MozillaZine

Getting a lot of TLS handshake errors!

Grumpus

Posted October 27th, 2017, 6:12 am

You're expecting the definitive when there is none.
Traffic to the site can limit the server response, same for the cookie load or even the site load.
I have only a couple of legacy extensions and haven't experienced any TLS lag but I do not accept cookies except for a couple of sites and change preferences before accessing them. Still no lag on those sites.
When opening to a blank page Hurricane Electric shouldn't be showing in the top section unless you have to manually login to your ISP.
Check the captive portal settings in about:config. If not accessing through a login page these are not necessary and can cause some problems.
Akamai is usually connected to a specific site and I would check your preferences and about:newtab and newtabpage settings in about:config.
Also check the site exceptions for Phishing Protection, warnings for installation of anything, storage of offline website data, etc.
Some of the IPs at startup could be related to Mozilla or extensions but I doubt it's Hurricane or Akamai.

ginahoy

Posted October 27th, 2017, 2:51 pm

Grumpus wrote:Traffic to the site can limit the server response, same for the cookie load or even the site load.

That wouldn't explain an indefinite hang versus a fast response with nothing in between. How indefinite? I just waited 30 minutes and the TLS handshake message still hasn't resolved or generated a timeout. This appears to be some sort of breakdown somewhere along the line.

Grumpus wrote:I have only a couple of legacy extensions and haven't experienced any TLS lag but I do not accept cookies except for a couple of sites and change preferences before accessing them. Still no lag on those sites.

I don't see how this could have anything to do with an extension or stored cookie since I can replicate the hang on a clean install.

Grumpus wrote:When opening to a blank page Hurricane Electric shouldn't be showing in the top section unless you have to manually login to your ISP. Check the captive portal settings in about:config. If not accessing through a login page these are not necessary and can cause some problems.

Thanks for assisting with this. There's no login to access my ISP. I have a DSL modem and the network is rural microwave (small dish, line-of-sight). I toggled network.captive-portal-service.enabled to false, but I'm still seeing these IPs in iptraf, top section, when I start the browser with a blank page. I appreciate your advice on this as I have never used an IP monitor before.

Grumpus wrote:Akamai is usually connected to a specific site... Some of the ips at startup could be related to Mozilla or extensions but I doubt it's Hurricane or Akamai.

OK, when I open the browser in safe mode, the Akamai IP doesn't appear, so that one appears to be triggered by an extension, which I can isolate. But the Hurricane Electric IP still shows up.

Grumpus wrote:I would check your preferences and about:newtab and newtabpage settings in about:config.

Not sure what specifically to look for re: newtab settings: http://bit.ly/2yRDe4z.

Grumpus wrote:Also site exceptions for, Phishing Protections, Warnings for installation of anything, Storage of offline website data, etc.

I have all the boxes (4) checked under Preferences/Security/General. The only site exceptions are the two mozilla sites for addons that are included at installation. Under Preferences/Advanced/Data Choices, I have all (3) boxes unchecked, and under Advanced/Network, I have cached web content set to 0 MB, and offline storage "currently using 0 bytes" and the "tell you when a website asks..." checked, with no exceptions entered. In any case, I have my privacy settings set to clear offline data when browser closes.

BTW, I noticed when I exit iptraf-ng, it doesn't unload itself so when I want to use it again, I have to manually kill the process first. Do you know if this is normal, or if there's a work-around? I'm new to Linux so I'm not yet familiar with script writing.

Brummelchen

Posted October 28th, 2017, 6:47 am

Either it's Linux or v55 specific; I cannot recreate it with v56 and Windows -> https://de.linkedin.com/ (OK, it's the German entry point, but that should not matter).
The cert is valid until Nov 30, 2017.

I have Mint on a stick and can try to reproduce, without NoScript. But it seems you had no clean profile, as you submitted that you are using NoScript, and that is no longer a clean profile.

Edit:
Mint 18.2 live Linux, Firefox 54, with and without NoScript (latest): LinkedIn has no TLS issue, although it did not load completely due to missing scripts (NoScript default settings).

If you are running external filters on Linux, deactivate them, and have a look into your modem/router.

Grumpus

Posted October 28th, 2017, 8:00 am

You should be opening iptraf or iptraf-ng in a terminal using sudo.
Neither will close by closing the terminal.
To close iptraf or iptraf-ng, hit "x" and then "x" again. Hitting it once takes you to the index for configuration.
Then you can close the terminal.
Look at the configurations and set according to your preferences.
If you need more information, open a terminal and type "info iptraf-ng"; you can close the info page by hitting "q".

Newtabpage settings control how many ads/sites are loaded on a new tab page when opening a new tab, where, when or how, in how many columns and rows.
It's an advertising thing which was installed by Mozilla and never really properly removed.
Search both the 'zine's Support and General forums for how to deal with it, closing it off, removing the url or changing the items to about:blank.

I don't know what to tell you about Hurricane electric, you should see the service ports the IPs are related to in iptraf-ng.
Wikipedia has a page on it and they do supply Internet access.
You can go into /etc/services on your system to see what the ports are for, or you can download a current list after a Google search.

ginahoy

Posted October 28th, 2017, 11:10 pm

Brummelchen wrote:either its linux or v55 specific - i can not recreate with v56 and windows -> https://de.linkedin.com/

As I previously mentioned, the TLS hang occurs on a LinkedIn page that requires signing in. This is consistent with the others who reported TLS hangs earlier in this thread.

I use a bookmark to access my LinkedIn page. By protecting certain persistent cookies, I'm able to bypass their sign-in page and maintain an indefinite session. When testing with a fresh profile, FF defaults to 'remember history', so I was able to access my LinkedIn page without having to sign in each time as I repeatedly opened and closed FF in my attempt to replicate the hang. And since a clean profile obviously starts with an empty cookie.sqlite, this eliminates the possibility that a corrupt cookie stored in my standard profile might be causing the hang.

EDIT: I had not tried to replicate the TLS hang while logged out. I just tried that and was able to replicate the error, first attempt. I don't know if it makes a difference, but I was navigating to my bookmarked (private) page when I got the error, not the home page.

Brummelchen wrote:you had no clean profile as you submitted you are using noscript and that is no longer a clean profile.

I knew that would confuse folks. My clean profile has no add-ons. I was responding to Grumpus who wanted me to check the NoScript panel as a troubleshooting step. I used my standard profile when responding to his question.

Brummelchen wrote:if you are running external filters on linux, deactivate - and have a look into your modem/router.

Not sure what you mean by external filters... I guess that means I'm not. My router is mostly set to factory default. The only changes I made were to add OpenDNS servers and tweak some wireless settings, which don't affect my machine, since it's hardwired to the router.

Brummelchen

Posted October 29th, 2017, 3:15 am

ginahoy wrote:were to add OpenDNS servers

What if you reset those to default or let the router handle it?
Maybe the OpenDNS server takes too long to answer?
You wrote that it doesn't happen on every event, only on a few.

I am an idiot with Linux; my plans about it are growing slowly. I try to adapt from Windows.
What I meant with "external" are e.g. proxies, VPN, installed security software, OpenDNS ;).
What if you use an untouched Linux and device?

Have you taken a look into the browser console -> Network to see if there are errors listed?

About iptraf-ng (I don't know it):
https://wiki.ipfire.org/en/addons/iptraf-ng/start

ginahoy

Posted October 29th, 2017, 3:43 am

Brummelchen wrote:maybe the opendns server takes too long to answer?

In my experience, when that happens, the status message hangs at 'looking up domain.com'.

Brummelchen wrote:what i meant with "external" are eg. proxies, vpn, installed security software

I didn't use proxies, VPN or TSR security software on my XP machine, and I don't even know how to set those up on my new Linux machine :wink:

Brummelchen wrote:what if you use an untouched linux and device?

Tomorrow I will test by booting into Linux Mint from the installation disk (iso), which I believe came with FF54.

Brummelchen wrote:have you took a look into the browser console -> network if there are listed errors?

Yes, when there's a TLS handshake hang, there's a GET command but nothing else.
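The status messages described in this exchange ('looking up ...' versus a stalled TLS handshake) correspond to separate connection phases that curl can time individually, which makes it possible to tell a DNS stall from a TCP or handshake stall. The script below is an added example, not code from the thread; it assumes a curl with the standard --write-out timing variables and uses a placeholder URL.

```sh
#!/bin/sh
# Added example (not from the thread): time each phase of an HTTPS fetch with
# curl so an intermittent hang can be pinned to DNS ("looking up ..."), the
# TCP connect, or the TLS handshake ("performing TLS handshake ...").
# Assumes curl with the standard --write-out timing variables.

# Map curl's exit status plus its per-phase timings (seconds) to the phase
# that failed. curl reports a phase it never reached as 0, so on a timeout
# (status 28) the first zeroed phase is the one that hung. Heuristic only.
classify_phase() {
    status="$1"; t_dns="$2"; t_tcp="$3"; t_tls="$4"
    case "$status" in
        0)        echo "ok" ;;
        6)        echo "dns" ;;   # could not resolve host
        7)        echo "tcp" ;;   # could not connect
        35|51|60) echo "tls" ;;   # handshake or certificate failure
        28)       awk -v dns="$t_dns" -v tcp="$t_tcp" -v tls="$t_tls" 'BEGIN {
                      if (dns == 0)      print "dns";
                      else if (tcp == 0) print "tcp";
                      else if (tls == 0) print "tls";
                      else               print "http" }' ;;
        *)        echo "other($status)" ;;
    esac
}

# One probe of URL with an overall deadline (seconds). Prints the failing
# phase (or "ok") followed by the phase timings.
probe_https() {
    url="$1"; deadline="${2:-20}"
    timings=$(LC_ALL=C curl -sS -o /dev/null --max-time "$deadline" \
        -w '%{time_namelookup} %{time_connect} %{time_appconnect} %{time_total}' \
        "$url" 2>/dev/null)
    status=$?
    set -- $timings
    echo "$(classify_phase "$status" "$1" "$2" "$3") dns=$1 tcp=$2 tls=$3 total=$4"
}

# Repeat the probe N times: an intermittent problem like the one in the
# thread shows up as a mix of "ok" and "tls" lines. Each curl run is a
# fresh process, so no TLS session is resumed between attempts.
repeat_probe() {
    url="$1"; n="${2:-10}"; deadline="${3:-20}"
    i=1
    while [ "$i" -le "$n" ]; do
        echo "$i: $(probe_https "$url" "$deadline")"
        i=$((i + 1))
    done
}

# Example run (placeholder target; substitute the page that hangs):
# repeat_probe https://www.example.com/ 10 20
```

A run that alternates "ok" with "tls" lines while dns and tcp timings stay small points at the handshake itself rather than at name resolution or the modem.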

Brummelchen

Posted October 29th, 2017, 4:34 am

Windows XP? Sorry, can't help; that's not negotiable for me, for security reasons.
But if you have the same issues on Windows and Linux, you should look for similarities.
That's the only advice I can give you.

Grumpus

Posted October 29th, 2017, 8:06 am

General note: updates, if doing the disc now, may be as much as 240 MB.
Additionally, for Linux Mint 18, watch out for the time settings.
I noticed in setting up a new Linux Mint that they used any and all Internet time servers, and there were too many IPs sending time information.
These show on the UDP side of iptraf-ng, and Hurricane is one of them.
You may want to drop the full NTP and drop back to only NTPdate, and set the clock to Manual. Close the 123 port if you don't intend to use it.
There was an exploit of this a number of years back, and there was also an issue with the frequency of time calls; with as many as 6 servers being called, it loads up the connection with unnecessary data, creating something similar to a DoS.

ginahoy

Posted October 29th, 2017, 2:30 pm

Brummelchen wrote:windows xp? sorry, cant help, thats not negotiable for me

Huh? My comments re: TLS hangs are 100% related to Linux. I only mentioned my XP machine to emphasize that I'm not familiar with setting up vpn or proxies. In any case, I don't experience the TLS hangs on that machine, but it's running an older version of FF.

Grumpus wrote: Updates if doing the disc now may be as much as 240 MB.

I wasn't talking about reinstalling Linux, just booting from the disk to see if I can replicate the TLS handshake hang on an 'untouched' instance of Linux as suggested by Brummelchen.

OK, I just did that, and was able to replicate the TLS hang from Linux live, which comes with FF54. I replicated the hang on the main page as well as on the sign-in screen that comes up when I try to navigate to my page. I also had the router switched off and connected directly to the DSL modem provided by my ISP (I don't have access to its setup). The hang doesn't happen every time... as I recall it took at least 10 tries to replicate on the main LinkedIn page (I would close the browser and reopen between attempts), but when it hung, it hung like forever -- I left to eat lunch and it was still spinning when I returned. Other times I get a timeout page. Not sure why the inconsistency with that. Perhaps a clue? Also, it happens a lot more frequently on the first attempt when I'm accessing my private page using a persistent session cookie, which is what makes this so irritating.

Grumpus wrote:... Linux Mint 18 - watch out for the time settings... You may want to drop the full NTP and drop back to only the NTPdate and set the clock on Manual. Close the 123 port if you don't intend to use it.

Of course! I forgot about NTP. And thanks for alerting me to Linux Mint 18 time setting issues.

...stepping back off topic
When I first installed Linux, I changed the Time and Date GUI configuration setting to 'Manual' so theoretically there shouldn't be any NTP traffic, right? HOWEVER, surprisingly my system clock is still within 1 second of 'official' time after more than 3 months, which in my experience, is highly unlikely without NTP. So I suspect the manual setting is either broken or overridden by another process, which might explain the Hurricane Electric traffic. Rather than trying to troubleshoot, I like your idea of simply closing the port, except I don't know how. I found this page that seems to cover it all. I would be grateful if you would glance over the proposed commands before I blindly execute something I know nothing about :?

Grumpus

Posted October 30th, 2017, 6:11 am

With 18.2 there seems to be an abrogation of admin power with regard to the manual setting in the NTP package.
This is a guess at this point but I couldn't get it to hold with NTP.
Changing to the NTPdate package and dumping the NTP package allows for the administration of the switch between manual and Internet set, and it holds.
Blocking the 123 port is a good thing as far as I can see even with the change from NTP to NTPdate which is a smaller package, less footprint.
There's also a configuration file for the servers and they can be commented out as well. Use admin level search in Caja, Nemo or Nautilus for NTP.
If you do re-install or have it already you might check for updates which are relative.
The TLS issue could be the Linkedin site.
With the current Power issue in Puerto Rico and the Whitefish contract it could be fluctuating levels of traffic or even hacks.
Since you had less hangs with the ISPs supplied router it might be good to talk to their technical support people and see if they have any ideas.
The use of two routers could be creating a conflict, double access attempts or an insecure process.
There also may be a connection break which occurs during the access to the Linkedin page, something like an unreported connection timing out.
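Before dropping the NTP package or blocking port 123 as discussed in the posts above, it helps to know which time sources the system is actually configured with and whether anything is listening on UDP 123. The script below is an added example, not from the thread; it assumes the standard Debian/Ubuntu file locations that Mint 18 inherits, plus the ss and timedatectl tools, and it only reports, changing nothing.

```sh
#!/bin/sh
# Added example (not from the thread): inventory the NTP setup on a
# Debian/Ubuntu-based desktop such as Linux Mint 18 before deciding whether
# to remove ntpd or block UDP 123. Read-only; it changes nothing.

# Print the hosts on server/pool/peer lines of an ntp.conf-style file,
# skipping comments and blank lines. Prints nothing if the file is absent.
ntp_sources() {
    conf="$1"
    [ -r "$conf" ] || return 0
    grep -E '^[[:space:]]*(server|pool|peer)[[:space:]]+' "$conf" | awk '{ print $2 }'
}

# Print the NTP= and FallbackNTP= hosts from a systemd-timesyncd config
# (one per line), ignoring commented-out keys.
timesyncd_sources() {
    conf="$1"
    [ -r "$conf" ] || return 0
    grep -E '^(NTP|FallbackNTP)=' "$conf" | cut -d= -f2- | tr ' ' '\n' | sed '/^$/d'
}

# Number of distinct hosts an ntp.conf would query: a long list is what the
# post above calls "too many IPs sending time information".
ntp_source_count() {
    ntp_sources "$1" | sort -u | wc -l | tr -d ' '
}

# Sockets bound to UDP 123 right now (iproute2 ss; run with sudo to see
# process names). Empty output means no daemon is listening.
udp123_listeners() {
    ss -lunp 2>/dev/null | grep -E ':123[[:space:]]' || true
}

# Report for the usual file locations plus what systemd reports about NTP.
ntp_report() {
    echo "== /etc/ntp.conf sources ($(ntp_source_count /etc/ntp.conf)):"
    ntp_sources /etc/ntp.conf
    echo "== /etc/systemd/timesyncd.conf sources:"
    timesyncd_sources /etc/systemd/timesyncd.conf
    echo "== timedatectl:"
    timedatectl 2>/dev/null | grep -i ntp || true
    echo "== listening on UDP 123:"
    udp123_listeners
}

# Uncomment to run: ntp_report
```

If the clock keeps syncing after the GUI is set to Manual, the timedatectl and UDP 123 sections show which service is still doing it.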

ginahoy

Posted October 30th, 2017, 4:24 pm

Grumpus wrote:The TLS issue could be the Linkedin site. With the current Power issue in Puerto Rico and the Whitefish contract it could be fluctuating levels of traffic or even hacks.

I figure this is probably a LinkedIn issue since I don't experience TLS hangs on any other sites. BUT, since others report TLS hangs with different sites going back several months, I'm thinking it could be an issue with some 3rd party network software that LinkedIn deployed this month, but other sites may have deployed earlier, that has a bug that causes an indeterminate race condition? Just a guess. What's odd is that the problem occurs with Firefox but not other browsers, according to the other reports in this thread. I don't care to install another browser on my machine so I can't corroborate that. When I have time, I'll boot into Linux Live and install Chrome and test that.

Grumpus wrote:Since you had less hangs with the ISPs supplied router it might be good to talk to their technical support people and see if they have any ideas.

Although I can't rule out an issue with my ISP's network, I didn't mean to imply that there were fewer hangs when I disconnected my router. Whether I connect through my router or directly to the DSL modem/router, it always takes multiple tries to replicate the TLS hang when I navigate to the LinkedIn home page. On the other hand, when I navigate to my private LinkedIn page, it usually hangs on the first attempt. That's true whether I'm using my router or connect directly to the DSL modem/router.

Grumpus wrote:There also may be a connection break which occurs during the access to the Linkedin page, something like an unreported connection timing out.

Could you say more about this?

ginahoy

Posted October 31st, 2017, 1:11 am

Some of the earlier posts in this thread suggest that TLS hangs happen with Firefox but not Chrome. To test this, I booted from my Linux Mint install disk ("Linux Live") and installed Chromium (open source version of Chrome). I was able to replicate the TLS hang. But the behavior was somewhat different. The status message when it hangs reads: "Establishing secure connection", and 'time outs' typically follow in under a minute: "This site can't be reached. LinkedIn took too long to load.", although once the time-out page appears, the site finally loads within a few seconds after that. That took me by surprise... I've never seen that happen before with FF.

I wasn't surprised that I experienced hangs with Chromium/Chrome since the onset of the hangs in my case didn't correspond to a Firefox upgrade. I had been running v55 on my Linux machine at least 2 weeks before I started getting the LinkedIn TLS hangs.

So this apparently isn't a Firefox issue, at least in my case, so I don't expect to receive further support here. Hopefully it will eventually clear up on its own.

Grumpus

Posted October 31st, 2017, 5:47 am

Whether it's Firefox or something else, it doesn't hurt to hash it out. Good luck. ;)
