SSL session ID & IPS

Intermittent access issues to HTTPS sites…

Issue:

Randomly, the same HTTPS site would sometimes not respond. IE would show its very unhelpful “page cannot be displayed”, while Firefox displays the slightly more descriptive “peer received a valid certificate but access denied”.

Cause (in this case):

An upstream Fortigate IPS was dropping “unknown” SSL session IDs.

Troubleshooting:

In Wireshark, run the following filter:


In this case we saw the following:


Usually, the “access denied” message means that the client is missing a client-side certificate used for authentication. So the first step is to check whether the site requires any client-side authentication. This wasn’t the case here, so we expand the above Wireshark filter to see the whole SSL handshake:

ssl.alert_message or ssl.handshake

After isolating a TCP stream of interest we saw both successful and unsuccessful handshakes.

A successful one:


An unsuccessful one:


So, the problem has to be in the “client hello”.

Comparing the client hellos the problem becomes apparent:


There seems to be a problem with the session ID. Every time the client tries to resume an SSL session by specifying the session ID in its client hello, something blocks it.
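To make the comparison above reproducible without screenshots, here is an added example (not code from the original post) that parses raw TLS records with only the Python standard library: it pulls the session ID out of a ClientHello, decodes a TLS alert, and reports whether a failed handshake was a resumption attempt. The two packets are constructed in the script itself; the mapping of the Firefox message quoted above to the TLS `access_denied` alert (description 49) is the one assumption it makes beyond what the post shows.

```python
import struct

# TLS record content types and the handshake message type we care about
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01

# Subset of TLS AlertDescription values (RFC 5246, section 7.2).
# Firefox's "peer received a valid certificate but access denied" is the
# access_denied alert (49) -- assumption, not stated in the post.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 80: "internal_error",
}


def build_client_hello(session_id: bytes, random_bytes: bytes = b"\x11" * 32) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test data)."""
    body = b"\x03\x03" + random_bytes                 # client_version + random
    body += bytes([len(session_id)]) + session_id      # session_id (empty = full handshake)
    suites = b"\xc0\x2f\xc0\x30\x00\x9c"               # a few cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # one compression method: null
    body += b"\x00\x00"                                # no extensions
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def build_alert(level: int, description: int) -> bytes:
    """Build a TLS alert record (constructed test data)."""
    return bytes([CONTENT_ALERT, 0x03, 0x03, 0x00, 0x02, level, description])


def parse_record(data: bytes) -> dict:
    """Decode one TLS record into a small dict describing what it carries."""
    if len(data) < 5:
        raise ValueError("record shorter than the 5-byte header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")

    if ctype == CONTENT_ALERT:
        level, desc = payload[0], payload[1]
        return {
            "type": "alert",
            "level": "fatal" if level == 2 else "warning",
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        }

    if ctype == CONTENT_HANDSHAKE and payload[0] == HS_CLIENT_HELLO:
        hs_len = int.from_bytes(payload[1:4], "big")
        body = payload[4:4 + hs_len]
        offset = 2 + 32                      # skip client_version and random
        sid_len = body[offset]
        offset += 1
        session_id = body[offset:offset + sid_len]
        return {
            "type": "client_hello",
            "session_id": session_id.hex(),
            "resumption_attempt": sid_len > 0,   # non-empty ID = trying to reuse a session
        }

    return {"type": f"other({ctype})"}


def diagnose(records: list) -> str:
    """Summarise a stream: was the rejected handshake a session resumption?"""
    hello = next((r for r in records if r["type"] == "client_hello"), None)
    alert = next((r for r in records if r["type"] == "alert" and r["level"] == "fatal"), None)
    if hello is None:
        return "no ClientHello in stream"
    if alert is None:
        return "handshake not rejected"
    if hello["resumption_attempt"]:
        return f"resumption with session ID {hello['session_id']} rejected: {alert['description']}"
    return f"full handshake rejected: {alert['description']}"


if __name__ == "__main__":
    # Constructed stream 1: full handshake (empty session ID), no alert.
    good = [parse_record(build_client_hello(b""))]
    # Constructed stream 2: resumption attempt answered by a fatal access_denied alert.
    bad = [parse_record(build_client_hello(bytes(range(32)))), parse_record(build_alert(2, 49))]
    print(diagnose(good))
    print(diagnose(bad))
```

Feeding the same parser the ClientHello bytes exported from Wireshark for a good and a bad stream gives the two verdicts side by side: the only difference between the hellos is the session ID field, which is what pointed at the IPS in this case.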

After some digging around, we found the following, which solved the issue:

Apparently Fortigate has an inbuilt IPS that drops any unknown session IDs. There’s some good theory in the above link 🙂