Opened on 05/27/2014 at 04:37:43 PM

#568 new change

Add monitoring for SSL connection failures

Reported by: trev
Assignee:
Priority: P3
Milestone:
Module: Infrastructure
Keywords:
Cc: fhd
Blocked By:
Blocking:
Platform:
Ready: yes
Confidential: no
Tester:
Verified working: no
Review URL(s):



nginx doesn't log SSL handshake failures so currently we have no way of knowing how many clients tried to connect to our server and failed.

What to change

Add monitoring of connection failures. The simplest approach would be to run tcpdump for 10 seconds and record how many SSL connections were established, how many were closed and which percentage was closed by the client. It seems to be a safe assumption that any connection closed by the client is an issue - normally the server closes the connection when all the data is sent. This doesn't require parsing the SSL protocol.

Understanding why the clients close connections will be more complicated, however. I looked into this and my impression is that this cannot really be done on the server side. A cipher mismatch would be visible on the server side but I haven't seen a single one. If the client rejects our certificate for some reason, the server will only see a disconnect, however. Also, in most cases I've looked at, the same client managed to open another connection successfully - it just seems to have disconnected "randomly". It might be that some timeouts are involved here, so an increased rate of client disconnects might indicate server responsiveness issues. Not sure whether we can get any more information.
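
One way to do the counting proposed under "What to change", as an added example that is not part of the original ticket or the project's code. The capture command in the comment, the `summarize` name, the use of the server's SYN-ACK as the "established" signal and the sample lines are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Input: text output of a 10-second capture (assumed command), e.g.
#   timeout 10 tcpdump -nn -tt 'tcp port 443 and tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'
LINE = re.compile(r"^\S+ IP6? (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
Stats = namedtuple("Stats", "established closed closed_by_client client_pct")

def summarize(lines, server_port=443):
    established = set()  # client endpoints the server answered with SYN-ACK
    first_closer = {}    # client endpoint -> side that sent the first FIN/RST
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if int(sport) == server_port:
            sender, conn = "server", (dst, dport)
        elif int(dport) == server_port:
            sender, conn = "client", (src, sport)
        else:
            continue
        if "S" in flags:  # handshake packet; the server's SYN-ACK marks "established"
            if sender == "server" and "." in flags:
                established.add(conn)
        elif "F" in flags or "R" in flags:
            first_closer.setdefault(conn, sender)  # only the first closer counts
    closed = len(first_closer)
    by_client = sum(1 for side in first_closer.values() if side == "client")
    pct = round(100.0 * by_client / closed, 1) if closed else 0.0
    return Stats(len(established), closed, by_client, pct)

# Constructed sample capture (documentation addresses), not real traffic.
SAMPLE = """\
1401208663.000100 IP 198.51.100.7.51234 > 203.0.113.10.443: Flags [S], seq 100, win 29200, length 0
1401208663.000200 IP 203.0.113.10.443 > 198.51.100.7.51234: Flags [S.], seq 900, ack 101, win 28960, length 0
1401208663.200000 IP 198.51.100.7.51234 > 203.0.113.10.443: Flags [F.], seq 300, ack 1200, win 229, length 0
1401208664.000100 IP 192.0.2.15.40022 > 203.0.113.10.443: Flags [S], seq 500, win 29200, length 0
1401208664.000200 IP 203.0.113.10.443 > 192.0.2.15.40022: Flags [S.], seq 700, ack 501, win 28960, length 0
1401208664.900000 IP 203.0.113.10.443 > 192.0.2.15.40022: Flags [F.], seq 4100, ack 800, win 235, length 0
1401208664.900500 IP 192.0.2.15.40022 > 203.0.113.10.443: Flags [F.], seq 800, ack 4101, win 229, length 0
1401208665.000100 IP 198.51.100.9.51990 > 203.0.113.10.443: Flags [S], seq 10, win 29200, length 0
1401208665.000200 IP 203.0.113.10.443 > 198.51.100.9.51990: Flags [S.], seq 20, ack 11, win 28960, length 0
1401208665.050000 IP 198.51.100.9.51990 > 203.0.113.10.443: Flags [R], seq 11, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Connections are keyed by client address and port, so a client port reused within the same capture window is counted once.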
