All, I have an HP VuGen client that is using 2 TCP/IP connections to do the TLS v1.2 handshake with my server when mutual authentication is enabled.
According to Wireshark, the sequence is approximately this:
- Client SYN
- TLS v1.2 client hello
- Server sends server hello, certificate, server key exchange, certificate request, server hello done
- Client FINs the old connection
- Client SYNs a new connection
- Server handshake failure on the old connection (out of order packet)
- TLS v1.2 client hello
- Server hello, certificate, server key exchange, certificate request, server hello done
- (everything is ok after this)
Neither OpenSSL nor a standalone Java client exhibits this same behavior. When the server asks for the client certificate the first time, they send it.
With VuGen, I can't see anything different about the two client hello messages, nor the server responses. There are definitely two connections, though, because there are 2 FINs from the client using 2 different outbound ports.
I would like to prevent this because I don't think our production clients do this (since neither OpenSSL nor a Java app does it).
FWIW, it doesn't matter whether I go through a load balancer or not. I get the same behavior.
I believe this has something to do with the server asking for the client certificate because the same server has another non-MA port open that is otherwise configured the same and the VuGen client only makes a single connection there.
Thanks
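An added illustration, not part of the original post: a small Python checker over a constructed event timeline modelled on the Wireshark sequence above. It walks each TCP flow (keyed by client port) and flags a flow the client closed after the server's CertificateRequest without ever sending its own Certificate, which is the pattern described. Port numbers, frame numbers and message labels are constructed for the example, not taken from the real capture.

```python
from collections import defaultdict

# Constructed sample timeline modelled on the sequence in the post.
# Tuples are (frame, client_port, message); "C:" marks client-sent
# records, "S:" marks server-sent records.
SAMPLE = [
    (1, 50001, "C:SYN"), (2, 50001, "C:ClientHello"),
    (3, 50001, "S:ServerHello"), (4, 50001, "S:Certificate"),
    (5, 50001, "S:ServerKeyExchange"), (6, 50001, "S:CertificateRequest"),
    (7, 50001, "S:ServerHelloDone"),
    (8, 50001, "C:FIN"),                      # client abandons flow 1
    (9, 50002, "C:SYN"),                      # and opens flow 2
    (10, 50001, "S:Alert(handshake_failure)"),
    (11, 50002, "C:ClientHello"),
    (12, 50002, "S:ServerHello"), (13, 50002, "S:Certificate"),
    (14, 50002, "S:ServerKeyExchange"), (15, 50002, "S:CertificateRequest"),
    (16, 50002, "S:ServerHelloDone"),
    (17, 50002, "C:Certificate"), (18, 50002, "C:ClientKeyExchange"),
    (19, 50002, "C:CertificateVerify"), (20, 50002, "C:Finished"),
    (21, 50002, "S:Finished"),
]


def classify_flows(events):
    """Return {client_port: verdict} for every TCP flow in the timeline."""
    state = defaultdict(lambda: {"cert_requested": False, "client_cert": False,
                                 "abandoned": False, "finished": False})
    for _frame, port, msg in sorted(events):
        f = state[port]
        if msg == "S:CertificateRequest":
            f["cert_requested"] = True
        elif msg == "C:Certificate":
            f["client_cert"] = True
        elif msg == "C:FIN" and f["cert_requested"] and not f["client_cert"]:
            # Closed between CertificateRequest and the client's Certificate.
            f["abandoned"] = True
        elif msg == "S:Finished":
            f["finished"] = True
    verdicts = {}
    for port, f in state.items():
        if f["finished"]:
            verdicts[port] = "completed"
        elif f["abandoned"]:
            verdicts[port] = "abandoned_after_certificate_request"
        else:
            verdicts[port] = "incomplete"
    return verdicts


def abandoned_count(events):
    """How many flows the client dropped right after being asked for a cert."""
    return sum(v == "abandoned_after_certificate_request"
               for v in classify_flows(events).values())
```

Running it on the sample reports flow 50001 as abandoned after the certificate request and flow 50002 as completed, so a client that behaves like OpenSSL or the Java client should yield a count of zero.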