Opened 5 years ago

#568 new change

Add monitoring for SSL connection failures

Reported by: trev Assignee:
Priority: P3 Milestone:
Module: Infrastructure Keywords:
Cc: fhd Blocked By:
Blocking: Platform:
Ready: yes Confidential: no
Tester: Verified working: no
Review URL(s):

Description

Background

nginx doesn't log SSL handshake failures so currently we have no way of knowing how many clients tried to connect to our server and failed.

What to change

Add monitoring of connection failures. The simplest approach would be to run tcpdump for 10 seconds and record how many SSL connections were established, how many were closed and which percentage was closed by the client. It seems to be a safe assumption that any connection closed by the client is an issue - normally the server closes the connection when all the data is sent. This doesn't require parsing the SSL protocol.

Understanding why the clients close connections will be more complicated however. I looked into this and my impression is that this cannot really be done on the server side. A cipher mismatch would be visible on the server side but I haven't seen a single one. If the client rejects our certificate for some reason the server will only see a disconnect however. Also, in most cases I've looked at the same client managed to open another connection successfully - it just seems to have disconnected "randomly". It might be that some timeouts are involved here, so an increased rate of client disconnects might indicate server responsiveness issues. Not sure whether we can get any more information.

Change History (0)

Note: See TracTickets for help on using tickets.