
Why does a TLS 1.2 call take 2 TCP/IP connections?

All, I have an HP VuGen client that is using 2 TCP/IP connections to do the TLS v1.2 handshake with my server when mutual authentication is enabled.

According to Wireshark, the sequence is approximately this:

  1. Client SYN
  2. TLS v1.2 client hello
  3. Server sends server hello, certificate, server key exchange, certificate request, server hello done
  4. Client FINs the old connection
  5. Client SYNs a new connection
  6. Server handshake failure on the old connection (out of order packet)
  7. TLS v1.2 client hello
  8. Server hello, certificate, server key exchange, certificate request, server hello done
  9. (everything is ok after this)

Neither OpenSSL nor a standalone Java client exhibits this same behavior. When the server asks for the client certificate the first time, they send it.

With VuGen, I can't see anything different about the two client hello messages, nor the server responses. There are definitely two connections, though, because there are 2 FINs from the client using 2 different outbound ports.

I would like to prevent this because I don't think our production clients do this (since neither OpenSSL nor a Java app does it).

FWIW, it doesn't matter whether I go through a load balancer or not. I get the same behavior.

I believe this has something to do with the server asking for the client certificate because the same server has another non-MA port open that is otherwise configured the same and the VuGen client only makes a single connection there.

Thanks


Re: Why does a TLS 1.2 call take 2 TCP/IP connections?

To change this behavior, go to the default.cfg configuration file and place the following entry within the [Web] section:

SetClientCertImmediately=Yes

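The following script is an added example and is not part of the thread above or of VuGen itself. It reproduces the Wireshark-level check the question describes in code: it groups a tshark field export by the client's ephemeral port and flags any connection in which the server sent a CertificateRequest but the client closed the connection (FIN) without ever sending a Certificate message, which is exactly the "abandon and reconnect" pattern listed in steps 3 to 5. The same script verifies the fix: after setting SetClientCertImmediately=Yes and capturing again, it should report one connection and no abandoned handshakes. Assumptions: the server listens on port 443, and the input has the column layout of `tshark -r cap.pcap -T fields -e frame.number -e tcp.srcport -e tcp.dstport -e tcp.flags.syn -e tcp.flags.fin -e tls.handshake.type` (tab-separated; several handshake messages in one record appear comma-separated). The embedded sample is constructed to mirror the sequence in the question, not a real capture.

```python
"""Spot the 'close and reconnect after CertificateRequest' pattern in a
tshark field export of a TLS 1.2 mutual-authentication handshake.

Added example; not code from the forum thread or from VuGen.
"""
from collections import defaultdict
from typing import Dict, List

SERVER_PORT = 443  # assumption: the TLS server listens on 443

# TLS 1.2 handshake message types (RFC 5246, section 7.4)
CLIENT_HELLO = 1
CERTIFICATE = 11
CERTIFICATE_REQUEST = 13

# Constructed sample in the assumed tshark layout:
# frame  srcport  dstport  tcp.flags.syn  tcp.flags.fin  tls.handshake.type
# Port 50001: client hello, server asks for a cert, client FINs instead.
# Port 50002: new connection, client sends Certificate (11) and completes.
SAMPLE = (
    "1\t50001\t443\t1\t0\t\n"
    "2\t443\t50001\t1\t0\t\n"
    "3\t50001\t443\t0\t0\t1\n"
    "4\t443\t50001\t0\t0\t2,11,12,13,14\n"
    "5\t50001\t443\t0\t1\t\n"
    "6\t50002\t443\t1\t0\t\n"
    "7\t443\t50002\t1\t0\t\n"
    "8\t50002\t443\t0\t0\t1\n"
    "9\t443\t50002\t0\t0\t2,11,12,13,14\n"
    "10\t50002\t443\t0\t0\t11,16,15\n"
    "11\t50002\t443\t0\t0\t20\n"
    "12\t50002\t443\t0\t1\t\n"
)


def _truthy(field: str) -> bool:
    # tshark prints booleans as 1/0 in older releases, True/False in newer ones
    return field.strip() in ("1", "True")


def _handshake_types(field: str) -> List[int]:
    # several handshake messages in one TLS record are comma-separated
    return [int(t) for t in field.split(",") if t.strip()]


def analyze(export: str) -> Dict[int, dict]:
    """Per client port: which handshake milestones were seen and who closed."""
    conns = defaultdict(lambda: {"syn": False, "client_hello": False,
                                 "cert_request": False, "client_cert": False,
                                 "client_fin": False, "frames": []})
    for line in export.splitlines():
        if not line.strip():
            continue
        frame, src, dst, syn, fin, hs = line.split("\t")
        src, dst = int(src), int(dst)
        from_client = dst == SERVER_PORT
        port = src if from_client else dst  # key on the client's ephemeral port
        conn = conns[port]
        conn["frames"].append(int(frame))
        types = _handshake_types(hs)
        if from_client:
            conn["syn"] |= _truthy(syn)
            conn["client_fin"] |= _truthy(fin)
            conn["client_hello"] |= CLIENT_HELLO in types
            conn["client_cert"] |= CERTIFICATE in types
        else:
            conn["cert_request"] |= CERTIFICATE_REQUEST in types
    return dict(conns)


def abandoned_after_cert_request(export: str) -> List[int]:
    """Client ports that were asked for a certificate, never sent one, and FIN'd."""
    return sorted(port for port, c in analyze(export).items()
                  if c["cert_request"] and not c["client_cert"] and c["client_fin"])


def connection_count(export: str) -> int:
    """Number of TCP connections the client opened toward the server."""
    return sum(1 for c in analyze(export).values() if c["syn"])


if __name__ == "__main__":
    print("connections opened:", connection_count(SAMPLE))
    for port in abandoned_after_cert_request(SAMPLE):
        frames = analyze(SAMPLE)[port]["frames"]
        print(f"port {port}: closed after CertificateRequest without sending a "
              f"Certificate (frames {frames[0]}-{frames[-1]})")
```

Run it against a real export by piping `tshark ... -T fields ...` output into `analyze()` in place of `SAMPLE`. A healthy mutual-auth client, or VuGen after the `SetClientCertImmediately=Yes` change, should yield a connection count of 1 for a single request and an empty list from `abandoned_after_cert_request()`.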