An SSL puzzler

One thing I've noticed lately is that hitting NetWare SSL webpages gives me a 20-60 second lag if I hit them with Seamonkey or Firefox. IE6 doesn't give the same lag. In order to see what's happening at the network level I broke out Wireshark.

Weirdly, the IE6 trace has 6 packets until the SSLv3 Server Hello, while the Seamonkey trace takes 16 packets (and a big delay) to get there. Some other differences in the Seamonkey trace (Firefox shows the same delay, so I'm assuming similar reasons):
  • Uniformly, packet 6 in the Seamonkey trace is a FIN, ACK from the client
  • Packets 7-10 are connection tear-down
  • Packets 11-13 are connection setup
  • Packet 14 is an SSLv2 Client Hello (it was SSLv3 up there in packet 4)
  • Packet 15 is an ACK from the server
  • Packet 16 is the SSLv3 Server Hello
So what is going on that the NetWare SSL provider is not responding? It looks to me that the client, Seamonkey, is timing out and falling back to an older SSL spec. What's strange is that in the Seamonkey trace, the SSL Server Hello lists protocol SSLv3 after the SSLv2 Hello.

Another difference in the traces is that the first SSLv3 Client Hello in the Seamonkey trace includes 28 Cipher Suites, versus IE's 11. Wireshark can only identify 12 of them (for the curious, most of the identifiable ciphers are different from the IE ones). I can only suppose that the NetWare SSL provider gets this Hello and goes +++OUT OF CHEESE ERROR+++ and waits to get more sensible data.
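To make the two Client Hello shapes in those traces concrete, here is an added example (not from the original post, and not NetWare or Mozilla code) that parses both the SSLv3/TLS record-layer Client Hello and the SSLv2-compatible Client Hello, pulling out the advertised version, the cipher-suite list and any extensions, and then flags a client that re-sent its hello in an older framing or with a lower version, which is the fallback the post describes. The sample bytes are constructed in the block; the cipher-suite codes are real IANA values used only as data, and the fallback heuristic is this example's own, not the browsers' actual retry logic.

```python
"""Parse SSLv3/TLS and SSLv2-compatible Client Hellos and flag a version fallback.
Added example with constructed input; not captured traffic and not vendor code."""
import struct

# Real IANA cipher-suite codes, used here only as sample data.
SUITES_TLS = [0x002F, 0x0035, 0x000A, 0x0005]      # TLS 2-byte suite codes
SUITES_SSLV2 = [0x010080, 0x030080, 0x060040]      # SSLv2 3-byte cipher specs


def sni_extension(hostname):
    """Build a server_name (type 0) extension; hostname is a constructed value."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    data = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(data)) + data


def build_tls_hello(version=(3, 1), suites=SUITES_TLS, extensions=b""):
    """Constructed record-layer Client Hello (SSLv3 = (3,0), TLS 1.0 = (3,1))."""
    body = bytes(version) + b"\x11" * 32                       # client_version + fixed 'random'
    body += b"\x00"                                            # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                        # one compression method: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def build_sslv2_hello(version=(3, 1), suites=SUITES_SSLV2):
    """Constructed SSLv2-compatible Client Hello: 2-byte header with the high bit set."""
    specs = b"".join(s.to_bytes(3, "big") for s in suites)
    challenge = b"\x22" * 16
    msg = b"\x01" + bytes(version) + struct.pack("!HHH", len(specs), 0, len(challenge))
    msg += specs + challenge
    return struct.pack("!H", 0x8000 | len(msg)) + msg


def parse_client_hello(data):
    """Return {format, version, suites, extensions} for either hello framing."""
    if data[0] & 0x80:                                         # SSLv2 framing
        length = struct.unpack("!H", data[:2])[0] & 0x7FFF
        msg = data[2:2 + length]
        if msg[0] != 0x01:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        cs_len, sid_len, ch_len = struct.unpack("!HHH", msg[3:9])
        specs = msg[9:9 + cs_len]
        suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        return {"format": "sslv2", "version": (msg[1], msg[2]), "suites": suites, "extensions": []}
    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 34                                                   # skip client_version + random
    pos += 1 + body[pos]                                       # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                       # compression methods
    extensions = []
    if pos < len(body):                                        # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            extensions.append(etype)
            pos += 4 + elen
    return {"format": "record", "version": version, "suites": suites, "extensions": extensions}


def detect_fallback(hellos):
    """Report (index, reason) for each hello that is a step down from the one before it:
    record-layer framing replaced by SSLv2 framing, or a lower advertised version."""
    findings = []
    for i, (prev, cur) in enumerate(zip(hellos, hellos[1:]), start=1):
        if prev["format"] == "record" and cur["format"] == "sslv2":
            findings.append((i, "client fell back to SSLv2-compatible hello"))
        elif cur["version"] < prev["version"]:
            findings.append((i, "client lowered advertised version to %d.%d" % cur["version"]))
    return findings


if __name__ == "__main__":
    trace = [parse_client_hello(build_tls_hello(extensions=sni_extension("example.test"))),
             parse_client_hello(build_sslv2_hello())]
    for h in trace:
        print(h["format"], h["version"], len(h["suites"]), "suites", h["extensions"])
    print(detect_fallback(trace))
```

Run over a real capture you would feed each client-side hello, in order, from the Wireshark stream; a `detect_fallback` hit after a long gap is the signature of the behaviour described above, and the extension list of the first hello is the thing to compare against what the server actually answers.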

This is a tricky one. Tomorrow I delve into the Novell KB database and see if I can find anything like it. If that and the support forums turn up nothing, I'll call it in.

PS: I'd post some packet traces, but Wireshark here on openSUSE 10.2 is crashing hard every time I try to bring up a 'browse files' window. This makes saving traces difficult.

1 Comment

For now you can work around this problem by disabling TLS 1.0 in Firefox (and probably SeaMonkey--no experience there). The problem is even worse with IE 7 on Vista, but again can be worked around by disabling TLS 1.0. I found out about this after complaints from home users with Vista trying to get into our GroupWise WebAccess and our NetStorage. It has been rumored that this will be fixed in NW65SP7. It has also been rumored that patch wsock6m (not yet released) will provide the fix in advance of SP7.