Thursday, November 29, 2018

Unstable ssl connections over ikev2 VPN

Hello

I have been having trouble getting an openBSD laptop to connect to ssl
connections when communicating over ikev2.

In general terms (since I don't know exactly what specifics would be
important), this is what I observe:

1. OpenBSD laptop has no issues connecting to imaps or https on an OpenBSD
server when connected to the local network over wireless connection. For
example:

$ openssl s_client -state -connect name.tld:imaps
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
.
.
.
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
.
.
.
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4779 bytes and written 281 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
.
.
.
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP
ready. Copyright 1998-2017 Double Precision, Inc. See COPYING for
distribution information.


2. Apple iOS devices have no issues connecting to imaps/https on openbsd
server, when connected to the local network.

3. OpenBSD laptop, when connected remotely using iked is unable to complete
ssl connection _most_ of the time (by this, I would guesstimate about 95%+
of the connections to imaps "hang," and about 75%+ of the connections to
https "hang"). This occurs at one of two places. Either:

$ openssl s_client -state -connect name.tld:imaps
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A

... and that's it. Or:

$ openssl s_client -state -connect name.tld:imaps
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
.
.
.
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data

... and nothing more. However, using nc to connect to the non-ssl imap port
appears to work (both locally and over the ikev2 VPN):

$ nc name.tld imap
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT
THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready.
Copyright 1998-2017 Double Precision, Inc. See COPYING for distribution
information.


4. Apple iOS devices, when connected (using ssl) over iked VPN appear to be
much more reliable. While there are times when they appear to "hang" when
connecting, it seems like it happens < 20% of the time.

I don't use my laptop remotely very often; the last time I did was about 4-5
months ago. At that point, I was able to connect to imaps much more
reliably (basically, the mail client worked over imaps, and there was no
reason to investigate anything).

I don't think this is a pf issue, since the connection attempts over ssl get
an initial response.

I tried dropping the mtu on the openbsd laptop's wireless adapter to 1200;
but that did not seem to change anything.

I guess I don't really have much of an idea how to investigate this further.


Any suggestions on how to proceed would be great.

Thanks
Ted
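Added note and example, not part of Ted's post: the two stall points above (just after the server hello, i.e. right before the certificate flight, or after the client's first full flight) are the first moments in a TLS handshake where full-size TCP segments appear, while the plaintext IMAP banner fetched with nc fits in a single small packet. That pattern is the classic signature of a path MTU that is smaller inside an ESP tunnel than the endpoints assume, because ESP adds outer IP, optional UDP (NAT-T), SPI/sequence, IV, padding and ICV bytes to every inner packet. The calculator below works out that budget for a few representative ESP transforms; the transform parameters (IV, ICV and alignment sizes) are standard ESP values assumed here, not something reported in the post, and the preset names are illustrative.

```python
"""ESP tunnel-mode size budget: how big an inner packet can be before the
outer ESP packet exceeds the path MTU, and what TCP MSS that implies.

Layout per RFC 4303 (tunnel mode):
  outer IP | [UDP 4500 if NAT-T] | SPI(4) Seq(4) | IV | inner IP packet |
  padding | pad-length(1) next-header(1) | ICV
"""
from dataclasses import dataclass

IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
ESP_HEADER = 8          # SPI + sequence number
ESP_TRAILER = 2         # pad length + next header
TCP_HEADER = 20         # without options


@dataclass(frozen=True)
class EspParams:
    name: str
    iv_len: int   # explicit IV bytes following the ESP header
    icv_len: int  # integrity check value bytes at the end
    align: int    # (inner + padding + trailer) must be a multiple of this


# Representative transforms (assumed values typical for IKEv2 ESP SAs).
AES_GCM_16 = EspParams("aes-gcm-16", iv_len=8, icv_len=16, align=4)
AES_CBC_HMAC_SHA2_256 = EspParams("aes-cbc/hmac-sha2-256", iv_len=16, icv_len=16, align=16)
AES_CBC_HMAC_SHA1 = EspParams("aes-cbc/hmac-sha1-96", iv_len=16, icv_len=12, align=16)


def esp_padding(inner_len: int, params: EspParams) -> int:
    """Padding bytes needed so inner + padding + trailer hits the alignment."""
    return (-(inner_len + ESP_TRAILER)) % params.align


def _fixed_overhead(params: EspParams, nat_t: bool, outer_v6: bool) -> int:
    outer_ip = IPV6_HEADER if outer_v6 else IPV4_HEADER
    return outer_ip + (UDP_HEADER if nat_t else 0) + ESP_HEADER + params.iv_len + params.icv_len


def esp_outer_len(inner_len: int, params: EspParams, nat_t: bool = True,
                  outer_v6: bool = False) -> int:
    """Size on the wire of the outer packet carrying an inner packet of inner_len."""
    return (_fixed_overhead(params, nat_t, outer_v6) + inner_len
            + esp_padding(inner_len, params) + ESP_TRAILER)


def max_inner_len(outer_mtu: int, params: EspParams, nat_t: bool = True,
                  outer_v6: bool = False) -> int:
    """Largest inner packet whose outer ESP packet still fits in outer_mtu."""
    room = outer_mtu - _fixed_overhead(params, nat_t, outer_v6)
    if room < params.align:
        raise ValueError("outer MTU too small for this transform")
    aligned = room - (room % params.align)   # largest aligned payload block
    return aligned - ESP_TRAILER


def tcp_mss_for(outer_mtu: int, params: EspParams, nat_t: bool = True,
                outer_v6: bool = False, inner_v6: bool = False) -> int:
    """TCP MSS a host should use so its segments never need fragmenting in the tunnel."""
    inner_ip = IPV6_HEADER if inner_v6 else IPV4_HEADER
    return max_inner_len(outer_mtu, params, nat_t, outer_v6) - inner_ip - TCP_HEADER


if __name__ == "__main__":
    for p in (AES_GCM_16, AES_CBC_HMAC_SHA2_256, AES_CBC_HMAC_SHA1):
        print(f"{p.name:24} 1500-byte inner packet -> {esp_outer_len(1500, p)} bytes on the wire; "
              f"max inner {max_inner_len(1500, p)}, safe TCP MSS {tcp_mss_for(1500, p)}")
```

A full 1500-byte inner segment, such as one carrying a server certificate chain, comes out at 1564 bytes on the wire with AES-GCM over NAT-T, so it cannot cross a 1500-byte path without fragmentation or a working PMTU signal. When comparing against a live tunnel, the computed maximum inner size is the value to check with a don't-fragment ping to the far end, and the MSS figure is what an MSS clamp on the gateway or the client needs to enforce for the transform actually negotiated.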
