection closed during SSL handshake" errors


Problem description

I have recently switched over to HAProxy from AWS ELB. I am terminating SSL at the load balancer (HAProxy 1.5dev19).

Since switching, I keep getting some SSL connection errors in the HAProxy log (5-10% of the total number of requests). There are three types of errors repeating:

  • Connection closed during SSL handshake
  • Timeout during SSL handshake
  • SSL handshake failure (this one happens rarely)

I'm using a free StartSSL certificate, so my first thought was that some hosts are having trouble accepting this certificate, and I didn't see these errors in the past because ELB offers no logging. The only issue is that some hosts do have successful connections eventually.

I can connect to the servers without any errors, so I'm not sure how to replicate these errors on my end.

Recommended answer

This sounds like clients who are going away mid-handshake (TCP RST or timeout). This would be normal at some rate, but 5-10% sounds too high. It's possible it's a certificate issue; I'm not certain exactly how that presents to

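Things that occur to me:

  • If the negotiation is very slow, you'll have more clients drop off.
  • You could be having underlying TCP problems that you are only seeing now that the new SSL endpoint proxy has started reporting them.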

Do you see individual hosts that sometimes succeed and sometimes fail? If so, this is unlikely to be a certificate issue. I'm not sure how connections get torn down when a user rejects an untrusted certificate.

You can use Wireshark on the HAProxy machine to capture SSL handshakes and parse them (you won't need to decrypt the sessions for handshake analysis, although you could since you have the server private key).
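
One way to answer the "sometimes succeed and sometimes fail" question from the HAProxy log itself, as an added example that is not part of the original question or answer. The log layout, the `https-in` frontend name, the `~` suffix marking SSL connections and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original post); the layout is assumed.
SAMPLE_LOG = """\
Dec 12 10:00:00 lb1 haproxy[1234]: 203.0.113.5:51234 [12/Dec/2013:10:00:00.123] https-in/1: Connection closed during SSL handshake
Dec 12 10:00:05 lb1 haproxy[1234]: 203.0.113.5:51240 [12/Dec/2013:10:00:05.456] https-in~ app/web1 0/0/1/12/13 200 512 - - ---- 2/2/0/1/0 0/0 "GET / HTTP/1.1"
Dec 12 10:00:07 lb1 haproxy[1234]: 198.51.100.9:40022 [12/Dec/2013:10:00:07.001] https-in/1: Timeout during SSL handshake
Dec 12 10:00:09 lb1 haproxy[1234]: 198.51.100.9:40030 [12/Dec/2013:10:00:09.300] https-in/1: SSL handshake failure
Dec 12 10:00:11 lb1 haproxy[1234]: 192.0.2.77:33100 [12/Dec/2013:10:00:11.900] https-in~ app/web2 0/0/2/20/22 200 1024 - - ---- 3/3/0/1/0 0/0 "GET /a HTTP/1.1"
"""

# The three messages quoted in the question.
ERRORS = ("Connection closed during SSL handshake",
          "Timeout during SSL handshake",
          "SSL handshake failure")
# client ip:port, [accept date], frontend token, remainder of the line
LINE = re.compile(r"haproxy\[\d+\]: (?P<ip>[0-9a-fA-F.:]+):\d+ \[[^\]]+\] "
                  r"(?P<fe>\S+) ?(?P<rest>.*)$")

def tally(log_text):
    """Return {client_ip: {"ok": n, <error message>: n, ...}}."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # unrelated syslog line
        if m.group("rest") in ERRORS:
            stats[m.group("ip")][m.group("rest")] += 1
        elif m.group("fe").endswith("~"):  # assumed marker for a completed SSL session
            stats[m.group("ip")]["ok"] += 1
    return stats

def classify(stats):
    """Bucket clients: hosts that both fail and succeed point away from a certificate problem."""
    buckets = {"always_fail": [], "intermittent": [], "always_ok": []}
    for ip, counts in sorted(stats.items()):
        ok = counts.get("ok", 0)
        failed = sum(n for key, n in counts.items() if key != "ok")
        if ok and failed:
            buckets["intermittent"].append(ip)
        elif failed:
            buckets["always_fail"].append(ip)
        else:
            buckets["always_ok"].append(ip)
    return buckets

if __name__ == "__main__":
    for bucket, ips in classify(tally(SAMPLE_LOG)).items():
        print(bucket, ips)
```

Clients that land in `always_fail` are the ones worth matching against a packet capture first.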
