Ask Your Question
0

ssl_client_cert header truncated

asked 2020-09-28 11:14:06 +0000

jes gravatar image

Some calls were failing when our application is looking for ssl_client_cert header. (flow: incoming-request --> (443>haproxy>4440) --> app_server:4440)

The current assumption is, haproxy fails to forward ssl_client_cert header sometimes.

Looking at the tcpdump, I see "[truncated]ssl_client_cert". This is while sending the packet to the backend server: question: what does it mean when a http header is marked as truncated?

Frame 6886: 2005 bytes on wire (16040 bits), 2005 bytes captured (16040 bits)
Ethernet II, Src: 02:4b:47:b5:28:12 (02:4b:47:b5:28:12), Dst: MS-NLB-PhysServer-07_38:d4:91:04 (02:07:38:d4:91:04)
Internet Protocol Version 4, Src: 192.168.53.159, Dst: 192.168.193.206
Transmission Control Protocol, Src Port: 57680, Dst Port: 4440, Seq: 1, Ack: 1, Len: 1939
Hypertext Transfer Protocol
    GET /commands/e869d1ed-a778-4b0e-a8c5-6b51ab0a7f4d HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /commands/e869d1ed-a778-4b0e-a8c5-6b51ab0a7f4d HTTP/1.1\r\n]
            [GET /commands/e869d1ed-a778-4b0e-a8c5-6b51ab0a7f4d HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /commands/e869d1ed-a778-4b0e-a8c5-6b51ab0a7f4d
        Request Version: HTTP/1.1
    Accept: application/json,application/json\r\n
    User-Agent: Jersey/2.25.1 (HttpUrlConnection 11.0.8)\r\n
    Host: ken-qa.eu10.cp.abo.com\r\n
    ssl_client_user: kenAltId:e869d1ed-a778-4b0e-a8c5-6b51ab0a7f4d|gwayId:3|tenantId:8216199|instanceId:ken-qa\r\n
     **[truncated]ssl_client_cert:** MIIEZjCCA06gAwIBAgIOFnqoiLUHXIkQAQLoMIIEZjCCA06gAwIBAgIOFnqoiLUHXIkQAQLoMIIEZjCCA06gAwIBAgIOFnqoiLUHXIkQAQLoMIIEZjCCA06gAwIBAgIOFnqoiLUHXIkQAQLoMIIEZjCCA06gAwIBAgIOFnqoiLUHXIkQAQLo
    ssl_client_cert_used: 1\r\n
    X-Forwarded-Proto: https\r\n
    X-Forwarded-For: 217.191.10.72\r\n
    Connection: close\r\n
    \r\n
    [Full request URI: http://ken-qa.eu10.cp.abo.com/commands/e869d1ed-a778-4b0e-a8c5-6b51ab0a7f4d]
    [HTTP request 1/1]
    [Response in frame: 6887]
edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-09-28 13:33:06 +0000

Jaap gravatar image

This means that, in an effort of self preservation, Wireshark decides to not show all data in that field on this line because this would be excessively long (for an arbitrary value of excessive). Look in the packet bytes pane to see what is actually contained in the field, there is more data there.

edit flag offensive delete link more

Comments

Thank you for the clarification! and if the 'ssl_client_cert' header is missing, what does it tell? I'm confused because it was missing only on some packets (about 40%) probably due to large payloads.

jes gravatar imagejes ( 2020-09-28 14:02:16 +0000 )edit

That would be down to HAProxy and a support venue for that software would probably be your best bet.

grahamb gravatar imagegrahamb ( 2020-09-28 14:31:53 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-09-28 11:14:06 +0000

Seen: 959 times

Last updated: Sep 28 '20

Related questions

Client sends [RST,ACK] on client certificate authentication

Looking for a detailed explanation on the SSL debug file

Help to read this trace

How to verify what protocol was used in an encrypted file transfer?

Application data isn't decrypted whether I choose spdy, data, http or tcp as protocol.

Is it possible that wireshark doesn't recognize protocol?

Step by step SSL decrypt with wireshark

SSL/TLS Handshake Immediately Fails

Decryted SSL tab not visible/not appearing

Can't see encrypted application data in SSL session