Intermittent access issues to HTTPS sites…
Issue:
Randomly, the same HTTPS site would sometimes not respond. IE would show its very unhelpful “page cannot be displayed” while Firefox displays the slightly more descriptive “peer received a valid certificate but access denied”.
Cause (in this case):
An upstream Fortigate IPS was dropping “unknown” SSL session IDs.
Troubleshooting:
In wireshark, run the following filter:
ssl.alert_message
In this case we saw the following:
Usually, the “access denied” message means that the client is missing a client-side certificate used for authentication. So of course the first step is to check if the site requires any client-side authentication. This wasn’t the case here, so we expand the above Wireshark filter to see the whole SSL handshake:
ssl.alert_message or ssl.handshake
After isolating a tcp stream of interest we saw both successful and unsuccessful handshakes.
A successful one:
An unsuccessful one:
So, the problem has to be in the “client hello”.
Comparing the client hellos, the problem becomes apparent:
There seems to be a problem with the session ID. Every time the client tries to resume an SSL session by specifying a previously negotiated session ID, something blocks it; a fresh full handshake (empty session ID) goes through fine.
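The comparison above can be automated. The following is an added example (not from the original post): a small Python parser that pulls the session ID out of each ClientHello and pairs it with any TLS alert that follows in the same stream, so a full handshake (empty session ID, no alert) can be told apart from a blocked resumption attempt (non-empty session ID followed by access_denied). The TLS records it runs on are constructed inline rather than captured; the alert-name table is a small subset of the real registry.

```python
import struct

ALERT, HANDSHAKE = 21, 22          # TLS record content types
CLIENT_HELLO = 1                   # handshake message type
ALERT_NAMES = {40: "handshake_failure", 49: "access_denied"}  # subset only

def iter_records(data: bytes):
    """Yield (content_type, body) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length

def client_hello_session_id(body: bytes):
    """Return the session ID carried by a ClientHello, or None if not a ClientHello."""
    if len(body) < 39 or body[0] != CLIENT_HELLO:
        return None
    p = 4 + 2 + 32                 # handshake header, client_version, random
    sid_len = body[p]
    return body[p + 1:p + 1 + sid_len]

def classify_stream(data: bytes) -> dict:
    """Summarise one TCP stream: did the client try to resume, and what alert came back?"""
    resumed, alert = None, None
    for ctype, body in iter_records(data):
        if ctype == HANDSHAKE and resumed is None:
            sid = client_hello_session_id(body)
            if sid is not None:
                resumed = len(sid) > 0   # non-empty session ID == resumption attempt
        elif ctype == ALERT and len(body) == 2:
            alert = ALERT_NAMES.get(body[1], f"alert_{body[1]}")
    return {"resumption_attempt": resumed, "alert": alert}

# --- constructed sample records (not a real capture) ---
def build_client_hello(session_id: bytes) -> bytes:
    hello = b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    hello += b"\x00\x02\xc0\x2f" + b"\x01\x00"   # one cipher suite, null compression
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + b"\x03\x01" + len(hs).to_bytes(2, "big") + hs

def build_alert(description: int, level: int = 2) -> bytes:
    return bytes([ALERT]) + b"\x03\x03" + b"\x00\x02" + bytes([level, description])

FULL_HANDSHAKE = build_client_hello(b"")                         # fresh session, no alert
BLOCKED_RESUMPTION = build_client_hello(b"\xab" * 32) + build_alert(49)  # resume -> access_denied

if __name__ == "__main__":
    print("full:", classify_stream(FULL_HANDSHAKE))
    print("resumption:", classify_stream(BLOCKED_RESUMPTION))
```

A stream that reports `resumption_attempt: True` together with an alert, while empty-session-ID streams to the same host succeed, is the pattern this post describes.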
After some digging around, we found the following, which solved the issue:
Apparently Fortigate has a built-in IPS signature that drops any unknown session IDs. There’s some good theory in the above link 🙂