Opened on 05/27/2014 at 04:37:43 PM
#568 new change
Add monitoring for SSL connection failures
| Reported by: | trev | Assignee: | |
|---|---|---|---|
| Priority: | P3 | Milestone: | |
| Module: | Infrastructure | Keywords: | |
| Cc: | fhd | Blocked By: | |
| Blocking: | | Platform: | |
| Ready: | yes | Confidential: | no |
| Tester: | | Verified working: | no |
| Review URL(s): | | | |
Description
Background
nginx doesn't log SSL handshake failures so currently we have no way of knowing how many clients tried to connect to our server and failed.
What to change
Add monitoring of connection failures. The simplest approach would be to run tcpdump for 10 seconds and record how many SSL connections were established, how many were closed and what percentage was closed by the client. It seems to be a safe assumption that any connection closed by the client is an issue - normally the server closes the connection when all the data is sent. This doesn't require parsing the SSL protocol.
Understanding why the clients close connections will be more complicated however. I looked into this and my impression is that this cannot really be done on the server side. A cipher mismatch would be visible on the server side, but I haven't seen a single one. If the client rejects our certificate for some reason, the server will only see a disconnect however. Also, in most cases I've looked at, the same client managed to open another connection successfully - it just seems to have disconnected "randomly". It might be that some timeouts are involved here, so an increased rate of client disconnects might indicate server responsiveness issues. Not sure whether we can get any more information.
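The counting approach proposed in "What to change", as an added example that is not part of the ticket or the project's code: a Python script that parses the text output of `tcpdump -n -tt 'tcp port 443'`, counts completed TCP handshakes to port 443 and records which side sent the first FIN or RST. The regex, the flow bookkeeping, the assumption that the capture filter leaves exactly one side of every packet on the server port, and the sample lines are all mine (the sample is constructed, not a real capture).

```python
import re

# One TCP line of `tcpdump -n` output; the leading timestamp is optional so -t, -tt and default formats all parse.
LINE_RE = re.compile(r"^(?:\S+\s+)?IP6?\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
                     r"\s+Flags\s+\[(?P<flags>[^\]]*)\]")

def port_of(endpoint):
    return int(endpoint.rpartition(".")[2])  # tcpdump -n writes host.port, port after the last dot

def summarize(lines, server_port=443):
    """Count completed handshakes to server_port and which side closed each one first."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, flags = m.group("src", "dst", "flags")
        # Assumes the capture filter ('tcp port 443') left exactly one side on the server port.
        from_client = port_of(dst) == server_port
        key = (src, dst) if from_client else (dst, src)  # one flow per client socket
        flow = flows.setdefault(key, {"syn_ack": False, "established": False, "closed_by": None})
        if "S" in flags:                        # SYN from client or SYN-ACK from server
            flow["syn_ack"] |= not from_client
        elif from_client and flow["syn_ack"]:   # first client ACK after SYN-ACK: handshake done
            flow["established"] = True
        if ("F" in flags or "R" in flags) and flow["closed_by"] is None:
            flow["closed_by"] = "client" if from_client else "server"
    est = [f for f in flows.values() if f["established"]]
    closed = [f for f in est if f["closed_by"]]
    by_client = sum(1 for f in closed if f["closed_by"] == "client")
    return {"established": len(est), "closed": len(closed), "closed_by_client": by_client,
            "pct_closed_by_client": 100.0 * by_client / len(closed) if closed else 0.0}

# Constructed sample (not a real capture): three completed handshakes, closed by client FIN,
# by server FIN and by client RST respectively, plus one SYN the server never answered.
SAMPLE = """\
1401201463.000001 IP 203.0.113.5.51234 > 198.51.100.10.443: Flags [S], seq 1, win 29200, length 0
1401201463.000050 IP 198.51.100.10.443 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 28960, length 0
1401201463.000100 IP 203.0.113.5.51234 > 198.51.100.10.443: Flags [.], ack 3, win 229, length 0
1401201463.000300 IP 203.0.113.5.51234 > 198.51.100.10.443: Flags [F.], seq 2, ack 3, win 229, length 0
1401201464.000001 IP 203.0.113.6.40001 > 198.51.100.10.443: Flags [S], seq 9, win 29200, length 0
1401201464.000050 IP 198.51.100.10.443 > 203.0.113.6.40001: Flags [S.], seq 5, ack 10, win 28960, length 0
1401201464.000100 IP 203.0.113.6.40001 > 198.51.100.10.443: Flags [.], ack 6, win 229, length 0
1401201464.200000 IP 198.51.100.10.443 > 203.0.113.6.40001: Flags [F.], seq 6, ack 10, win 227, length 0
1401201465.000001 IP 203.0.113.7.40002 > 198.51.100.10.443: Flags [S], seq 3, win 29200, length 0
1401201465.000050 IP 198.51.100.10.443 > 203.0.113.7.40002: Flags [S.], seq 7, ack 4, win 28960, length 0
1401201465.000100 IP 203.0.113.7.40002 > 198.51.100.10.443: Flags [.], ack 8, win 229, length 0
1401201465.050000 IP 203.0.113.7.40002 > 198.51.100.10.443: Flags [R.], seq 4, ack 8, win 229, length 0
1401201466.000001 IP 203.0.113.8.40003 > 198.51.100.10.443: Flags [S], seq 4, win 29200, length 0
""".splitlines()
```

The percentage is computed only over established connections, so unanswered SYNs (a different failure mode) never inflate the client-close rate; on the sample, 2 of 3 closed connections were ended by the client.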