Cannot connect to website - SSL handshaking fails

2

So I cannot connect to certain websites. Just a few, most are OK. The one I really care about is paypal.com.

I have done the usual things. Let's see:

  • Cleared browsing history
  • Tried different browsers
  • Uninstalled and downloaded/installed fresh browser
  • System restored to before problem first occurred
  • Installed all system patches
  • Checked my etc/hosts
  • Flushed the DNS cache
  • Checked firewall
  • Switched on & off virus protection
  • Switched on and off ad blocking
  • pinged the sites
  • Connect directly to ISP access point without using router

Eventually, I decided to look at what curl is saying in detail

== Info: About to connect() to www.paypal.com port 443 (#0)
== Info:   Trying 66.211.169.2... == Info: connected
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 110 bytes (0x6e)
0000: 01 00 00 6a 03 01 4f 6c aa 8c 57 2b 3d 1e 74 64 ...j..Ol..W+=.td
0010: c1 27 25 a5 3a 12 7f 3f 41 0a 17 15 2e c9 67 7c .'%.:.?A.....g|
0020: b3 e1 f6 9a db a9 00 00 2a 00 39 00 38 00 35 00 ........*.9.8.5.
0030: 16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00 ......3.2./.....
0040: 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 ................
0050: 03 00 ff 01 00 00 17 00 00 00 13 00 11 00 00 0e ................
0060: 77 77 77 2e 70 61 79 70 61 6c 2e 63 6f 6d       www.paypal.com
(hangs here for ever)

This looks to me like paypal is refusing to reply to the first SSL handshake.

I don't know much about SSL, but comparing to the output from a site that works for me seems to make it obvious

== Info: About to connect() to www.cibc.com port 443 (#0)
== Info:   Trying 159.231.80.200... == Info: connected
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 108 bytes (0x6c)
0000: 01 00 00 68 03 01 4f 6c ad 6a 1f 67 d5 84 c4 4b ...h..Ol.j.g...K
0010: 0d 49 ae d6 b9 5b c3 63 f9 48 aa 18 da 43 d1 32 .I...[.c.H...C.2
0020: 47 ae 17 e5 cd e9 00 00 2a 00 39 00 38 00 35 00 G.......*.9.8.5.
0030: 16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00 ......3.2./.....
0040: 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 ................
0050: 03 00 ff 01 00 00 15 00 00 00 11 00 0f 00 00 0c ................
0060: 77 77 77 2e 63 69 62 63 2e 63 6f 6d             www.cibc.com
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 74 bytes (0x4a)
0000: 02 00 00 46 03 01 00 00 58 cf 26 e2 e1 65 db 11 ...F....X.&..e..
0010: bc 6f 26 7b 3b 6d eb 14 5f ad 47 dd 86 ea 4d a3 .o&{;m.._.G...M.
0020: fb 9f b7 2a 54 3e 20 5f 6b 04 5a 12 38 64 5d 18 ...*T> _k.Z.8d].
0030: 65 9e e9 cd 61 eb 91 c1 16 25 61 30 bb 08 2a 78 e...a....%a0..*x
0040: b8 ee b8 7e f2 65 6a 00 04 00                   ...~.ej...
== Info: SSLv3, TLS handshake, CERT (11):

... and so on - working nicely eventually get some nice HTML

Now I am really stuck. This has been going on for five days, so I am pretty sure that the problem is not with paypal. But what on my system could be interfering with the SSL handshaking done by curl with this particular site?

Next I installed WireShark to capture the packets being exchanged with paypal.com

No.     Time        Source                Destination           Protocol Length Info
    123 118.847059  192.168.100.3         66.211.169.14         TCP      66     59884 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
    124 118.982913  66.211.169.14         192.168.100.3         TCP      66     https > 59884 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1440 WS=1 SACK_PERM=1
    125 118.982981  192.168.100.3         66.211.169.14         TCP      54     59884 > https [ACK] Seq=1 Ack=1 Win=66240 Len=0
    126 118.983728  192.168.100.3         66.211.169.14         SSL      240    Client Hello
    129 119.373787  192.168.100.3         66.211.169.14         SSL      240    [TCP Retransmission] Client Hello
    132 119.560671  66.211.169.14         192.168.100.3         SSL      153    [TCP Previous segment lost] Continuation Data
    133 119.560714  192.168.100.3         66.211.169.14         TCP      66     [TCP Dup ACK 129#1] 59884 > https [ACK] Seq=187 Ack=1 Win=66240 Len=0 SLE=4381 SRE=4480

V-e-r-y interesting!

The client Hello is being retransmitted, after less than 0.5 secs. Why? Could this be confusing things? Can I control this somehow?

A reply is received from paypal, but is marked as 'previous fragment lost' which would seem to be my problem. How to solve it???

It seems that this might well be a network issue. It happens with two machines connected to this ISP. However, when I connect one of the machines showing the problem on this network to the internet at a friend's house who has a different ISP, the problem goes away!

(Note: How I connect to the internet (AFAIK). I connect the ethernet port on my computer to a small black box called a 'wireless access point'. This in turn is connected to what looks like a ruggedized ethernet cable connected to a microwave aerial on my roof, which connects through a series of microwave aerials to the internet.)

What do I say to the ISP? They will not believe that their network is interfering with the SSL handshaking from certain sites, but not others.

Here's a link to the Wireshark capture of SSL handshaking

ravenspoint

Posted 2012-03-23T19:14:11.477

Reputation: 121

@maweeras Thank you. I agree. See note at end of my question. – ravenspoint – 2012-03-25T13:46:32.953

"You should upload the netmon/wireshark trace of you attempting to connect to PayPal for someone here to analyse." I would be delighted to do so. Who? How? – ravenspoint – 2012-03-25T13:51:49.797

You can use something like www.skydrive.com to upload a file to a folder that you can share as public. Then once uploaded, update the post with a link to it. Don't blame the ISP. It's your network devices that I suspect at this stage. – maweeras – 2012-03-25T16:47:53.810

"Network devices"? I connect my computer to the access point with an ethernet cable. – ravenspoint – 2012-03-25T17:15:01.200

I will do so on Monday, when I am back at my desk. I will add what little I know about connecting to my ISP to my question. – ravenspoint – 2012-03-25T18:10:03.910

@maweeras link to wireshark capture added to question – ravenspoint – 2012-03-27T18:02:33.833
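An added example (not part of the original post or its comments): a short Python script that reads the Wireshark summary lines from the question and works out the retransmission delay and, from the SACK block (SLE/SRE) in the duplicate ACK, which bytes of the server's reply never reached the client. The function names are illustrative, and the sequence numbers are Wireshark's relative ones.

```python
import re

# Packet summary lines taken from the Wireshark listing in the question.
CAPTURE = """\
123 118.847059 192.168.100.3 66.211.169.14 TCP 66 59884 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
124 118.982913 66.211.169.14 192.168.100.3 TCP 66 https > 59884 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1440 WS=1 SACK_PERM=1
125 118.982981 192.168.100.3 66.211.169.14 TCP 54 59884 > https [ACK] Seq=1 Ack=1 Win=66240 Len=0
126 118.983728 192.168.100.3 66.211.169.14 SSL 240 Client Hello
129 119.373787 192.168.100.3 66.211.169.14 SSL 240 [TCP Retransmission] Client Hello
132 119.560671 66.211.169.14 192.168.100.3 SSL 153 [TCP Previous segment lost] Continuation Data
133 119.560714 192.168.100.3 66.211.169.14 TCP 66 [TCP Dup ACK 129#1] 59884 > https [ACK] Seq=187 Ack=1 Win=66240 Len=0 SLE=4381 SRE=4480
"""

def parse(text):
    """Split each summary line into its columns; the Info column keeps its spaces."""
    pkts = []
    for line in text.splitlines():
        no, t, src, dst, proto, length, info = line.split(None, 6)
        fields = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", info)}
        pkts.append(dict(no=int(no), t=float(t), src=src, dst=dst,
                         proto=proto, len=int(length), info=info, f=fields))
    return pkts

def analyse(text, client="192.168.100.3"):
    pkts = parse(text)
    out = {}
    syn = next(p for p in pkts if "[SYN]" in p["info"])
    synack = next(p for p in pkts if "[SYN, ACK]" in p["info"])
    out["rtt"] = round(synack["t"] - syn["t"], 6)      # handshake round trip
    out["client_mss"] = syn["f"]["MSS"]                # largest segment the client accepts
    for p in pkts:
        if "[TCP Retransmission]" in p["info"]:
            what = p["info"].split("] ", 1)[1]
            first = next(q for q in pkts if q["src"] == p["src"] and q["info"] == what)
            out["retransmit_after"] = round(p["t"] - first["t"], 6)
        if p["src"] == client and "SLE" in p["f"]:
            # Ack = next byte the client still wants; SLE..SRE = block it already holds.
            out["missing"] = (p["f"]["Ack"], p["f"]["SLE"] - 1)
            out["missing_bytes"] = p["f"]["SLE"] - p["f"]["Ack"]
            out["held_bytes"] = p["f"]["SRE"] - p["f"]["SLE"]
    # How the lost bytes were split into segments is not visible in the capture;
    # this only compares the missing span with the MSS the client advertised.
    out["missing_in_client_mss"] = out["missing_bytes"] / out["client_mss"]
    return out

if __name__ == "__main__":
    for key, value in analyse(CAPTURE).items():
        print(f"{key}: {value}")
```

For this capture it reports that bytes 1 to 4380 of the server's reply are missing while the 99 bytes after them arrived, and that the missing span equals exactly three times the MSS the client advertised.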

Answers

1

The retransmit of the packet happened as the client didn't see a response to the first client hello it sent. You seem to have a device from Zinwell or a rebadged version of such a device for your router. I would do some firmware updates if available. It would be better if you provide another sample trace as this one is incomplete/filtered. If you start wireshark/netmon before visiting the site, we will see details of the connect request and so on like below.

3   38.1779028  iexplore.exe    192.168.0.14    192.168.0.1 TCP TCP:Flags=......S., SrcPort=49301, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1380476926, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192  {TCP:2, IPv4:1}
4   38.1781162  iexplore.exe    192.168.0.1 192.168.0.14    TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=49301, PayloadLen=0, Seq=92792191, Ack=1380476927, Win=16384 ( Negotiated scale factor 0x0 ) = 16384  {TCP:2, IPv4:1}
5   38.1786808  iexplore.exe    192.168.0.14    192.168.0.1 TCP TCP:Flags=...A...., SrcPort=49301, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1380476927, Ack=92792192, Win=16425 (scale factor 0x2) = 65700   {TCP:2, IPv4:1}
6   38.1788535  iexplore.exe    192.168.0.14    192.168.0.1 HTTP    HTTP:Request, CONNECT www.paypal.com:443    {HTTP:3, TCP:2, IPv4:1}
7   38.3178172  iexplore.exe    192.168.0.1 192.168.0.14    TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=49301, PayloadLen=0, Seq=92792192, Ack=1380477151, Win=65311 (scale factor 0x0) = 65311   {TCP:2, IPv4:1}
8   38.3784467  iexplore.exe    192.168.0.1 192.168.0.14    HTTP    HTTP:Response, HTTP/1.1, Status: Ok, URL: www.paypal.com:443    {HTTP:3, TCP:2, IPv4:1}
9   38.3826707  iexplore.exe    192.168.0.14    192.168.0.1 TLS TLS:TLS Rec Layer-1 HandShake: Client Hello.    {TLS:5, SSLVersionSelector:4, HTTP:3, TCP:2, IPv4:1}
10  38.5365475  iexplore.exe    192.168.0.1 192.168.0.14    TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=49301, PayloadLen=0, Seq=92792299, Ack=1380477280, Win=65182 (scale factor 0x0) = 65182   {TCP:2, IPv4:1}
11  38.5485415  iexplore.exe    192.168.0.1 192.168.0.14    TLS TLS:TLS Rec Layer-1 HandShake: Server Hello.; TLS Rec Layer-2 HandShake: Certificate.   {TLS:5, SSLVersionSelector:4, HTTP:3, TCP:2, IPv4:1}
12  38.5486008  iexplore.exe    192.168.0.1 192.168.0.14    TCP TCP:[Continuation to #11]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=49301, PayloadLen=1460, Seq=92793759 - 92795219, Ack=1380477280, Win=65182 (scale factor 0x0) = 65182    {TCP:2, IPv4:1}
13  38.5486008  iexplore.exe    192.168.0.1 192.168.0.14    TCP TCP:[Continuation to #11]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=49301, PayloadLen=1460, Seq=92795219 - 92796679, Ack=1380477280, Win=65182 (scale factor 0x0) = 65182    {TCP:2, IPv4:1}

maweeras

Posted 2012-03-23T19:14:11.477

Reputation: 596

@maweeras: same here: http://superuser.com/questions/897662/traffic-redirection-with-rasperry-pi-router - except for it works fine on the router itself but hangs on the notebook.

– Igor Shalyminov – 2015-04-05T13:26:21.717

Thank you for looking at this. I have changed my ISP and this fixed the problem – ravenspoint – 2012-04-06T18:42:36.867