Solved pf TLS (https) Secure Connection Failed

Hi All,

I have an issue with pf that I have not seen documented.

Upon attempting to create a secure connection, I have often received a "Secure connection failed" message in Firefox. This is duplicated in Android (on apps such as Facebook Messenger when it attempts to create a secure connection, which then fails over to http). I have attempted to restart the pf service, which seemed to solve the issue temporarily but did not resolve it (the issue restarted shortly after the pf service restart).

I imagine that it is a problem with my pf.conf or another issue, but nothing has changed since I upgraded this server from 11.1-RELEASE to 11.2-RELEASE. I did, however, run into an issue with the upgrade where libdl.so was not installed correctly (required for bind912 service to start correctly) so I restarted the upgrade with the following parameters (run after already upgrading to 11.2-RELEASE):

freebsd-update -r 11.2-RELEASE --currently-running 11.1-RELEASE

Perhaps this could be related to an issue upgrading to 11.2-RELEASE?

Thanks
chucklz
 
Just to follow up, the issue appears to be intermittent, i.e. I can reach freebsd.org by HTTPS, but none of the custom fonts (for inbox, alerts, search) are showing up correctly. Upon investigation, it appears that the CSS for freebsd.org did not respond in < 1s (I would attach a screenshot, but apparently that functionality is broken with my Lenovo T61).
 
Are you sure the issue is with pf? I had this happen recently after updating a relative's FreeBSD router to 11.2, where mobile devices (Android/iPhone) couldn't get to sites over HTTPS, but desktops could. Ultimately I found the issue was their ISP (Charter) was giving out a weird MTU, something just below 600 bytes, and the IP packets from the phones were well over that and had the DNF bit set.

I think in the past dhclient(8) ignored MTU as delivered over DHCP, but it now honors it by default. To make a long story short, I overrode Charter's insanely small MTU in the dhclient.conf file to be back to the standard Ethernet value of 1500, and everything's peachy again.

So, check your ifconfig output first and pay close attention to MTU.
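The MTU check suggested above, as an added example that is not from this thread or any poster. The ifconfig(8) output in the block is constructed, and the interface name em0 and the threshold of 1500 are assumptions; the dhclient.conf fragment in the comments uses the supersede statement from dhclient.conf(5), which is how the DHCP-supplied interface-mtu value is overridden on FreeBSD.

```shell
#!/bin/sh
# Added example (not from the thread): list every interface in ifconfig(8)
# output whose MTU is below a threshold. Feed it "ifconfig" on a live box,
# or the constructed sample below. Interface lines look like
#   em0: flags=8843<UP,...> metric 0 mtu 576
# and the MTU is the token after "mtu".

# Usage: ifconfig | low_mtu_ifaces [threshold]   (threshold defaults to 1500)
# Prints "<ifname> <mtu>" for each interface below the threshold.
low_mtu_ifaces() {
    threshold="${1:-1500}"
    awk -v min="$threshold" '
        /^[a-z][a-z0-9]*: / {
            ifname = $1; sub(/:$/, "", ifname)
            for (i = 1; i <= NF; i++)
                if ($i == "mtu" && ($(i+1) + 0) < min)
                    print ifname, $(i+1)
        }'
}

# Constructed sample: an external interface (em0) that took a sub-600 MTU
# from DHCP, a LAN interface at the Ethernet default, and loopback.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 576
	inet 203.0.113.10 netmask 0xfffffc00 broadcast 203.0.113.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 127.0.0.1 netmask 0xff000000'

# Run the check against the sample; on the sample this reports "em0 576".
check_sample() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | low_mtu_ifaces 1500
}

# Remedy on FreeBSD, assuming the external interface is em0
# (see dhclient.conf(5); "supersede" replaces whatever the DHCP server sends):
#
#   # /etc/dhclient.conf
#   interface "em0" {
#       supersede interface-mtu 1500;
#   }
#
# then re-run the DHCP client (e.g. "service netif restart em0") and confirm
# with "ifconfig em0 | grep mtu". A path-MTU probe with the DF bit set shows
# whether full-size frames now pass: "ping -D -s 1472 <host>" (1472 bytes of
# payload + 28 bytes of IP/ICMP header = a 1500-byte packet).

check_sample
```

The awk filter compares the numeric value after `mtu` on each interface header line only, so the indented address lines are ignored; a TLS ClientHello or a certificate chain that exceeds the advertised MTU is exactly the kind of packet that gets dropped when the DF bit is set and the path MTU is that small, which matches the symptom described above.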
 
Thank you so much for the info! I did an ifconfig and my external interface shows an MTU below 600. I will try updating dhclient.conf to see if that helps.
 
Just following up:

After changing this MTU value (and informing my ISP, who was surprisingly happy that I pointed this out, as they were experiencing network issues for which they couldn't find the cause) and after many reboots (to test the new dhclient.conf), my connection appears to be working correctly.

Thank you `Orum for your help!
 