SSL via netfilter
richard@iguana.co.nz
Tue, 11 Jan 2000 13:38:20 +1100 (EST)
Further updates.
For interested parties, I have no idea whether this can really count as a
bug in Netfilter, however it certainly counts as something you should
know.
You can't seem to load balance SSL and expect IE to like it. For some reason
it requires that all connections to the host following the first go to the
same box. Once I removed the balancing component (ie: forwarded to one
machine only, didn't matter which one) the problem was solved, and IE was
happy. Netscape doesn't mind balancing.
Theories at this end revolve around assumptions about incoming
certificates etc.
Dumps of network traffic were caught and analysed, but there was no
problem with the information net-filter was putting out as far as we could
tell.
We have simply set up static balancing, sending one site to one box, and
another to another. Hardly an ideal solution, but unfortunately IE isn't
as amenable to fixing as net-filter.
A possible solution would be an SSL tracking module which ensured that in
a load balanced scenario SSL connections from the same host went to the
same box, but on heavily loaded sites, where it would be needed most, the
storage issues could be substantial. Comments welcome.
Richard.
> After some complaints from users, we managed to track down a really weird
> thing. Netscape works perfectly on SSL balanced by a netfilter box,
> however many (not all) revisions of IE behave erratically, with
> everything from crashes to message boxes claiming not all page contents
> are secure to refusing to load the page at all.
>
> This affects both 40 and 128bit encryption pipes. I am currently looking
> into it, hopefully have some packet dumps soon. This is just for anyone
> who happens to be suffering from the same problem, and may not have
> noticed, or in case someone has it set up and reliably working, in which
> case I may be able to switch versions or something.
>
> System: PIII-500
> Kernel: 2.3.36
> Version 0.1.14 (will test with 15 as soon as I can get the eepro driver
> working properly)
>
> Hints or comments as always appreciated.
>
> Richard.
>
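The following is an added model, not code from the thread or from netfilter, of why per-host "stickiness" matters for balanced SSL: each server only knows the sessions it negotiated itself, so a client that reconnects through a round-robin balancer keeps landing on a box that has never seen its cached session. Session-ID resumption as the mechanism is an assumption here (the post only theorises about the cause); the backend names and client addresses are constructed, and the source-address hash shows one way to get affinity without the per-client table whose storage cost the post worries about.

```python
import hashlib
from collections import defaultdict

BACKENDS = ["web1", "web2", "web3"]          # constructed backend names
CLIENTS = ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4")  # constructed


class Backend:
    """One SSL server: its session cache holds only sessions it created."""

    def __init__(self, name):
        self.name = name
        self.session_cache = set()

    def handshake(self, offered_session_id):
        # Resume only if this box issued the ID; otherwise do a full
        # handshake and hand out a fresh ID that only this box remembers.
        if offered_session_id in self.session_cache:
            return "resumed", offered_session_id
        new_id = f"{self.name}-{len(self.session_cache)}"
        self.session_cache.add(new_id)
        return "full", new_id


def round_robin(counter, _src):
    """Stateless balancer with no affinity: next box for every connection."""
    return counter % len(BACKENDS)


def source_hash(_counter, src):
    """Affinity without a per-client table: hash the source address."""
    digest = hashlib.sha256(src.encode()).digest()
    return int.from_bytes(digest[:4], "big") % len(BACKENDS)


def simulate(scheduler, clients=CLIENTS, connections_per_client=4):
    """Return handshake outcome counts for the given balancing policy."""
    backends = [Backend(n) for n in BACKENDS]
    client_session = {}          # client-side cache: src -> last session ID
    outcomes = defaultdict(int)
    counter = 0
    for _ in range(connections_per_client):
        for src in clients:      # clients reconnect in an interleaved order
            idx = scheduler(counter, src)
            counter += 1
            kind, sid = backends[idx].handshake(client_session.get(src))
            client_session[src] = sid
            outcomes[kind] += 1
    return dict(outcomes)


if __name__ == "__main__":
    print("round-robin :", simulate(round_robin))   # every reconnect is a full handshake
    print("source-hash :", simulate(source_hash))   # one full handshake per client, rest resumed
```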