SSL/TCP Connection termination results in RST

By TechDictator
My company is working with VeriFone and TSys to isolate issues we've seen with SSL transactions. We're being told that once one side sends a FIN, that terminates the entire conversation and indeed the other side still has data to send and when it performs a PSH, it's ignored and ultimately the connection is RST. I'm being told by both sides that this is normal. I don't believe it is. I have packet captures, but I'm not sure how to post them or share them out.

This conversation is currently closed to new comments.

All Comments

TCP flags

by SYNner In reply to SSL/TCP Connection termin ...

The FIN flag doesn't tear down a connection. It is used to signify that there is no more data from the device sending the FIN flag. Once the device sends this flag, it enters into a FIN-WAIT state and does not send any more data but can receive data. The conversation does not get terminated until both devices have sent their FINs and both FINs have been ACKed.

If what you are describing is correct, then the TCP/IP stack of one or possibly both of those systems is not implemented according to RFC 793.
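The half-close behaviour described in the reply above, as an added example that is not part of the original thread: a loopback client sends its FIN either with `shutdown(SHUT_WR)` (receive side stays open) or with `close()` (receive side is abandoned), while the server sends its final data only after seeing that FIN. The function names `late_sender` and `run` and the payloads are constructed for illustration; what the full-close case reports depends on the operating system's TCP stack.

```python
import socket
import threading
import time

def late_sender(listener, result):
    """Server side: read until the peer's FIN (EOF), then send final data."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5)
        while conn.recv(4096):            # b"" means the peer's FIN arrived
            pass
        try:
            conn.sendall(b"final-1")      # legal after a FIN: our direction is still open
            time.sleep(0.2)               # let the peer's stack answer final-1
            conn.sendall(b"final-2")      # fails if the peer answered with RST
            result["server"] = "sent"
        except (BrokenPipeError, ConnectionResetError):
            result["server"] = "reset"

def run(half_close):
    """Return what each side observed for a half-close or a full close."""
    result = {}
    listener = socket.create_server(("127.0.0.1", 0))
    worker = threading.Thread(target=late_sender, args=(listener, result))
    worker.start()
    client = socket.create_connection(listener.getsockname(), timeout=5)
    client.sendall(b"request")
    if half_close:
        client.shutdown(socket.SHUT_WR)   # FIN sent, receive side kept open
        data = b""
        while chunk := client.recv(4096): # keep reading until the server's FIN
            data += chunk
        result["client"] = data
        client.close()
    else:
        client.close()                    # FIN sent, receive side given up as well
        result["client"] = None
    worker.join()
    listener.close()
    return result

if __name__ == "__main__":
    print("half-close:", run(half_close=True))
    print("full close:", run(half_close=False))
```

In a packet capture of the full-close run, look for the RST that answers the server's first data segment after the client's FIN.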

Response to Vendor

by TechDictator In reply to TCP flags

What would be a good response to our vendor that would have them take ownership of the issue and quit blaming anything else?

Client not closing SSL session properly

by TechDictator In reply to TCP flags

As I look more at the traces, it appears the VeriFone terminal (client) does a TCP close. It does not do an SSL close_notify, as it should. The server attempts to push some final TCP data, but is ignored; it finally does its own encrypted alert, which is message type 21. I'm not sure, but I think that's decryption_failed, but that doesn't seem right, since it's a TLS message and this is SSL. After numerous attempts it finally does a close_notify & FIN, which prompts the VeriFone terminal to do a RST. It appears that the VeriFone is doing a TCP close without closing the SSL session, and then doesn't allow the other side to close its TCP session. I've since found out that the VeriFone terminal runs a firewall made by McAfee. I wonder if it's their application, IP stack, or firewall that's causing all these problems.
