firefox 2 (but not 1.5) hangs with https


On 30.11.2006 22:00:49 by Adrian Bridgett

I've been banging my head for a day or so on this. We have a website
and when I surf it with firefox 2.0, I see a bunch of requests, then a
large gap when nothing happens, then another bunch of request, then a
gap. I can't think what's different on this setup as to why I can't see
other people reporting the same thing. We only noticed it recently,
although that's not to say that it wasn't there before. I've gone
through all the FAQs and google searches I can think of :(

This worked okay on firefox 1.5 (1.5.dfsg+1.5.0.7-2 from debian), but
we've also seen this behaviour on MSIE (7.0 I think).

The gaps are as long as KeepAliveTimeout is set to in apache.conf
(15sec normally) if I change it to 5 seconds then the gaps also drop to
5 seconds. The file in question is always a flash (.swf) file, the
request times I see are like this:

17:22:28
17:22:29
17:22:30
17:22:31
17:22:46
17:23:01
17:23:16
(every 15secs until page is loaded)

The server is Debian stable, completely up to date, I've tried
everything I can find:

- SSLRandomSeed was set to urandom (startup) and builtin (connect)
I've tried setting this to both urandom and builtin across the board

- I've changed the Sessioncache from dbm to shmcb, shmht, none

- I've removed some external URLs which were occurring and that's not
helped at all either.

- I've tried matching the User-Agent and turning off keepalive, all
three shutdowns, etc.

Apache - 2.0.54
openssl - 0.9.7e-3sarge4

With info level debugging I'm seeing this:
[Thu Nov 30 10:16:22 2006] [info] (70007)The timeout specified has
expired: SSL input filter read failed. (lots!)
.....
[Thu Nov 30 17:22:31 2006] [info] (104)Connection reset by peer:
core_output_filter: writing data to the network
[Thu Nov 30 17:22:31 2006] [info] (104)Connection reset by peer: SSL
output filter write failed.
[Thu Nov 30 17:22:32 2006] [info] (104)Connection reset by peer:
core_output_filter: writing data to the network
[Thu Nov 30 17:22:32 2006] [info] (104)Connection reset by peer: SSL
output filter write failed.
[Thu Nov 30 17:22:42 2006] [info] (70014)End of file found: SSL input
filter read failed.

Other message which might explain things are:
[Thu Nov 30 17:22:31 2006] [info] Connection to child 1 established
(server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 17:23:23 2006] [info] Connection to child 1 established
(server staging.truphone.com:443, client 84.65.175.231)

(no messages about it being shutdown in the middle - done silently in
those error messages?)

One last log which is probably a little clearer. I've turned off
keepalive, pipelining, set all requests to 1 on the browser:

[Thu Nov 30 18:29:19 2006] [info] Connection to child 6 established
(server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:19 2006] [info] Seeding PRNG with 512 bytes of entropy
[Thu Nov 30 18:29:19 2006] [info] Connection to child 6 closed with
standard shutdown(server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:19 2006] [info] Connection to child 3 established
(server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:19 2006] [info] Seeding PRNG with 512 bytes of entropy
[Thu Nov 30 18:29:20 2006] [info] Connection to child 3 closed with
standard shutdown(server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:20 2006] [info] Connection to child 8 established
(server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:20 2006] [info] Seeding PRNG with 512 bytes of entropy
<< now the browser sits waiting, no network traffic >>
[Thu Nov 30 18:29:35 2006] [info] Connection to child 8 closed with
standard shutdown(server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:35 2006] [info] Connection to child 1 established
(server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:35 2006] [info] Seeding PRNG with 512 bytes of entropy
<< data is transferred, then waiting browser, no traffic >>
[Thu Nov 30 18:29:50 2006] [info] Connection to child 1 closed with
standard shutdown(server staging.truphone.com:443, client 81.5.177.202)

So the session seems to be used, but instead of being reused, the
browser sits there, eventually the server kills the session and the
browser then continues..

Is there a way I can sniff the TLS/SSL traffic? I've tried ssldump
but it looks like it only works with certain ciphers.

Any suggestion as to other things to try would be most appreciated!

Many thanks,

Adrian
--
Adrian Bridgett - adrian@smop.co.uk
GPG key available on public key servers
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
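The "established"/"closed with standard shutdown" pairs in the last log above already contain the diagnosis: with keepalive off, a connection that stays open for ~15 s is one where the peer sat silent, not one the server was slow to serve. The script below is an added example (not from the original post or from mod_ssl) that parses mod_ssl info-level lines, pairs each open with its close per child and client, and flags connections that lived longer than a threshold. The sample input is the post's own log lines, rejoined onto single lines as Apache writes them; the 10 s threshold is an assumed value.

```python
import re
from datetime import datetime

# Constructed sample: the mod_ssl [info] lines quoted in the post above, with the
# wrapped "(server ..., client ...)" parts rejoined onto one line each.
SAMPLE_LOG = """\
[Thu Nov 30 18:29:19 2006] [info] Connection to child 6 established (server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:19 2006] [info] Seeding PRNG with 512 bytes of entropy
[Thu Nov 30 18:29:19 2006] [info] Connection to child 6 closed with standard shutdown(server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:19 2006] [info] Connection to child 3 established (server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:19 2006] [info] Seeding PRNG with 512 bytes of entropy
[Thu Nov 30 18:29:20 2006] [info] Connection to child 3 closed with standard shutdown(server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:20 2006] [info] Connection to child 8 established (server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:20 2006] [info] Seeding PRNG with 512 bytes of entropy
[Thu Nov 30 18:29:35 2006] [info] Connection to child 8 closed with standard shutdown(server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:35 2006] [info] Connection to child 1 established (server staging.truphone.com:443, client 81.5.177.202)
[Thu Nov 30 18:29:35 2006] [info] Seeding PRNG with 512 bytes of entropy
[Thu Nov 30 18:29:50 2006] [info] Connection to child 1 closed with standard shutdown(server staging.truphone.com:443, client 81.5.177.202)
"""

# Note the missing space in "shutdown(server": \s* tolerates both spellings.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[info\] Connection to child (?P<child>\d+) "
    r"(?P<event>established|closed with standard shutdown)"
    r"\s*\(server (?P<server>[^,]+), client (?P<client>[^)]+)\)"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_events(log_text):
    """Yield (timestamp, child, 'open'|'close', client) for connection lifecycle lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # PRNG seeding, filter errors etc. are not lifecycle events
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        event = "open" if m.group("event") == "established" else "close"
        yield ts, m.group("child"), event, m.group("client")


def connection_lifetimes(log_text):
    """Pair each 'established' with the next close for the same (child, client).
    Returns [(child, client, seconds_open), ...] in close order."""
    open_at = {}
    lifetimes = []
    for ts, child, event, client in parse_events(log_text):
        key = (child, client)
        if event == "open":
            open_at[key] = ts
        elif key in open_at:
            lifetimes.append((child, client, (ts - open_at.pop(key)).total_seconds()))
    return lifetimes


def stalled_connections(log_text, threshold_s=10.0):
    """Connections open for at least threshold_s (assumed 10 s here). With keepalive
    off, a long-lived connection means the peer went quiet, not that the server stalled."""
    return [lt for lt in connection_lifetimes(log_text) if lt[2] >= threshold_s]


if __name__ == "__main__":
    for child, client, secs in connection_lifetimes(SAMPLE_LOG):
        flag = "  <-- stalled" if secs >= 10 else ""
        print(f"child {child} client {client}: open {secs:4.0f}s{flag}")
```

Run against a real error_log with `connection_lifetimes(open("error_log").read())`; the interesting output is which connections stall (children 8 and 1 in the sample, both at 15 s), which points at the client side rather than at SSLRandomSeed or the session cache.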

Re: firefox 2 (but not 1.5) hangs with https

On 01.12.2006 14:47:41 by Adrian Bridgett

On Thu, Nov 30, 2006 at 21:00:49 +0000 (+0000), adrian wrote:
[snip]
> The gaps are as long as KeepAliveTimeout is set to in apache.conf
> (15sec normally) if I change it to 5 seconds then the gaps also drop to
> 5 seconds. The file in question is always a flash (.swf) file, the
> request times I see are like this:

I think that bit was sheer luck, it seems to be unrelated (which makes
more sense since I've turned KA off to try and debug what's going on).

I've changed all my browser settings down to the bare minimum - no
persistent connections, 1 connection at once, no pipelining etc.

What I can see is after the initial syn, syn/ack, ack from the
browser, there is typically a wait of just under 15s until it sends
Client Hello.

I wondered if this was due to lack of entropy so I've symlinked
/dev/random to /dev/urandom temporarily (no help), and I've tried
wiggling the mouse around (not sure where firefox gets randomness
from). This hasn't helped either.

OTOH I'm surprised no-one else has seen this, but since the file in
question is .swf fetched via javascript, maybe that's why? Trying a
dummy page with just 50 images on it, the client hello is always
instantaneous.

Very puzzling (well to me at least :-))

Adrian
--
Adrian Bridgett - adrian@smop.co.uk
GPG key available on public key servers
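The delay reported above (TCP handshake completes, then nothing until the Client Hello) can be confirmed without decrypting anything, since both the handshake and the first TLS record are cleartext; ssldump is only needed, and only works, when the server's RSA private key can recover the session, which is the cipher limitation the first post ran into. The following is an added example, not code from the original thread: a minimal listener that accepts one connection and times how long the peer takes to send its first bytes, plus a check that those bytes are a TLS handshake record carrying a ClientHello. The simulated client, the constructed ClientHello bytes and the port choice are assumptions for running it stand-alone.

```python
import socket
import threading
import time

# Constructed minimal TLS 1.0 record: content type 0x16 (handshake), version 3.1,
# record length 4, then handshake type 0x01 (ClientHello) with a zero body length.
# Only the first six bytes matter to the classifier; a real hello is much longer.
FAKE_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00])


def looks_like_client_hello(data):
    """True for a TLS handshake record (0x16, major version 3) whose first
    handshake message is a ClientHello (0x01). SSLv2-format hellos are not handled."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def accept_and_time_first_record(listener, timeout_s=30.0):
    """Accept one TCP connection and measure accept() -> first bytes from the peer.
    Returns (seconds, first_bytes); seconds is None if the peer stayed silent."""
    conn, _peer = listener.accept()
    try:
        conn.settimeout(timeout_s)
        accepted = time.monotonic()
        try:
            data = conn.recv(4096)
        except socket.timeout:
            return None, b""
        return time.monotonic() - accepted, data
    finally:
        conn.close()


def measure_with_simulated_client(client_delay_s, payload=FAKE_CLIENT_HELLO):
    """Self-contained run: local listener on an ephemeral port plus a client thread
    that connects, idles for client_delay_s (simulating the browser's pause), then
    sends payload. Returns (seconds_until_first_record, is_client_hello)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def client():
        s = socket.create_connection(("127.0.0.1", port))
        time.sleep(client_delay_s)
        s.sendall(payload)
        s.close()

    t = threading.Thread(target=client)
    t.start()
    try:
        secs, data = accept_and_time_first_record(listener, timeout_s=client_delay_s + 5)
    finally:
        t.join()
        listener.close()
    return secs, looks_like_client_hello(data)


if __name__ == "__main__":
    # Against a real browser: bind the listener on the https port (root needed for 443),
    # point the browser at it and call accept_and_time_first_record(listener) directly;
    # a ~15 s result with is_client_hello True reproduces the gap described above.
    secs, hello = measure_with_simulated_client(0.5)
    print(f"first record after {secs:.2f}s, ClientHello={hello}")
```

The listener never completes a TLS handshake, so the browser will show an error after the measurement; the point is only to separate "client did not send" from "server did not answer", which is what the Apache logs cannot tell apart on their own.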