Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 28 subscribers
  • Views 2826 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL / TLS inspection, "Server did not respond to client hello" message meaning

Petr Odvarka1

Hello,

I found this discussion : https://community.sophos.com/sophos-xg-firewall/f/discussions/129553/ssl-inspection-microsoft-stream-server-did-not-respond-to-client-hello

but this does not give answer for question what message "Server did not respond to client hello" means and why it happens.

I tried to investigate reason of problems with bad opening of several web pages - they were opening partially. I had to use refresh of opening several times before whole page opened.  And I saw message "Server did not respond to client hello" connected with some of them. Decrease of MSS did not help. Suppose that decrease of MSS is equivalent of decrease of MTU (for TCP only of course). I verified it by sniffing. I set MSS to 1350 at external interface of XG and see packet with size of 1404 bytes with 1350 size of TCP packet.

But I still see many error events with reason "Server did not respond to client hello". For instance :

SSL/TLS inspection
2021-08-25 12:27:23
Do not decrypt
19004
2
Maximum compatibility
192.168.105.50
104.208.16.90
Information Technology
browser.pipe.aria.microsoft.com
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL/TLS inspection
2021-08-25 12:19:59
Error
19006
2
Maximum compatibility
192.168.105.50
52.182.143.208
Information Technology
browser.pipe.aria.microsoft.com
Dropped due to TLS engine error: FLOW_TIMEOUT[5]
SSL/TLS inspection
2021-08-25 12:19:26
Error
19006
2
Maximum compatibility
192.168.105.50
52.182.143.208
Information Technology
browser.pipe.aria.microsoft.com
Dropped due to TLS engine error: FLOW_TIMEOUT[5]
SSL/TLS inspection
2021-08-25 12:15:31
Do not decrypt
19004
2
Maximum compatibility
192.168.105.50
20.50.201.200
Information Technology
browser.pipe.aria.microsoft.com
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL/TLS inspection
2021-08-25 12:06:33
Do not decrypt
19004
2
Maximum compatibility
192.168.105.50
104.208.16.90
Information Technology
browser.pipe.aria.microsoft.com
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL/TLS inspection
2021-08-25 12:06:30
Error
19017
2
Maximum compatibility
192.168.105.50
104.208.16.90
Information Technology
browser.pipe.aria.microsoft.com
Server did not respond to client hello
SSL/TLS inspection
2021-08-25 12:06:30
Error
19017
2
Maximum compatibility
192.168.105.50
104.208.16.90
Information Technology
browser.pipe.aria.microsoft.com
Server did not respond to client hello
SSL/TLS inspection
2021-08-25 11:34:26

 

Strange is, that some traffic to the same URL is Log subtype Do not decrypt, and some are Error with different reasons.

I see this event with these FQDNs : 

www.sophos.com

browser.pipe.aria.microsoft.com
ic3.events.data.microsoft.com
self.events.data.microsoft.com
v10.events.data.microsoft.com

mobile.pipe.aria.microsoft.com
teams.events.data.microsoft.com
browser.events.data.msn.com

but with several else. 

I do not know whether is the indication of problem, but I would like to just now what can cause this message.

Best regards,

Petr



This thread was automatically locked due to age.
  • 0

    Generally speaking the DPI engine does not get any answer to the Client Hello.

    Here you see the TLS Handshake: https://tls.ulfheim.net/

    And nobody seems to reply to the client hello.

  • 0 in reply to LuCar Toni

    thank you Toni; do I undestand it well that from side of firewall this message is only info and problem is between server and client ?

    I made some more detailed investigation and I saw briefly three different cases : 

    1. case - no problem at XG; sequence of packets is next :

       3way handshake
       Client hello from client
       ACK from server
       Server hello from server
       Change cipher from client
       ACK from server
       continuous traffic

    2. case - message Server did not respond to client hello at XG and real problem in sniff; sequence is next :

       3way handshake
       Client hello from client
       ACK from server
       FIN or RST from server (probably due to version of TLS)

    3. case (the stragest one) - message Server did not respond to client hello at XG and standard sequence in sniff; it is next one : 

       3way handshake
       Client hello from client
       ACK from server
       Server hello from server
       Change cipher from client
       ACK from server
       Application data from server
       ACK from client
       FIN from client

    see pictures :

    Petr

  • 0 in reply to Petr Odvarka1

    You should create a case to get this investigated.