From: Matt D. <ma...@sh...> - 2022-02-28 11:04:10

On 2/28/2022 11:22 AM, Vieri Di Paola wrote:
> Hi,
>
> Some hosts in the LAN are randomly unable to connect to external https
> services. All connections are going through a Shorewall routing
> firewall.
>
> One host in the same vlan with src IP addr. 10.215.111.210 is properly
> accessing the following site:
>
> curl --verbose --head https://teams.microsoft.com
> * Trying 52.113.194.132:443...
> * Connected to teams.microsoft.com (52.113.194.132) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * CAfile: C:\cURL\curl-ca-bundle.crt
> * CApath: none
> * TLSv1.0 (OUT), TLS header, Certificate Status (22):
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS header, Finished (20):
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS header, Finished (20):
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server accepted to use h2
> [etc]
>
> Another host in the same vlan with IP addr. 10.215.111.199 is unable
> to connect to the exact same site and at the same time
> (52.113.194.132):
>
> curl --verbose --head https://teams.microsoft.com
> * Trying 52.113.194.132:443...
> * Connected to teams.microsoft.com (52.113.194.132) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * CAfile: C:\curl\curl-ca-bundle.crt
> * CApath: none
> * TLSv1.0 (OUT), TLS header, Certificate Status (22):
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.0 (OUT), TLS header, Unknown (21):
> * TLSv1.3 (OUT), TLS alert, decode error (562):
> * error:0A000126:SSL routines::unexpected eof while reading
> * Closing connection 0
> curl: (35) error:0A000126:SSL routines::unexpected eof while reading
>
> This is what I see with tcpdump while trying the above connection
> ("wan" is the interface facing Internet):
>
> # tcpdump -n -i wan host 10.215.111.199
> dropped privs to pcap
> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
> listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
> 10:58:55.602587 IP 10.215.111.199.60258 > 52.113.194.132.443: Flags [S], seq 1097095637, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 10:58:55.602797 IP 52.113.194.132.443 > 10.215.111.199.60258: Flags [S.], seq 2635751257, ack 1097095638, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
> 10:58:55.604900 IP 10.215.111.199.60258 > 52.113.194.132.443: Flags [.], ack 1, win 1026, length 0
> 10:58:55.880427 IP 10.215.111.199.60258 > 52.113.194.132.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
> 10:58:55.880581 IP 52.113.194.132.443 > 10.215.111.199.60258: Flags [.], ack 518, win 123, length 0
>
> What makes things "worse" is that if I tamper with this host's "hosts"
> file and manually set the name resolution of teams.microsoft.com to
> 52.113.195.132 (another valid IP addr. for teams.microsoft.com) then
> it can finally connect as expected.
>
> There's no shorewall rule to block 52.113.194.132:443 so I don't know
> why the TLS handshake is failing.
>
> I'd like to determine if this is a communications issue (i.e.
> Shorewall) or a client/server hosts problem.

I'm not sure that this is the issue, but Teams requires lots of open ports to work. I had to open those for the Desktop edition.

--
Matt Darfeuille <ma...@sh...>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
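As an added example (not from this thread or from Shorewall), a small Python triage script that reads `tcpdump -n` text such as the capture quoted above and reports whether the flow died at L3/L4 (SYN unanswered), lost the client's data in transit, or stalled at the TLS layer after the Client Hello was acknowledged, which is the pattern in Vieri's capture. The regex and verdict codes are my own; the sample input is the five tcpdump lines from the post, re-joined one per line.

```python
import re

# Added example: classify one TCP flow in `tcpdump -n` text output.
# tcpdump prints absolute seq/ack on SYN segments and relative numbers afterwards.
LINE_RE = re.compile(
    r"IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],(?: seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?,)?"
    r"(?: ack (?P<ack>\d+),)?.*? length (?P<length>\d+)"
)

# Sample input: the tcpdump lines quoted in the thread (the archive had wrapped them).
CAPTURE = """\
10:58:55.602587 IP 10.215.111.199.60258 > 52.113.194.132.443: Flags [S], seq 1097095637, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:55.602797 IP 52.113.194.132.443 > 10.215.111.199.60258: Flags [S.], seq 2635751257, ack 1097095638, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
10:58:55.604900 IP 10.215.111.199.60258 > 52.113.194.132.443: Flags [.], ack 1, win 1026, length 0
10:58:55.880427 IP 10.215.111.199.60258 > 52.113.194.132.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
10:58:55.880581 IP 52.113.194.132.443 > 10.215.111.199.60258: Flags [.], ack 518, win 123, length 0
"""

def diagnose(capture, client, server):
    """Return 'CODE: detail' for the client->server flow; client/server are (ip, port)."""
    synack = False
    client_sent = 0   # payload bytes the client pushed (relative seq, post-SYN)
    server_acked = 0  # bytes of client payload the server acknowledged
    server_sent = 0   # payload bytes the server sent back
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = (m["sip"], int(m["sport"])), (m["dip"], int(m["dport"]))
        is_syn = "S" in m["flags"]
        if (src, dst) == (client, server) and not is_syn and m["seq_end"]:
            client_sent = max(client_sent, int(m["seq_end"]) - 1)  # seq a:b covers a..b-1
        elif (src, dst) == (server, client):
            if is_syn and "." in m["flags"]:
                synack = True
            if not is_syn and m["ack"]:
                server_acked = max(server_acked, int(m["ack"]) - 1)  # ack n = bytes 1..n-1 received
            server_sent += int(m["length"])
    if not synack:
        return "NO_SYNACK: SYN unanswered, TCP never opened (routing/firewall, L3/L4)"
    if client_sent == 0:
        return "NO_CLIENT_DATA: TCP opened but the client sent no payload"
    if server_acked < client_sent:
        return f"CLIENT_DATA_UNACKED: only {server_acked}/{client_sent} client bytes ACKed (loss on path)"
    if server_sent == 0:
        return (f"TLS_STALL: server ACKed the {client_sent}-byte Client Hello but sent no Server Hello; "
                "the TCP path works, so this is not a plain port/address block")
    return f"HANDSHAKE_PROCEEDING: server returned {server_sent} payload bytes"

if __name__ == "__main__":
    print(diagnose(CAPTURE, ("10.215.111.199", 60258), ("52.113.194.132", 443)))
```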