Opened on 05/27/2014 at 04:37:43 PM

#568 new change

Add monitoring for SSL connection failures

Reported by:	trev	Assignee:
Priority:	P3	Milestone:
Module:	Infrastructure	Keywords:
Cc:	fhd	Blocked By:
Blocking:		Platform:
Ready:	yes	Confidential:	no
Tester:		Verified working:	no
Review URL(s):

Description

Background

nginx doesn't log SSL handshake failures so currently we have no way of knowing how many clients tried to connect to our server and failed.

What to change

Add monitoring of connection failures. The simplest approach would be to run tcpdump for 10 seconds and record how many SSL connections were established, how many were closed and which percentage was closed by the client. It seems to be a safe assumption that any connection closed by the client is an issue - normally the server closes the connection when all the data is sent. This doesn't require parsing the SSL protocol.

Understanding why the clients close connections will be more complicated however. I looked into this and my impression is that this cannot really be done on the server side. A cipher mismatch would be visible on the server side but I haven't seen a single one. If the client rejects our certificate for some reason the server will only see a disconnect however. Also, in most cases I've looked at the same client managed to open another connection successfully - it just seems to have disconnected "randomly". It might be that some timeouts are involved here, so an increased rate of client disconnects might indicate server responsiveness issues. Not sure whether we can get any more information.

Summary:

Description:

You may use WikiFormatting here.

=== Background ===
nginx doesn't log SSL handshake failures so currently we have no way of knowing how many clients tried to connect to our server and failed.

=== What to change ===
Add monitoring of connection failures. The simplest approach would be to run tcpdump for 10 seconds and record how many SSL connections were established, how many were closed and which percentage was closed by the client. It seems to be a safe assumption that any connection closed by the client is an issue - normally the server closes the connection when all the data is sent. This doesn't require parsing the SSL protocol.

Understanding **why** the clients close connections will be more complicated however. I looked into this and my impression is that this cannot really be done on the server side. A cipher mismatch would be visible on the server side but I haven't seen a single one. If the client rejects our certificate for some reason the server will only see a disconnect however. Also, in most cases I've looked at the same client managed to open another connection successfully - it just seems to have disconnected "randomly". It might be that some timeouts are involved here, so an increased rate of client disconnects might indicate server responsiveness issues. Not sure whether we can get any more information.

Type:

Priority:

Milestone:

Module:

Keywords:

Cc:

Blocked By:

Blocking:

Platform:

Ready:

Confidential:

Tester:

Verified working:

Review URL(s):

Context Navigation

#568 new change

Add monitoring for SSL connection failures

Description

Background

What to change

Attachments (0)

Change History (0)

Add Comment

Modify Ticket

Changed by kzar

Download in other formats:

Summary:
Description:	You may use WikiFormatting here. === Background === nginx doesn't log SSL handshake failures so currently we have no way of knowing how many clients tried to connect to our server and failed. === What to change === Add monitoring of connection failures. The simplest approach would be to run tcpdump for 10 seconds and record how many SSL connections were established, how many were closed and which percentage was closed by the client. It seems to be a safe assumption that any connection closed by the client is an issue - normally the server closes the connection when all the data is sent. This doesn't require parsing the SSL protocol. Understanding why the clients close connections will be more complicated however. I looked into this and my impression is that this cannot really be done on the server side. A cipher mismatch would be visible on the server side but I haven't seen a single one. If the client rejects our certificate for some reason the server will only see a disconnect however. Also, in most cases I've looked at the same client managed to open another connection successfully - it just seems to have disconnected "randomly". It might be that some timeouts are involved here, so an increased rate of client disconnects might indicate server responsiveness issues. Not sure whether we can get any more information.
Type:		Priority:
Milestone:		Module:
Keywords:		Cc:
Blocked By:		Blocking:
Platform:		Ready:
Confidential:		Tester:
Verified working:
Review URL(s):