Hi, I have an intermittent problem with SSL on our local network. We have a proxy on the network, but all SSL traffic should be untouched. The hand-off of HTTP traffic is achieved through these iptables rules (where .23 is the proxy):
When the problem happens, I can't, for example, open an SSL site from Chrome, but going to Firefox magically helps. Then the trouble disappears and I can use that site again. Sometimes refreshing the page helps. Other people in the office with the same wired connections may have no problem going to the site, though. Weird stuff like that. So, I took a capture of the traffic while the problem was happening, but I can't understand, due to insufficient knowledge in the area, what is abnormal in the sequence. How could I post the capture? EDIT: I've put the capture here: https://docs.google.com/file/d/0B8FF7jZJwuoUNExMdHB2eFZ1WU0/edit?usp=sharing Thanks for any help!
asked 08 Oct '13, 09:12 surge edited 08 Oct '13, 09:20
One Answer:
If you look at the content, you will see this:
If I compare the two capture files, I can see that the HTTPS request is sent to the MAC address of an Intel device (probably your proxy), while the POP3S request is sent to a Netgear MAC address (probably your Internet router). So, the HTTPS request is forwarded to the proxy. Looks like the iptables rules you posted are not complete. Regards
answered 08 Oct '13, 10:37 Kurt Knochner ♦ edited 08 Oct '13, 13:18
The Netgear is our router, you're right.
I'm on Linux, and when I go to the proxy settings, it says "Google Chrome is using your computer's system proxy settings to connect to the network." In my /etc/network/interfaces I have
Now, the router runs ddwrt and here is the more complete set of rules from the router:
(08 Oct '13, 11:02) surge
Sorry about the formatting. The forum interface is fighting me. (08 Oct '13, 11:03) surge
Well, those rules do not explain why the HTTPS traffic (TCP/443) is forwarded to the proxy. There must be more than just that. Can you please post the output of
Some more questions:
I guess you captured on the client. If so, there must be something on the client as well, because the client already sent the traffic to the proxy MAC (Intel MAC), so the iptables and routing rules on the router were not involved at all. (08 Oct '13, 13:16) Kurt Knochner ♦
Hm... that sounds like a temporary network problem, as if there were a wrong ARP entry for your default gateway. While the problem occurs, please check on your client whether the ARP entry for 192.168.0.1 shows the Netgear MAC address.
If it's not the ARP entry, please add the information I was asking for in my last comment. (08 Oct '13, 14:00) Kurt Knochner ♦
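The check Kurt describes above (which destination MAC each flow was handed to, and whether off-LAN traffic went to the gateway's MAC) can be made repeatable. The following is an added example, not code from the thread or from Wireshark: a small Python script that walks a classic pcap file without any third-party library, groups destination MACs by TCP destination port, and flags every packet bound for an address outside the LAN that was not sent to the gateway's MAC. The pcap bytes, MAC addresses and IP addresses it uses are constructed for the example; on a real capture, replace SAMPLE_PCAP with the file's contents and GATEWAY_MAC with the address your ARP table shows for 192.168.0.1 (for example from `ip neigh show 192.168.0.1`).

```python
import ipaddress
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def iter_tcp_packets(pcap_bytes):
    """Yield one dict per Ethernet/IPv4/TCP packet in a classic (non-pcapng) pcap."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"          # little-endian file
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"          # big-endian file
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap_bytes[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) is supported")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
            continue                           # not IPv4 over Ethernet
        ip = frame[14:]
        if len(ip) < 20:
            continue
        ihl = (ip[0] & 0x0F) * 4               # IPv4 header length in bytes
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        yield {
            "dst_mac": _mac(frame[:6]),
            "src_mac": _mac(frame[6:12]),
            "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
            "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
            "sport": sport,
            "dport": dport,
        }


def macs_by_port(pcap_bytes):
    """Map TCP destination port -> sorted list of destination MACs seen for it."""
    seen = defaultdict(set)
    for pkt in iter_tcp_packets(pcap_bytes):
        seen[pkt["dport"]].add(pkt["dst_mac"])
    return {port: sorted(macs) for port, macs in seen.items()}


def off_gateway_packets(pcap_bytes, gateway_mac, local_net):
    """Return (dst_ip, dport, dst_mac) for packets leaving the LAN that were not sent
    to the gateway's MAC, i.e. a wrong ARP entry or a transparent redirect."""
    net = ipaddress.ip_network(local_net)
    gw = gateway_mac.lower()
    return [
        (p["dst_ip"], p["dport"], p["dst_mac"])
        for p in iter_tcp_packets(pcap_bytes)
        if ipaddress.ip_address(p["dst_ip"]) not in net and p["dst_mac"] != gw
    ]


# --- constructed sample data (not from the thread's capture) -----------------
CLIENT_MAC, GATEWAY_MAC, PROXY_MAC = "02:00:00:00:00:50", "02:00:00:00:00:01", "02:00:00:00:00:23"
LOCAL_NET = "192.168.0.0/24"


def _syn_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) \
        + struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1381222800 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap([
    # HTTPS to the Internet, but handed to the proxy's MAC: this is the anomaly
    _syn_frame(PROXY_MAC, CLIENT_MAC, "192.168.0.50", "198.51.100.10", 40001, 443),
    # POP3S to the Internet, correctly handed to the gateway's MAC
    _syn_frame(GATEWAY_MAC, CLIENT_MAC, "192.168.0.50", "203.0.113.5", 40002, 995),
    # explicit proxy traffic on the LAN itself: proxy MAC is expected here
    _syn_frame(PROXY_MAC, CLIENT_MAC, "192.168.0.50", "192.168.0.23", 40003, 3128),
])

if __name__ == "__main__":
    for port, macs in sorted(macs_by_port(SAMPLE_PCAP).items()):
        print(f"dport {port}: sent to {', '.join(macs)}")
    for dst_ip, dport, mac in off_gateway_packets(SAMPLE_PCAP, GATEWAY_MAC, LOCAL_NET):
        print(f"off-LAN {dst_ip}:{dport} went to {mac}, not the gateway {GATEWAY_MAC}")
```

The per-port view reproduces the comparison in the answer (443 to one MAC, 995 to another); the off-gateway check is the more general test, since any Internet-bound packet that is not addressed to the router's MAC means either the client's ARP entry for the gateway is wrong or something on the client is steering that traffic to another host.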
The capture file contains only traffic for the POP3S port (995). So, yes it is SSL, but unrelated to a proxy and/or a browser (chrome). Maybe a user downloaded his mail via POP3S. Are you sure you posted the right capture file?
Oops, yeah, not sure what I was thinking. Should have at least looked at the remote address and seen that it's one of mine :)
Anyway, I was able to capture another set, this time (I hope) more to the point.
Here it is: https://docs.google.com/file/d/0B8FF7jZJwuoUVmFzNmFrQkQ3QWc/edit?usp=sharing
I already see that the proxy somehow wedges in on the SSL conversation ("Gremlins ate your request" is a message from our proxy), but I'm not sure why.
Thanks for any insight.