SSL session ID & IPS

Intermittent access issues to HTTPS sites…

Issue :

Randomly, the same HTTPS site would sometimes not respond. IE would show its very unhelpful “page cannot be displayed” while Firefox displays the slightly more descriptive “peer received a valid certificate but access denied”.

Cause (in this case) :

An upstream Fortigate IPS was dropping “unknown” SSL session IDs

Troubleshooting :

In wireshark, run the following filter:

ssl.alert_message

In this case we saw the following:

[screenshot: ssl_ID – Wireshark output of the ssl.alert_message filter]

Usually, the “access denied” message means that the client is missing a client-side certificate used for authentication. So of course first step is to check if the site requires any client-side authentication. This wasn’t the case here, so we expand the above wireshark filter to see the whole ssl handshake:

ssl.alert_message or ssl.handshake

After isolating a tcp stream of interest we saw both successful and unsuccessful handshakes.

A successful one:

[screenshot: ssl_ID2 – successful handshake]

An unsuccessful one:

[screenshot: ssl_ID3 – unsuccessful handshake]

So, the problem has to be in the “client hello”

Comparing the client hellos the problem becomes apparent:

[screenshot: ssl_ID4 – comparison of the two client hellos]

There seems to be a problem with the session ID. Every time the client tries to reuse an SSL session by specifying the session ID in its client hello, something blocks it.
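As an added illustration (not part of the original post), the following script does in code what the Wireshark filters above do by eye: it parses TLS records, reports whether each client hello carries a session ID (i.e. is a resumption attempt) and whether an alert follows it, and flags the resumption-then-fatal-alert pattern. The sample records are constructed, not a real capture; the alert code 49 is the TLS access_denied alert, which is what Firefox reports with the message quoted above.

```python
import struct

HANDSHAKE, ALERT, CLIENT_HELLO = 0x16, 0x15, 0x01
ALERT_NAMES = {40: "handshake_failure", 49: "access_denied"}  # subset of RFC 5246 codes

def parse_record(rec: bytes) -> dict:
    """Parse one TLS record into what the Wireshark filters above show: for a
    ClientHello, whether a session ID is present (a resumption attempt); for an
    alert, its level and description."""
    if len(rec) < 5:
        raise ValueError("truncated record header")
    ctype, length = rec[0], struct.unpack("!H", rec[3:5])[0]
    body = rec[5:5 + length]
    if len(body) != length:
        raise ValueError("record body length mismatch")
    if ctype == ALERT and length == 2:
        return {"type": "alert", "level": body[0],
                "description": ALERT_NAMES.get(body[1], str(body[1]))}
    if ctype == HANDSHAKE and body and body[0] == CLIENT_HELLO:
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        sid_len = hello[34]  # follows client_version (2 bytes) + random (32 bytes)
        sid = hello[35:35 + sid_len]
        return {"type": "client_hello", "session_id": sid.hex(), "resumption": sid_len > 0}
    return {"type": "other", "content_type": ctype}

def build_client_hello(session_id: bytes) -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (constructed sample, not a capture)."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + b"\x00\x02\x00\x2f"   # one cipher suite
             + b"\x01\x00")          # null compression only
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_alert(level: int, description: int) -> bytes:
    return b"\x15\x03\x01\x00\x02" + bytes([level, description])

# Constructed sample stream: a full handshake, then a resumption attempt that is
# answered with a fatal access_denied alert, modelled on the symptoms in the post.
SAMPLE_STREAM = [build_client_hello(b""), build_client_hello(bytes(range(32))), build_alert(2, 49)]

def find_failed_resumptions(records):
    """Return (session_id, alert) pairs where a ClientHello reusing a session ID
    is immediately followed by a fatal alert."""
    parsed = [parse_record(r) for r in records]
    return [(p["session_id"], n["description"])
            for p, n in zip(parsed, parsed[1:])
            if p["type"] == "client_hello" and p["resumption"]
            and n["type"] == "alert" and n["level"] == 2]
```

Run it over records extracted from a capture (for example with tshark) and an empty result means no resumption attempt was refused; a non-empty one points at the session ID, as in this case.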

After some digging around, we found the following, which solved the issue:

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=13737&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=12013499&stateId=0%200%2012011584

Apparently FortiGate has an inbuilt IPS that drops any unknown session IDs. There’s some good theory in the above link 🙂