Unable to complete SSL/TLS handshake


NotionCommotion

I have the following script.

<?php
$loop = \React\EventLoop\Factory::create();
$server = new \React\Socket\TcpServer('0.0.0.0:1337', $loop);
// stream context options for the TLS layer (stray closing bracket removed)
$arr = ['local_cert' => '/etc/pki/tls/certs/crt.pem', 'local_pk' => '/etc/pki/tls/private/pk.pem'];
$server = new \React\Socket\SecureServer($server, $loop, $arr);
$server->on('connection', function (\React\Socket\ConnectionInterface $conn) {
    // LengthPrefixStream: user-defined wrapper around the connection (not part of ReactPHP)
    $connStream = new LengthPrefixStream($conn);
    $connStream->on('data', function ($data) use ($connStream) {
        //...
    });
    // the connection's error event passes only the exception, so $conn is captured via use()
    $conn->on('error', function ($error) use ($conn) {
        //Log error
        $conn->close();
    });
});

// emitted when accepting a new client fails; the listener itself keeps running
$server->on('error', function ($error) use ($loop) {
    //Log error => Unable to complete SSL/TLS handshake
});
$loop->run();

Occasionally, I experience an "Unable to complete SSL/TLS handshake".  According to https://github.com/reactphp/socket:

The error event will be emitted whenever there's an error accepting a new connection from a client.

$server->on('error', function (Exception $e) {
    echo 'error: ' . $e->getMessage() . PHP_EOL;
});

Note that this is not a fatal error event, i.e. the server keeps listening for new connections even after this event.

 

 

So, I do nothing.  But the client experiences socket error: Connection reset by peer

 

What might be causing this and how do I prevent it?

 

I suppose I can stop the loop and restart it, but that seems a little excessive.  Maybe move the $server on error callback inside the on connect call back so I can access the specific client connection and close just that?

 

Thanks


First you have to figure out why there's an error. Client not connecting with SSL support? Invalid certificates?

 

 

Agree!

 

Client connects.  All is good.  Client can write to server and the reverse.  Chatty, chatty, chatty...  So, client has SSL support and certificates (by the way, they are self-signed) are valid.

 

But then, this event happens after several hours.  So, not lack of client SSL support or valid certificates, but something is amiss.

 

How can I gather more information to determine what is causing it?

 

Thanks


The handshake only happens at the beginning of the connection, not after it's already been established. So there's a new connection being attempted.

 

Basic troubleshooting strategies apply. Is it the same client every time? Happen regularly or randomly? What else is happening on the server and client around that time? What, if anything, do you have to do (on either end) once this happens to make everything work again?

 

Also look at system logs. Especially the server's, but you might as well check the client's too.

 

openssl_error_string() should give some information, though it might not be terribly helpful. Might also be the same error message you already have. Might not even return anything, if React already checked it.
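As an added illustration (not code from this thread or from reactphp/socket), here is one way to wire the suggestion above into the server from the first post: the error handler drains OpenSSL's error queue with openssl_error_string() and writes everything with a timestamp so it can be lined up with system logs later. The log path and the Composer autoload line are assumptions.

```php
<?php
// Added example (not the thread's code). Assumes react/socket 1.x with the
// Factory-based loop API used in the question and a Composer autoloader.
require __DIR__ . '/vendor/autoload.php';

// openssl_error_string() pops one entry off OpenSSL's error queue per call and
// returns false once the queue is empty, so drain it fully or stale entries
// from an earlier failure get attributed to the next one.
function collectOpensslErrors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

// Log the handshake failure with a timestamp so it can be correlated with
// dmesg/system logs from the same moment. The log path is an assumption.
function logHandshakeFailure(\Exception $e): void
{
    $openssl = collectOpensslErrors();
    $line = sprintf("%s handshake error: %s; openssl queue: %s\n",
        date('c'), $e->getMessage(), $openssl ? implode(' | ', $openssl) : 'empty');
    file_put_contents('/var/log/tlsserver.log', $line, FILE_APPEND | LOCK_EX);
}

$loop = \React\EventLoop\Factory::create();
$tcp = new \React\Socket\TcpServer('0.0.0.0:1337', $loop);
$server = new \React\Socket\SecureServer($tcp, $loop, [
    'local_cert' => '/etc/pki/tls/certs/crt.pem',
    'local_pk'   => '/etc/pki/tls/private/pk.pem',
]);
$server->on('connection', function (\React\Socket\ConnectionInterface $conn) {
    // per-connection handling as in the original script
});
// Not fatal: the listener stays up. Just record enough context to investigate.
$server->on('error', 'logHandshakeFailure');
$loop->run();
```

If the queue is always empty, ReactPHP has already consumed the OpenSSL errors and the exception message is all you will get from this side.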


The handshake only happens at the beginning of the connection...  Thanks

Basic troubleshooting strategies apply.  Agree, but my current lack of clues is making this difficult.

 

Is it the same client every time?  No

 

Happen regularly or randomly? No pattern yet found.

 

What else is happening on the server and client around that time? Nothing yet identified.

 

What, if anything, do you have to do (on either end) once this happens to make everything work again?  Nothing required on server.  For client, I need to manually run the file.  Guess I can create a cron to do so, but doing so is just a band aid.

Also look at system logs. Especially the server's, but you might as well check the client's too.  I've been looking at some of the logs.  Any recommended specific logs?

openssl_error_string() should give some information...  Thanks I am now doing so, and am waiting for the event to happen again.


This may just end up being one of those things you can't explain (yet) and just have to anticipate. Retrying the connection after a short delay should work; worst case would be having to restart the script.

 

I've been looking at some of the logs.  Any recommended specific logs?

Besides PHP's, the logs for general system operation like dmesg and kernel. Basically any besides those for specific services - if you look shortly after the error happens then there shouldn't be too many that have been updated in that timeframe.

 

Are you still going through an SSH tunnel? If so look into problems with that, which adds the sshd log on the server to the list of files to check. Turning on verbose logging (to a file) on the client may or may not be possible and/or useful, I don't know.
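The "retry after a short delay" advice above, as an added client-side example (not code from this thread or from reactphp/socket). Because the thread's certificate is self-signed, the client trusts that one certificate explicitly via cafile rather than switching peer verification off. The server host name, the certificate path and the autoload line are assumptions.

```php
<?php
// Added example (not the thread's code). Assumes react/socket 1.x with the
// Factory-based loop API, and that a copy of the server's self-signed
// certificate is available locally so it can be trusted explicitly.
require __DIR__ . '/vendor/autoload.php';

$loop = \React\EventLoop\Factory::create();
$connector = new \React\Socket\Connector($loop, [
    // pin the self-signed server certificate instead of disabling verification
    'tls' => ['cafile' => '/etc/pki/tls/certs/server-selfsigned.pem'],
]);

function connectWithRetry(\React\Socket\ConnectorInterface $connector,
                          \React\EventLoop\LoopInterface $loop, int $delaySeconds = 5): void
{
    // schedule one reconnect attempt after the delay; no tight loop on failure
    $retry = function () use ($connector, $loop, $delaySeconds) {
        $loop->addTimer($delaySeconds, function () use ($connector, $loop, $delaySeconds) {
            connectWithRetry($connector, $loop, $delaySeconds);
        });
    };
    $connector->connect('tls://server.example.net:1337')->then(
        function (\React\Socket\ConnectionInterface $conn) use ($retry) {
            // Normal traffic goes here. When the server drops the connection
            // ("Connection reset by peer" in the thread) the close event fires
            // and a reconnect is scheduled instead of the script ending.
            $conn->on('close', $retry);
        },
        function (\Exception $e) use ($retry) {
            // Connect or TLS handshake failed: log it and try again later.
            error_log(date('c') . ' connect failed: ' . $e->getMessage());
            $retry();
        }
    );
}

connectWithRetry($connector, $loop);
$loop->run();
```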


This may just end up being one of those things you can't explain (yet) and just have to anticipate. Retrying the connection after a short delay should work; worst case would be having to restart the script.

 

Besides PHP's, the logs for general system operation like dmesg and kernel. Basically any besides those for specific services - if you look shortly after the error happens then there shouldn't be too many that have been updated in that timeframe.

 

Are you still going through an SSH tunnel? If so look into problems with that, which adds the sshd log on the server to the list of files to check. Turning on verbose logging (to a file) on the client may or may not be possible and/or useful, I don't know.

 

I see entries for the first few seconds (solid state hd goes fast), then nothing.  dmesg is just server start log, right?  I don't seem to have a kernel log.  Is this not the same as dmesg?  Specific services?  I looked through /var/log, and nothing jumped out.

 

No, not going through SSH tunnel.

 

Appreciate the help.  This is really aggravating.
