tcpcrypt
Browser connections hang when server tcpcryptd process restarted
Hello,
When tcpcryptd is restarted on the server while a tcpcrypt-enabled client is connected through a web browser, further page loads hang. I'm not sure at this point exactly why, but I would guess that either (1) established connections have packets dropped without the connection closing or (2) new connections attempt to reuse key material and fail due to loss of key material on the server end.
One real-life scenario where the server process could change would be when moving between load-balanced servers using the same IP. You would expect current TCP connections to drop and new ones to be formed for any subsequent requests after such a switch.
Client log (-vvv) from point server tcpcryptd restarted:
Ignoring established connection: 192.168.2.18:52050->192.168.2.201:80 52 AF [out] tc (nil)
Ignoring established connection: 192.168.2.201:80->192.168.2.18:52050 52 AF [in] tc (nil)
Ignoring established connection: 192.168.2.18:52050->192.168.2.201:80 52 A [out] tc (nil)
192.168.2.18:50572->120.138.19.204:80 584 A [out] tc 0x9fc8108
120.138.19.204:80->192.168.2.18:50572 52 A [in] tc 0x9fc8108
MAC failed -1
Last ack for 0xb75140e6
Gotta malloc 8
Gotta malloc 8
192.168.2.18:52072->192.168.2.201:80 60 S [out] tc 0x9fcb418
Can't find session for host
192.168.2.201:80->192.168.2.18:52072 60 SA [in] tc 0x9fcb418
Ignoring established connection: 192.168.2.18:52072->192.168.2.201:80 52 A [out] tc (nil)
Ignoring established connection: 192.168.2.18:52072->192.168.2.201:80 481 A [out] tc (nil)
Ignoring established connection: 192.168.2.201:80->192.168.2.18:52072 52 A [in] tc (nil)
Ignoring established connection: 192.168.2.201:80->192.168.2.18:52072 1500 A [in] tc (nil)
Ignoring established connection: 192.168.2.201:80->192.168.2.18:52072 568 A [in] tc (nil)
Ignoring established connection: 192.168.2.18:52072->192.168.2.201:80 52 A [out] tc (nil)
Ignoring established connection: 192.168.2.18:52072->192.168.2.201:80 52 A [out] tc (nil)
192.168.2.18:50572->120.138.19.204:80 584 A [out] tc 0x9fc8108
120.138.19.204:80->192.168.2.18:50572 52 A [in] tc 0x9fc8108
MAC failed -1
Ignoring established connection: 192.168.2.18:52072->192.168.2.201:80 52 AF [out] tc (nil)
Ignoring established connection: 192.168.2.201:80->192.168.2.18:52072 52 AF [in] tc (nil)
Ignoring established connection: 192.168.2.18:52072->192.168.2.201:80 52 A [out] tc (nil)
Server log (-vvv) after restart:
Initializing...
Gotta malloc 1384
Generating RSA keys
Generating RSA key: 2048 bits
Done generating RSA keys
Gotta malloc 16
Buffer size 2097152 wanted 1048576
Divert packets using iptables -j NFQUEUE --queue-num 666
Running
Ignoring established connection: 202.78.240.7:50572->120.138.19.204:80 608 A [in] tc (nil)
No timestamp provided in packet - expect low performance due to calls to gettimeofday
Ignoring established connection: 120.138.19.204:80->202.78.240.7:50572 52 A [out] tc (nil)
Ignoring established connection: 202.78.240.7:50572->120.138.19.204:80 608 A [in] tc (nil)
Ignoring established connection: 120.138.19.204:80->202.78.240.7:50572 52 A [out] tc (nil)
Ignoring established connection: 120.138.19.204:80->120.138.19.204:42761 60 SA [out] tc (nil)
Ignoring established connection: 120.138.19.204:80->120.138.19.204:42761 52 A [out] tc (nil)
Ignoring established connection: 120.138.19.204:80->120.138.19.204:42761 283 A [out] tc (nil)
Ignoring established connection: 120.138.19.204:80->120.138.19.204:42761 504 A [out] tc (nil)
Ignoring established connection: 120.138.19.204:80->120.138.19.204:42761 52 AF [out] tc (nil)
Ignoring established connection: 202.78.240.7:50572->120.138.19.204:80 608 A [in] tc (nil)
Ignoring established connection: 120.138.19.204:80->202.78.240.7:50572 52 A [out] tc (nil)
Ignoring established connection: 120.138.19.204:80->202.78.240.7:50572 52 AF [out] tc (nil)
Ignoring established connection: 120.138.19.204:80->202.78.240.7:50574 52 AF [out] tc (nil)
Ignoring established connection: 120.138.19.204:80->202.78.240.7:50572 52 AF [out] tc (nil)
Ignoring established connection: 120.138.19.204:80->202.78.240.7:50574 52 AF [out] tc (nil)
Ignoring established connection: 120.138.19.204:80->202.78.240.7:50572 52 AF [out] tc (nil)
Cheers,
Tim
P.S. How about creating a flattr account? I'd flattr this.
Client version: 91cce74067c35f90254ca787a744cbbbeea958ab
Server version: 892aee34546f16a1db3d89deea23b742b20cbacd
The same happens when the server firewall rules that send traffic through tcpcryptd are stopped while the browser has connections open. Is there any way to have this situation detected and drop / force reconnection with a new session?
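One way to spot this condition from the daemon's own -vvv output, as an added example that is not part of tcpcrypt or of this report: it walks the log, tracks which flows had a live tc session, and flags the ones that then hit "MAC failed", "Can't find session for host", or fall back to being ignored with tc (nil). The packet-line shape is taken from the logs above; the meaning of the fields is assumed.

```python
import re
from collections import defaultdict

# Packet lines of tcpcryptd -vvv output, in the shape quoted in this issue:
#   [Ignoring established connection: ]SRC->DST LEN FLAGS [in|out] tc PTR
PKT_RE = re.compile(
    r"^(?P<ignored>Ignoring established connection: )?"
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+) "
    r"(?P<len>\d+) (?P<flags>[A-Z]+) \[(?P<dir>in|out)\] tc (?P<tc>\S+)$"
)

def find_stale_sessions(lines):
    """Map flow -> sorted reasons: 'mac-failed' (packet on a live tc session
    failed its MAC), 'session-missing' (cached session not found on a new SYN),
    'unprotected' (flow that had a tc session later passed through as nil)."""
    reasons = defaultdict(set)
    had_session = set()  # flows seen with a non-nil tc pointer
    last = None          # flow of the most recent packet line
    for raw in lines:
        line = raw.strip()
        m = PKT_RE.match(line)
        if m:
            # direction-independent key so both halves of a connection match
            last = tuple(sorted((m["src"], m["dst"])))
            if m["tc"] != "(nil)":
                had_session.add(last)
            elif m["ignored"] and last in had_session:
                reasons[last].add("unprotected")
        elif last in had_session and line.startswith("MAC failed"):
            reasons[last].add("mac-failed")
        elif last in had_session and line.startswith("Can't find session"):
            reasons[last].add("session-missing")
    return {k: sorted(v) for k, v in reasons.items()}

# Constructed sample: an excerpt of the client log quoted in this issue.
SAMPLE = """\
Ignoring established connection: 192.168.2.18:52050->192.168.2.201:80 52 AF [out] tc (nil)
192.168.2.18:50572->120.138.19.204:80 584 A [out] tc 0x9fc8108
120.138.19.204:80->192.168.2.18:50572 52 A [in] tc 0x9fc8108
MAC failed -1
192.168.2.18:52072->192.168.2.201:80 60 S [out] tc 0x9fcb418
Can't find session for host
192.168.2.201:80->192.168.2.18:52072 60 SA [in] tc 0x9fcb418
Ignoring established connection: 192.168.2.18:52072->192.168.2.201:80 52 A [out] tc (nil)
""".splitlines()

if __name__ == "__main__":
    for flow, why in find_stale_sessions(SAMPLE).items():
        print(f"{flow[0]} <-> {flow[1]}: {', '.join(why)}")
```

Flows that only ever appear as "Ignoring established connection" with tc (nil), such as the 52050 connection in the sample, are never reported, since the daemon never had a session for them to lose.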