  #1 (permalink)  
Old 04-16-2008, 12:25 PM
Member
 
Posts: 14
Default [SOLVED] Firefox 3 + Zimbra 5 - TLS Interop issue

Disclaimer: Yeah, yeah, I know FF3 is still in beta. I'm posting this for the public good.


Firefox 3 users may have already noticed a 20-30 second delay when connecting to Zimbra via https, both to the zimbra and ZimbraAdmin services.

From what I've found, Firefox 3 is sending a TLS Client Hello message, but the server (Jetty) never responds with a TLS Server Hello message. After about 20-30 seconds, Firefox3 gives up and drops back to SSLv3. SSLv3 works as normal.

I haven't noticed any TLS issues like this between FF3 and Apache or Tomcat. Other browsers are using TLS to Jetty just fine. My assumption is that there must be something funny that FF3 is sending in the TLS Client Hello message that Jetty doesn't like.

Any pointers on how to debug this further to provide a usable bug report to the faulting party?



Packet capture from ethereal.
Notice the time jump between packets 5 and 6, with no TLS Server Hello message. At packet 10, SSLv3 initiates just fine.

Code:
1   0.000000 172.16.20.147 -> 172.16.20.51 TCP 59247 > https [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=2
2   0.016308 172.16.20.51 -> 172.16.20.147 TCP https > 59247 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=2
3   0.019622 172.16.20.147 -> 172.16.20.51 TCP 59247 > https [ACK] Seq=1 Ack=1 Win=65700 Len=0
4   0.023145 172.16.20.147 -> 172.16.20.51 TLS Client Hello
5   0.023171 172.16.20.51 -> 172.16.20.147 TCP https > 59247 [ACK] Seq=1 Ack=173 Win=6912 Len=0
6  27.941715 172.16.20.147 -> 172.16.20.51 TCP 59247 > https [FIN, ACK] Seq=173 Ack=1 Win=65700 Len=0
7  27.943256 172.16.20.147 -> 172.16.20.51 TCP 59249 > https [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=2
8  27.943391 172.16.20.51 -> 172.16.20.147 TCP https > 59249 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=2
9  27.943411 172.16.20.147 -> 172.16.20.51 TCP 59249 > https [ACK] Seq=1 Ack=1 Win=65700 Len=0
10  27.946558 172.16.20.147 -> 172.16.20.51 SSLv2 Client Hello
11  27.946734 172.16.20.51 -> 172.16.20.147 TCP https > 59249 [ACK] Seq=1 Ack=82 Win=5840 Len=0
12  27.964218 172.16.20.51 -> 172.16.20.147 TCP https > 59247 [FIN, ACK] Seq=1 Ack=174 Win=6912 Len=0
13  27.964886 172.16.20.147 -> 172.16.20.51 TCP 59247 > https [ACK] Seq=174 Ack=2 Win=65700 Len=0
14  28.017420 172.16.20.51 -> 172.16.20.147 SSLv3 Server Hello, Certificate, Server Key Exchange, Server Hello Done
15  28.023431 172.16.20.147 -> 172.16.20.51 SSLv3 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
16  28.023463 172.16.20.51 -> 172.16.20.147 TCP https > 59249 [ACK] Seq=1216 Ack=264 Win=6912 Len=0
17  28.037937 172.16.20.51 -> 172.16.20.147 SSLv3 Change Cipher Spec
18  28.038197 172.16.20.51 -> 172.16.20.147 SSLv3 Encrypted Handshake Message

Ethereal output of FF3's TLS Client Hello message

Code:
Secure Socket Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 167
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 163
            Version: TLS 1.0 (0x0301)
            Random.gmt_unix_time: Jan  6, 1970 12:46:38.000000000
            Random.bytes
            Session ID Length: 0
            Cipher Suites Length: 68
            Cipher Suites (34 suites)
                Cipher Suite: Unknown (0xc00a)
                Cipher Suite: Unknown (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: Unknown (0xc00f)
                Cipher Suite: Unknown (0xc005)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: Unknown (0xc007)
                Cipher Suite: Unknown (0xc009)
                Cipher Suite: Unknown (0xc011)
                Cipher Suite: Unknown (0xc013)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: Unknown (0xc00c)
                Cipher Suite: Unknown (0xc00e)
                Cipher Suite: Unknown (0xc002)
                Cipher Suite: Unknown (0xc004)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: Unknown (0xc008)
                Cipher Suite: Unknown (0xc012)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: Unknown (0xc00d)
                Cipher Suite: Unknown (0xc003)
                Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 54
            Extension: server_name
                Type: server_name (0x0000)
                Length: 28
                Data (28 bytes)
            Extension: Unknown 10
                Type: Unknown (0x000a)
                Length: 8
                Data (8 bytes)
            Extension: Unknown 11
                Type: Unknown (0x000b)
                Length: 2
                Data (2 bytes)
            Extension: EAP-FAST PAC-Opaque
                Type: EAP-FAST PAC-Opaque (0x0023)
                Length: 0
                Data (0 bytes)

TLS Client Hello message from FF2, for posterity

Code:
Secure Socket Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 151
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 147
            Version: TLS 1.0 (0x0301)
            Random.gmt_unix_time: Dec 31, 1969 22:50:13.000000000
            Random.bytes
            Session ID Length: 0
            Cipher Suites Length: 56
            Cipher Suites (28 suites)
                Cipher Suite: Unknown (0xc00a)
                Cipher Suite: Unknown (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: Unknown (0xc00f)
                Cipher Suite: Unknown (0xc005)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: Unknown (0xc007)
                Cipher Suite: Unknown (0xc009)
                Cipher Suite: Unknown (0xc011)
                Cipher Suite: Unknown (0xc013)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: Unknown (0xc00c)
                Cipher Suite: Unknown (0xc00e)
                Cipher Suite: Unknown (0xc002)
                Cipher Suite: Unknown (0xc004)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: Unknown (0xc008)
                Cipher Suite: Unknown (0xc012)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: Unknown (0xc00d)
                Cipher Suite: Unknown (0xc003)
                Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 50
            Extension: server_name
                Type: server_name (0x0000)
                Length: 28
                Data (28 bytes)
            Extension: Unknown 10
                Type: Unknown (0x000a)
                Length: 8
                Data (8 bytes)
            Extension: Unknown 11
                Type: Unknown (0x000b)
                Length: 2
                Data (2 bytes)
Reply With Quote
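One way to take the comparison in post #1 further, as an added example that is not part of the original thread: diff the two Client Hello dissections mechanically and check that the difference accounts for the whole size change between them. The names in `KNOWN_EXT` are IANA assignments, not labels from the poster's Ethereal output, and `_dissect` is a hypothetical helper that rebuilds the relevant dissection lines from the values posted above.

```python
import re

# IANA names for extension types Ethereal printed as "Unknown" or mislabelled.
KNOWN_EXT = {0x0000: "server_name", 0x000A: "elliptic_curves (RFC 4492)",
             0x000B: "ec_point_formats (RFC 4492)",
             0x0023: "SessionTicket TLS (RFC 5077)"}

def parse_hello(text):
    """Pull record length, cipher-suite IDs and {ext_type: data_len} from a text dissection."""
    record_len = int(re.search(r"Length: (\d+)", text).group(1))  # first Length = record layer
    suites = [int(h, 16) for h in
              re.findall(r"Cipher Suite: .*\(0x([0-9a-f]{4})\)", text)]
    exts = {int(t, 16): int(n) for t, n in
            re.findall(r"Type: .*\(0x([0-9a-f]{4})\)\s+Length: (\d+)", text)}
    return record_len, suites, exts

def _wire_size(suites, exts):
    # 2 bytes per suite; 4-byte header plus data per extension
    return 2 * len(suites) + sum(4 + n for n in exts.values())

def diff_hellos(new_text, old_text):
    """List what only the new client offers and how much of the size change that explains."""
    new_len, new_s, new_e = parse_hello(new_text)
    old_len, old_s, old_e = parse_hello(old_text)
    return {"suites": [f"0x{s:04x}" for s in new_s if s not in old_s],
            "extensions": [KNOWN_EXT.get(t, f"0x{t:04x}") for t in new_e if t not in old_e],
            "size_delta": new_len - old_len,
            "explained": _wire_size(new_s, new_e) - _wire_size(old_s, old_e)}

def _dissect(record_len, suites, exts):
    """Constructed sample: rebuild the relevant dissection lines from the posted values."""
    lines = [f"Length: {record_len}"]
    lines += [f"Cipher Suite: Unknown (0x{s})" for s in suites.split()]
    lines += [f"Type: Unknown (0x{t})\n    Length: {n}" for t, n in exts]
    return "\n".join(lines)

FF3 = _dissect(167, "c00a c014 0088 0087 0039 0038 c00f c005 0084 0035 c007 c009 "
               "c011 c013 0045 0044 0033 0032 c00c c00e c002 c004 0041 0004 0005 "
               "002f c008 c012 0016 0013 c00d c003 feff 000a",
               [("0000", 28), ("000a", 8), ("000b", 2), ("0023", 0)])
FF2 = _dissect(151, "c00a c014 0039 0038 c00f c005 0035 c007 c009 c011 c013 0033 "
               "0032 c00c c00e c002 c004 0004 0005 002f c008 c012 0016 0013 c00d "
               "c003 feff 000a", [("0000", 28), ("000a", 8), ("000b", 2)])

if __name__ == "__main__":
    print(diff_hellos(FF3, FF2))
```

When `size_delta` equals `explained`, the session ID and compression fields are the same size in both hellos, so the candidates to report upstream are the listed suites and extensions. `parse_hello` also accepts the full Ethereal text output pasted as-is.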
  #2 (permalink)  
Old 04-16-2008, 08:02 PM
Moderator
 
Posts: 511
Default

We are seeing the same thing.

FF3b5 on OpenSuSE 10.3 connecting to 64-bit ZCS 5.0.4NE on SLES10, w/ http mode set to "redirect".

If I hit the FF3 "stop" button immediately followed by the "reload" button, the https login screen loads instantly.

If I log out of ZCS but keep the browser open, subsequent connects to ZCS have the login window appear near instantly.

Hope that helps,
Mark

P.S. If anyone from Zimbra wants logs, Wireshark packet captures, etc., just let me know.
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | data storage
  #3 (permalink)  
Old 04-22-2008, 01:57 PM
Member
 
Posts: 14
Question bump

So, just to follow-up:

Are LMStone and myself crazy, or are other administrators seeing this as well?

FF3 beta appears to be wildly popular, especially for Mac users. I can't be the only admin with users jumping aboard in droves.
  #4 (permalink)  
Old 04-22-2008, 02:09 PM
Moderator
 
Posts: 511
Default

Quote:
Originally Posted by irvingpop
So, just to follow-up:

Are LMStone and myself crazy, or are other administrators seeing this as well?

FF3 beta appears to be wildly popular, especially for Mac users. I can't be the only admin with users jumping aboard in droves.

Thanks for the compliment! Usually I'm just called "different"...

Yes, we are seeing lots of non-tech users download/install FF3B5 primarily because it is so much noticeably faster than FF2.

Hope that helps,
Mark
  #5 (permalink)  
Old 04-22-2008, 02:27 PM
New Member
 
Posts: 3
Default

Quote:
Originally Posted by irvingpop
So, just to follow-up:

Are LMStone and myself crazy, or are other administrators seeing this as well?

FF3 beta appears to be wildly popular, especially for Mac users. I can't be the only admin with users jumping aboard in droves.

Yes, seeing this here with FF3b5 as well. Cross-platform.

Unable to reproduce with previous FF3 beta releases.
  #6 (permalink)  
Old 04-25-2008, 09:24 PM
Intermediate Member
 
Posts: 20
Default

I've noticed this also with just FF3b5. b4 and previous builds didn't do this.

I've also noticed the same connection speedups when reconnecting a different Zimbra session in the same browser session.

Edit :: mine was self-compiled on 64-bit Linux

Last edited by Insanity5902 : 04-25-2008 at 11:16 PM.
  #7 (permalink)  
Old 04-25-2008, 10:51 PM
Loyal Member
 
Posts: 78
Default

I have seen the same thing. Both for the Mac 10.5 and 64 bit Vista.
  #8 (permalink)  
Old 04-25-2008, 11:18 PM
Senior Member
 
Posts: 60
Default

Has anyone submitted a bug report to Zimbra on this, as the GA release of Firefox 3 is not that far away?
__________________
Cheers
Bigmudcake

I am running:
Zimbra 5.0.7 Open Source Edition on openSUSE 10.2
Zimbra 5.0.7 Open Source Edition on openSUSE 10.3 inside VirtualBox
Zimbra 5.0.7 Open Source Edition on Ubuntu Server 8.04 LTS inside VirtualBox 1.6.2
Currently testing 5.0.8 on openSUSE 11
  #9 (permalink)  
Old 04-25-2008, 11:21 PM
Intermediate Member
 
Posts: 20
Default

No b/c Firefox 3 is still in too much flux imho. It worked fine during all the other alpha and beta releases. This is the first one that it hasn't. I would wait until the RC hits. Even this beta5 included a new JS engine.

That and I am not sure it is Zimbra's/Jetty's fault. At least wait until beta 6 comes out.
  #10 (permalink)  
Old 04-28-2008, 07:09 AM
Moderator
 
Posts: 438
Default

I'm also seeing this just starting with FF3 b5. Was fine in b4.