Intermittent access issues to HTTPS sites…
Randomly, the same HTTPS site would sometimes not respond. IE would show its very unhelpful "page cannot be displayed", while Firefox displays the slightly more descriptive "peer received a valid certificate but access denied".
Cause (in this case):
An upstream Fortigate IPS was dropping “unknown” SSL session IDs
In Wireshark, run the following filter:
In this case we saw the following:
Usually, the "access denied" message corresponds to the TLS access_denied alert (alert description 49): the peer received a certificate but its access control refused to continue the negotiation, which in practice most often means the server wanted client-certificate authentication and did not get a certificate it accepts. So of course the first step is to check whether the site requires any client-side authentication (in a capture, look for a CertificateRequest message from the server). This wasn't the case here, so we expanded the above Wireshark filter to see the whole SSL handshake:
ssl.alert_message or ssl.handshake
(In Wireshark 3.0 and later the SSL dissector was renamed to TLS, so the same fields are tls.alert_message and tls.handshake.)
After isolating a TCP stream of interest, we saw both successful and unsuccessful handshakes.
A successful one:
An unsuccessful one:
So the problem has to be in the Client Hello.
Comparing the Client Hellos, the problem becomes apparent:
There seems to be a problem with the session ID. Every time the client tries to resume an earlier SSL session by sending that session's ID in its Client Hello (rather than an empty session ID, which asks for a full handshake), something blocks it. Normally this is harmless either way: a server that still knows the ID echoes it in its Server Hello and skips the certificate exchange, and a server that does not know it simply issues a new one, so an unknown session ID is never a protocol error by itself.
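As an added example (not code from the original post), the following Python parses the TLS records of one TCP stream and reports the things the analysis above hinges on: the session ID the client offers in its Client Hello, whether the Server Hello echoes it (resumption) or issues a new one (full handshake), whether the server sent a CertificateRequest (the client-side authentication check mentioned earlier), and any fatal alert such as access_denied. All sample streams, names and helper functions are constructed for illustration, not taken from a capture; on real traffic you would feed summarize() the reassembled bytes of a stream exported from Wireshark.

```python
"""Minimal TLS 1.0-1.2 record parser: did the client ask to resume a session
(non-empty session ID in its ClientHello), did the server accept, did the server
demand a client certificate, or did it all end in an alert?  Added example for
this post, not the post's own code; all names and sample bytes are constructed."""
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE = 20, 21, 22            # record content types
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE_REQUEST = 1, 2, 13   # handshake types
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 49: "access_denied"}

def parse_records(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (content_type, version, fragment) for each 5-byte-headed TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        fragment = stream[off + 5:off + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated TLS record")
        yield ctype, version, fragment
        off += 5 + length

def parse_handshakes(fragment: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (handshake_type, body); one fragment may carry several messages."""
    off = 0
    while off + 4 <= len(fragment):
        htype, length = fragment[off], int.from_bytes(fragment[off + 1:off + 4], "big")
        body = fragment[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        yield htype, body
        off += 4 + length

def hello_session_id(body: bytes) -> bytes:
    """ClientHello and ServerHello both start: version(2) random(32) session_id<0..32>."""
    return body[35:35 + body[34]]

@dataclass
class StreamSummary:
    client_session_id: bytes = b""
    server_session_id: Optional[bytes] = None
    certificate_request: bool = False        # server asked for a client certificate
    alert: Optional[Tuple[int, int]] = None  # (level, description)

    @property
    def outcome(self) -> str:
        if self.alert and self.alert[0] == 2:
            return "fatal alert: " + ALERT_NAMES.get(self.alert[1], str(self.alert[1]))
        if self.server_session_id is None:
            return "no ServerHello seen"     # hello never answered, e.g. dropped in transit
        # Up to TLS 1.2 a ServerHello echoing the client's ID means resumption; an
        # unknown ID is not an error, the server just issues a fresh one.  (TLS 1.3
        # always echoes the legacy ID, so this test does not apply there.)
        if self.client_session_id and self.client_session_id == self.server_session_id:
            return "resumed"
        return "full handshake"

def summarize(stream: bytes) -> StreamSummary:
    """Walk one TCP stream's records (both directions, in order) up to the first
    ChangeCipherSpec, after which handshake messages are encrypted."""
    s = StreamSummary()
    for ctype, _version, fragment in parse_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            break
        if ctype == ALERT and len(fragment) == 2:
            s.alert = (fragment[0], fragment[1])
        elif ctype == HANDSHAKE:
            for htype, body in parse_handshakes(fragment):
                if htype == CLIENT_HELLO:
                    s.client_session_id = hello_session_id(body)
                elif htype == SERVER_HELLO:
                    s.server_session_id = hello_session_id(body)
                elif htype == CERTIFICATE_REQUEST:
                    s.certificate_request = True
    return s

# --- constructed sample streams (not captured traffic) -----------------------
def _record(ctype: int, fragment: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(fragment)) + fragment

def _hello(htype: int, session_id: bytes) -> bytes:
    # client: cipher_suites<1 suite>, compression<null>, no extensions; server: suite, null, no extensions
    tail = b"\x00\x02\xc0\x2f\x01\x00\x00\x00" if htype == CLIENT_HELLO else b"\xc0\x2f\x00\x00\x00"
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id + tail  # zero random
    return _record(HANDSHAKE, bytes([htype]) + len(body).to_bytes(3, "big") + body)

OLD_SID = bytes(range(32))
RESUMED = _hello(CLIENT_HELLO, OLD_SID) + _hello(SERVER_HELLO, OLD_SID) + _record(CHANGE_CIPHER_SPEC, b"\x01")
FULL = _hello(CLIENT_HELLO, b"") + _hello(SERVER_HELLO, bytes([0xAA] * 32))
CLIENT_AUTH = FULL + _record(HANDSHAKE, bytes([CERTIFICATE_REQUEST]) + b"\x00\x00\x06" + bytes(6))
ACCESS_DENIED = _hello(CLIENT_HELLO, OLD_SID) + _record(ALERT, b"\x02\x31")  # fatal access_denied(49)
UNANSWERED = _hello(CLIENT_HELLO, OLD_SID)                                    # resumption attempt, no reply
```

The outcome property encodes the rule the analysis relies on: with TLS 1.2 and earlier, an echoed session ID is resumption and a different one is just a full handshake, so a client offering an ID the server does not know can never by itself produce an error. If a stream shows a resumption attempt followed by nothing (UNANSWERED) or by a fatal alert the server would have no reason to send, the rejection is coming from something between client and server.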
After some digging around, we found the following, which solved the issue:
Apparently Fortigate has a built-in IPS that drops any unknown session IDs. There's some good theory in the above link 🙂