
Thread: [SOLVED] Firefox 3 + Zimbra 5 - TLS Interop issue

  1. #1
    irvingpop (Member)

    Disclaimer: Yeah, yeah, I know FF3 is still in beta. I'm posting this for the public good.


    Firefox 3 users may have already noticed a 20-30 second delay when connecting to Zimbra via https, both to the zimbra and ZimbraAdmin services.

    From what I've found, Firefox 3 is sending a TLS Client Hello message, but the server (Jetty) never responds with a TLS Server Hello message. After about 20-30 seconds, Firefox 3 gives up and drops back to SSLv3. SSLv3 works as normal.

    I haven't noticed any TLS issues like this between FF3 and Apache or Tomcat. Other browsers are using TLS to Jetty just fine. My assumption is that there must be something funny that FF3 is sending in the TLS Client Hello message that Jetty doesn't like.

    Any pointers on how to debug this further to provide a usable bug report to the faulting party?



    Packet capture from ethereal.
    Notice the time jump between packets 5 and 6, with no TLS Server Hello message. At packet 10, SSLv3 initiates just fine.

    Code:
    1   0.000000 172.16.20.147 -> 172.16.20.51 TCP 59247 > https [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=2
    2   0.016308 172.16.20.51 -> 172.16.20.147 TCP https > 59247 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=2
    3   0.019622 172.16.20.147 -> 172.16.20.51 TCP 59247 > https [ACK] Seq=1 Ack=1 Win=65700 Len=0
    4   0.023145 172.16.20.147 -> 172.16.20.51 TLS Client Hello
    5   0.023171 172.16.20.51 -> 172.16.20.147 TCP https > 59247 [ACK] Seq=1 Ack=173 Win=6912 Len=0
    6  27.941715 172.16.20.147 -> 172.16.20.51 TCP 59247 > https [FIN, ACK] Seq=173 Ack=1 Win=65700 Len=0
    7  27.943256 172.16.20.147 -> 172.16.20.51 TCP 59249 > https [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=2
    8  27.943391 172.16.20.51 -> 172.16.20.147 TCP https > 59249 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=2
    9  27.943411 172.16.20.147 -> 172.16.20.51 TCP 59249 > https [ACK] Seq=1 Ack=1 Win=65700 Len=0
    10  27.946558 172.16.20.147 -> 172.16.20.51 SSLv2 Client Hello
    11  27.946734 172.16.20.51 -> 172.16.20.147 TCP https > 59249 [ACK] Seq=1 Ack=82 Win=5840 Len=0
    12  27.964218 172.16.20.51 -> 172.16.20.147 TCP https > 59247 [FIN, ACK] Seq=1 Ack=174 Win=6912 Len=0
    13  27.964886 172.16.20.147 -> 172.16.20.51 TCP 59247 > https [ACK] Seq=174 Ack=2 Win=65700 Len=0
    14  28.017420 172.16.20.51 -> 172.16.20.147 SSLv3 Server Hello, Certificate, Server Key Exchange, Server Hello Done
    15  28.023431 172.16.20.147 -> 172.16.20.51 SSLv3 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
    16  28.023463 172.16.20.51 -> 172.16.20.147 TCP https > 59249 [ACK] Seq=1216 Ack=264 Win=6912 Len=0
    17  28.037937 172.16.20.51 -> 172.16.20.147 SSLv3 Change Cipher Spec
    18  28.038197 172.16.20.51 -> 172.16.20.147 SSLv3 Encrypted Handshake Message

    Ethereal output of FF3's TLS Client Hello message

    Code:
    Secure Socket Layer
        SSL Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 167
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 163
                Version: TLS 1.0 (0x0301)
                Random.gmt_unix_time: Jan  6, 1970 12:46:38.000000000
                Random.bytes
                Session ID Length: 0
                Cipher Suites Length: 68
                Cipher Suites (34 suites)
                    Cipher Suite: Unknown (0xc00a)
                    Cipher Suite: Unknown (0xc014)
                    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                    Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                    Cipher Suite: Unknown (0xc00f)
                    Cipher Suite: Unknown (0xc005)
                    Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                    Cipher Suite: Unknown (0xc007)
                    Cipher Suite: Unknown (0xc009)
                    Cipher Suite: Unknown (0xc011)
                    Cipher Suite: Unknown (0xc013)
                    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                    Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                    Cipher Suite: Unknown (0xc00c)
                    Cipher Suite: Unknown (0xc00e)
                    Cipher Suite: Unknown (0xc002)
                    Cipher Suite: Unknown (0xc004)
                    Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                    Cipher Suite: Unknown (0xc008)
                    Cipher Suite: Unknown (0xc012)
                    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                    Cipher Suite: Unknown (0xc00d)
                    Cipher Suite: Unknown (0xc003)
                    Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Compression Methods Length: 1
                Compression Methods (1 method)
                    Compression Method: null (0)
                Extensions Length: 54
                Extension: server_name
                    Type: server_name (0x0000)
                    Length: 28
                    Data (28 bytes)
                Extension: Unknown 10
                    Type: Unknown (0x000a)
                    Length: 8
                    Data (8 bytes)
                Extension: Unknown 11
                    Type: Unknown (0x000b)
                    Length: 2
                    Data (2 bytes)
                Extension: EAP-FAST PAC-Opaque
                    Type: EAP-FAST PAC-Opaque (0x0023)
                    Length: 0
                    Data (0 bytes)

    TLS Client Hello message from FF2, for posterity

    Code:
    Secure Socket Layer
        SSL Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 151
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 147
                Version: TLS 1.0 (0x0301)
                Random.gmt_unix_time: Dec 31, 1969 22:50:13.000000000
                Random.bytes
                Session ID Length: 0
                Cipher Suites Length: 56
                Cipher Suites (28 suites)
                    Cipher Suite: Unknown (0xc00a)
                    Cipher Suite: Unknown (0xc014)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                    Cipher Suite: Unknown (0xc00f)
                    Cipher Suite: Unknown (0xc005)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                    Cipher Suite: Unknown (0xc007)
                    Cipher Suite: Unknown (0xc009)
                    Cipher Suite: Unknown (0xc011)
                    Cipher Suite: Unknown (0xc013)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                    Cipher Suite: Unknown (0xc00c)
                    Cipher Suite: Unknown (0xc00e)
                    Cipher Suite: Unknown (0xc002)
                    Cipher Suite: Unknown (0xc004)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                    Cipher Suite: Unknown (0xc008)
                    Cipher Suite: Unknown (0xc012)
                    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                    Cipher Suite: Unknown (0xc00d)
                    Cipher Suite: Unknown (0xc003)
                    Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Compression Methods Length: 1
                Compression Methods (1 method)
                    Compression Method: null (0)
                Extensions Length: 50
                Extension: server_name
                    Type: server_name (0x0000)
                    Length: 28
                    Data (28 bytes)
                Extension: Unknown 10
                    Type: Unknown (0x000a)
                    Length: 8
                    Data (8 bytes)
                Extension: Unknown 11
                    Type: Unknown (0x000b)
                    Length: 2
                    Data (2 bytes)
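
One way to isolate what FF3 offers that FF2 does not is to diff the two dissections mechanically; this is an added example, not code from the thread, and it runs on constructed, trimmed excerpts in the same Ethereal text layout. On the two dumps posted above, the differences are the six Camellia suites and extension type 0x0023, which IANA assigns to session_ticket and this Ethereal build labels EAP-FAST PAC-Opaque. The names `parse_hello`, `only_in_first` and `EXT_NAMES` are illustrative.

```python
import re

# Constructed excerpts in the dissector's text layout (a few entries per
# hello, not the full dumps from the post).
HEADER = "Handshake Type: Client Hello (1)\nVersion: TLS 1.0 (0x0301)\n"
SUITES = ("Cipher Suite: Unknown (0xc00a)\n"
          "Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)\n")
CAMELLIA = ("Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)\n"
            "Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)\n")
EXTS = ("Extension: server_name\n    Type: server_name (0x0000)\n"
        "Extension: Unknown 10\n    Type: Unknown (0x000a)\n"
        "Extension: Unknown 11\n    Type: Unknown (0x000b)\n")
TICKET = "Extension: EAP-FAST PAC-Opaque\n    Type: EAP-FAST PAC-Opaque (0x0023)\n"
FF2_HELLO = HEADER + SUITES + EXTS
FF3_HELLO = HEADER + SUITES + CAMELLIA + EXTS + TICKET

# IANA names for extension types this old dissector cannot name or mislabels.
EXT_NAMES = {0x000a: "elliptic_curves", 0x000b: "ec_point_formats",
             0x0023: "session_ticket"}

# Matches only "Cipher Suite: X (0xNNNN)" and extension "Type: X (0xNNNN)";
# "Handshake Type", "Content Type" and "Version" lines are skipped.
FIELD = re.compile(r"^\s*(Cipher Suite|Type): (.+) \(0x([0-9a-fA-F]{4})\)\s*$")

def parse_hello(text):
    """Return (cipher suites, extensions) as {code: dissector label} dicts."""
    suites, exts = {}, {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            kind, label, code = m.group(1), m.group(2), int(m.group(3), 16)
            (suites if kind == "Cipher Suite" else exts)[code] = label
    return suites, exts

def only_in_first(first, second):
    """Suites and extensions offered in `first` but absent from `second`."""
    (s1, e1), (s2, e2) = parse_hello(first), parse_hello(second)
    suites = [f"0x{c:04x} {s1[c]}" for c in sorted(s1.keys() - s2.keys())]
    exts = [f"0x{c:04x} {EXT_NAMES.get(c, e1[c])}"
            for c in sorted(e1.keys() - e2.keys())]
    return suites, exts

if __name__ == "__main__":
    new_suites, new_exts = only_in_first(FF3_HELLO, FF2_HELLO)
    print("suites only in FF3:", new_suites)
    print("extensions only in FF3:", new_exts)
```

Each item in the result is a candidate to switch off on the client, one at a time, to see which one the server stalls on.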

  2. #2
    LMStone (Moderator)

    We are seeing the same thing.

    FF3b5 on OpenSuSE 10.3 connecting to 64-bit ZCS 5.0.4NE on SLES10, w/ http mode set to "redirect".

    If I hit the FF3 "stop" button immediately followed by the "reload" button, the https login screen loads instantly.

    If I log out of ZCS but keep the browser open, subsequent connects to ZCS have the login window appear near instantly.

    Hope that helps,
    Mark

    P.S. If anyone from Zimbra wants logs, Wireshark packet captures, etc., just let me know.

  3. #3
    irvingpop (Member)

    bump

    So, just to follow up:

    Are LMStone and myself crazy, or are other administrators seeing this as well?

    FF3 beta appears to be wildly popular, especially for Mac users. I can't be the only admin with users jumping aboard in droves.

  4. #4
    LMStone (Moderator)

    Originally posted by irvingpop:
        So, just to follow up:

        Are LMStone and myself crazy, or are other administrators seeing this as well?

        FF3 beta appears to be wildly popular, especially for Mac users. I can't be the only admin with users jumping aboard in droves.

    Thanks for the compliment! Usually I'm just called "different"...

    Yes, we are seeing lots of non-tech users download/install FF3B5 primarily because it is so noticeably faster than FF2.

    Hope that helps,
    Mark

  5. #5
    jhansen (New Member)

    Originally posted by irvingpop:
        So, just to follow up:

        Are LMStone and myself crazy, or are other administrators seeing this as well?

        FF3 beta appears to be wildly popular, especially for Mac users. I can't be the only admin with users jumping aboard in droves.

    Yes, seeing this here with FF3b5 as well. Cross-platform.

    Unable to reproduce with previous FF3 beta releases.

  6. #6
    Insanity5902 (Intermediate Member)

    I've noticed this also with just FF3b5. b4 and previous builds didn't do this.

    I've also noticed the same connection speedups when reconnecting a different Zimbra session in the same browser session.

    Edit: mine was self-compiled on 64-bit Linux.
    Last edited by Insanity5902; 04-25-2008 at 10:16 PM.

  7. #7
    Rick Baker (Loyal Member)

    I have seen the same thing, both on Mac 10.5 and 64-bit Vista.

  8. #8
    bigmudcake (Senior Member)

    Has anyone submitted a bug report to Zimbra on this, as the GA release of Firefox 3 is not that far away?
    Cheers
    Bigmudcake

    I am running:
    Zimbra 5.0.7 Open Source Edition on openSUSE 10.2
    Zimbra 5.0.7 Open Source Edition on openSUSE 10.3 inside VirtualBox
    Zimbra 5.0.7 Open Source Edition on Ubuntu Server 8.04 LTS inside VirtualBox 1.6.2
    Currently testing 5.0.8 on openSUSE 11

  9. #9
    Insanity5902 (Intermediate Member)

    No, b/c Firefox 3 is still in too much flux imho. It worked fine during all the other alpha and beta releases. This is the first one that it hasn't. I would wait until the RC hits. Even this beta5 included a new JS engine.

    That, and I am not sure it is Zimbra's/Jetty's fault. At least wait until beta 6 comes out.

  10. #10
    p24t (Moderator)

    I'm also seeing this just starting with FF3 b5. Was fine in b4.
