"web problems" "ssl issues"

Not sure if others are running into this or not, but we had a few vague support calls come in at once about browser 'ssl problems' and some issues with some websites 'taking forever to come up'... It looks like the common problem is bringing up pages that have

src="https://siteseal.thawte.com/cgi/server/thawte_seal_generator.exe">

embedded in the web page the end user goes to.

Depending on how the page is written, it can seem (to the end user anyways) as if the page is taking forever to come up. The browser is blocking on talking to the site seal server.

e.g. from the first SYN, it was almost 25 seconds before the Verisign/Thawte server responded.

10:37:18.894068 IP 199.212.134.18.65064 > 65.205.248.240.443: S 2515327385:2515327385(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:21.860159 IP 199.212.134.18.65064 > 65.205.248.240.443: S 2515327385:2515327385(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:27.794374 IP 199.212.134.18.65064 > 65.205.248.240.443: S 2515327385:2515327385(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:39.865205 IP 199.212.134.18.62217 > 65.205.248.242.443: S 3464052443:3464052443(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:42.881109 IP 199.212.134.18.62217 > 65.205.248.242.443: S 3464052443:3464052443(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:42.961994 IP 65.205.248.242.443 > 199.212.134.18.62217: S 3993252659:3993252659(0) ack 3464052444 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
10:37:42.962311 IP 199.212.134.18.62217 > 65.205.248.242.443: . ack 1 win 64240
10:37:42.962799 IP 199.212.134.18.62217 > 65.205.248.242.443: P 1:103(102) ack 1 win 64240
10:37:43.035470 IP 65.205.248.242.443 > 199.212.134.18.62217: . ack 103 win 1460
10:37:43.037779 IP 65.205.248.242.443 > 199.212.134.18.62217: . 1:1461(1460) ack 103 win 1460
10:37:43.041639 IP 65.205.248.242.443 > 199.212.134.18.62217: . 1461:2921(1460) ack 103 win 1460
10:37:43.042292 IP 199.212.134.18.62217 > 65.205.248.242.443: . ack 2921 win 64240
10:37:43.118203 IP 65.205.248.242.443 > 199.212.134.18.62217: P 2921:3967(1046) ack 103 win 1460
10:37:43.119345 IP 199.212.134.18.62217 > 65.205.248.242.443: P 103:285(182) ack 3967 win 63194

Network connectivity to 65.205.248.0/24 is fine for me. It looks to be at the application layer at Verisign?

Just a heads up in case your helpdesk runs into this issue as well, as it seems to be a rather obscure problem that sent us on a wild goose chase at first. Some browsers deal with it differently. On IE, most of the page does not display until the seal comes up or times out.

         ---Mike
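
An added example, not part of the original post: a small parser that measures, from tcpdump text like the capture above, how many SYNs each connection attempt needed and how long the client waited for a SYN-ACK. The function names are made up for this example; the sample input is the first six packets of the capture with the TCP options trimmed.

```python
import re

# First six packets of the capture quoted in the post, TCP options trimmed.
CAPTURE = """\
10:37:18.894068 IP 199.212.134.18.65064 > 65.205.248.240.443: S 2515327385:2515327385(0) win 64240
10:37:21.860159 IP 199.212.134.18.65064 > 65.205.248.240.443: S 2515327385:2515327385(0) win 64240
10:37:27.794374 IP 199.212.134.18.65064 > 65.205.248.240.443: S 2515327385:2515327385(0) win 64240
10:37:39.865205 IP 199.212.134.18.62217 > 65.205.248.242.443: S 3464052443:3464052443(0) win 64240
10:37:42.881109 IP 199.212.134.18.62217 > 65.205.248.242.443: S 3464052443:3464052443(0) win 64240
10:37:42.961994 IP 65.205.248.242.443 > 199.212.134.18.62217: S 3993252659:3993252659(0) ack 3464052444 win 5840
"""

# timestamp, source, destination, flags field, remainder of the line
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): (\S+) ?(.*)$")

def handshakes(text):
    """Map (client, server) -> SYN send times and the SYN-ACK time, if any."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(6) != "S":           # keep SYN and SYN-ACK only
            continue
        h, mi, s, src, dst, _, rest = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)   # no midnight rollover
        if re.search(r"\back\b", rest):          # SYN-ACK, server -> client
            flow = flows.get((dst, src))
            if flow and flow["answered"] is None:
                flow["answered"] = ts
        else:                                    # SYN or a retransmitted SYN
            flows.setdefault((src, dst), {"syns": [], "answered": None})["syns"].append(ts)
    return flows

def summarize(text):
    """One row per attempt: server, SYNs sent, seconds until SYN-ACK (or None)."""
    rows = []
    for (_, server), f in handshakes(text).items():
        wait = None if f["answered"] is None else round(f["answered"] - f["syns"][0], 3)
        rows.append({"server": server, "syn_count": len(f["syns"]), "wait_s": wait})
    return rows

def time_to_first_synack(text):
    """Seconds from the very first SYN to the first SYN-ACK on any attempt."""
    flows = list(handshakes(text).values())
    answers = [f["answered"] for f in flows if f["answered"] is not None]
    if not answers:
        return None
    return round(min(answers) - min(f["syns"][0] for f in flows), 3)

if __name__ == "__main__":
    print(summarize(CAPTURE), time_to_first_synack(CAPTURE))
```

An attempt with several SYNs and no SYN-ACK is a silent drop or an overloaded listener; a host that answers with a RST instead shows up as an immediate "connection refused" rather than a row of retransmissions.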

I hadn't thought about this until now, when I had to use our SPKI account with Thawte. It's painfully slow processing anything.

It doesn't seem that anything's amiss with latency or network otherwise, but we're noticing this impact.

I'm also just West of you, so I'm curious if it's slightly geographic in nature, as nobody else has noted similar that I've seen here.

Doubtful it's GEO related; from both ATL and SAC and IAD I get the same
DNS mappings:
;; ANSWER SECTION:
siteseal.thawte.com. 900 IN A 65.205.248.247
siteseal.thawte.com. 900 IN A 65.205.248.251
siteseal.thawte.com. 900 IN A 65.205.248.236
siteseal.thawte.com. 900 IN A 65.205.248.240
siteseal.thawte.com. 900 IN A 65.205.248.242
siteseal.thawte.com. 900 IN A 65.205.248.246

I don't, however, get any reasonable response on port 443 to these
IPs... (they all seem to be in SJC-area fyi)

Perhaps Thawte/VS is experiencing some LB or load issues?

-Chris

If any Verisign folks are around, it would make life a lot easier if an RST was sent instead of timing out like it is/was.

         ---Mike

Ask and ye shall receive:
$ t siteseal.thawte.com 443
Trying 65.205.248.251...
telnet: connect to address 65.205.248.251: Connection refused
Trying 65.205.248.236...
telnet: connect to address 65.205.248.236: Connection refused
Trying 65.205.248.240...
telnet: connect to address 65.205.248.240: Connection refused
Trying 65.205.248.242...
telnet: connect to address 65.205.248.242: Connection refused
Trying 65.205.248.246...
telnet: connect to address 65.205.248.246: Connection refused
Trying 65.205.248.247...
telnet: connect to address 65.205.248.247: Connection refused
telnet: Unable to connect to remote host: Connection refused

that happens immediately now...