Disclaimer: Yeah, yeah, I know FF3 is still in beta. I'm posting this for the public good.


Firefox 3 users may have already noticed a 20-30 second delay when connecting to Zimbra via https, both to the zimbra and ZimbraAdmin services.

From what I've found, Firefox 3 is sending a TLS Client Hello message, but the server (Jetty) never responds with a TLS Server Hello message. After about 20-30 seconds, Firefox 3 gives up and drops back to SSLv3. SSLv3 works as normal.

I haven't noticed any TLS issues like this between FF3 and Apache or Tomcat. Other browsers are using TLS to Jetty just fine. My assumption is that there must be something funny that FF3 is sending in the TLS Client Hello message that Jetty doesn't like.

Any pointers on how to debug this further to provide a usable bug report to the faulting party?



Packet capture from Ethereal.
Notice the time jump between packets 5 and 6, with no TLS Server Hello message. At packet 10, SSLv3 initiates just fine.

Code:
1   0.000000 172.16.20.147 -> 172.16.20.51 TCP 59247 > https [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=2
2   0.016308 172.16.20.51 -> 172.16.20.147 TCP https > 59247 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=2
3   0.019622 172.16.20.147 -> 172.16.20.51 TCP 59247 > https [ACK] Seq=1 Ack=1 Win=65700 Len=0
4   0.023145 172.16.20.147 -> 172.16.20.51 TLS Client Hello
5   0.023171 172.16.20.51 -> 172.16.20.147 TCP https > 59247 [ACK] Seq=1 Ack=173 Win=6912 Len=0
6  27.941715 172.16.20.147 -> 172.16.20.51 TCP 59247 > https [FIN, ACK] Seq=173 Ack=1 Win=65700 Len=0
7  27.943256 172.16.20.147 -> 172.16.20.51 TCP 59249 > https [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=2
8  27.943391 172.16.20.51 -> 172.16.20.147 TCP https > 59249 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=2
9  27.943411 172.16.20.147 -> 172.16.20.51 TCP 59249 > https [ACK] Seq=1 Ack=1 Win=65700 Len=0
10  27.946558 172.16.20.147 -> 172.16.20.51 SSLv2 Client Hello
11  27.946734 172.16.20.51 -> 172.16.20.147 TCP https > 59249 [ACK] Seq=1 Ack=82 Win=5840 Len=0
12  27.964218 172.16.20.51 -> 172.16.20.147 TCP https > 59247 [FIN, ACK] Seq=1 Ack=174 Win=6912 Len=0
13  27.964886 172.16.20.147 -> 172.16.20.51 TCP 59247 > https [ACK] Seq=174 Ack=2 Win=65700 Len=0
14  28.017420 172.16.20.51 -> 172.16.20.147 SSLv3 Server Hello, Certificate, Server Key Exchange, Server Hello Done
15  28.023431 172.16.20.147 -> 172.16.20.51 SSLv3 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
16  28.023463 172.16.20.51 -> 172.16.20.147 TCP https > 59249 [ACK] Seq=1216 Ack=264 Win=6912 Len=0
17  28.037937 172.16.20.51 -> 172.16.20.147 SSLv3 Change Cipher Spec
18  28.038197 172.16.20.51 -> 172.16.20.147 SSLv3 Encrypted Handshake Message

Ethereal output of FF3's TLS Client Hello message

Code:
Secure Socket Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 167
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 163
            Version: TLS 1.0 (0x0301)
            Random.gmt_unix_time: Jan  6, 1970 12:46:38.000000000
            Random.bytes
            Session ID Length: 0
            Cipher Suites Length: 68
            Cipher Suites (34 suites)
                Cipher Suite: Unknown (0xc00a)
                Cipher Suite: Unknown (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: Unknown (0xc00f)
                Cipher Suite: Unknown (0xc005)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: Unknown (0xc007)
                Cipher Suite: Unknown (0xc009)
                Cipher Suite: Unknown (0xc011)
                Cipher Suite: Unknown (0xc013)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: Unknown (0xc00c)
                Cipher Suite: Unknown (0xc00e)
                Cipher Suite: Unknown (0xc002)
                Cipher Suite: Unknown (0xc004)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: Unknown (0xc008)
                Cipher Suite: Unknown (0xc012)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: Unknown (0xc00d)
                Cipher Suite: Unknown (0xc003)
                Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 54
            Extension: server_name
                Type: server_name (0x0000)
                Length: 28
                Data (28 bytes)
            Extension: Unknown 10
                Type: Unknown (0x000a)
                Length: 8
                Data (8 bytes)
            Extension: Unknown 11
                Type: Unknown (0x000b)
                Length: 2
                Data (2 bytes)
            Extension: EAP-FAST PAC-Opaque
                Type: EAP-FAST PAC-Opaque (0x0023)
                Length: 0
                Data (0 bytes)

TLS Client Hello message from FF2, for posterity

Code:
Secure Socket Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 151
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 147
            Version: TLS 1.0 (0x0301)
            Random.gmt_unix_time: Dec 31, 1969 22:50:13.000000000
            Random.bytes
            Session ID Length: 0
            Cipher Suites Length: 56
            Cipher Suites (28 suites)
                Cipher Suite: Unknown (0xc00a)
                Cipher Suite: Unknown (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: Unknown (0xc00f)
                Cipher Suite: Unknown (0xc005)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: Unknown (0xc007)
                Cipher Suite: Unknown (0xc009)
                Cipher Suite: Unknown (0xc011)
                Cipher Suite: Unknown (0xc013)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: Unknown (0xc00c)
                Cipher Suite: Unknown (0xc00e)
                Cipher Suite: Unknown (0xc002)
                Cipher Suite: Unknown (0xc004)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: Unknown (0xc008)
                Cipher Suite: Unknown (0xc012)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: Unknown (0xc00d)
                Cipher Suite: Unknown (0xc003)
                Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 50
            Extension: server_name
                Type: server_name (0x0000)
                Length: 28
                Data (28 bytes)
            Extension: Unknown 10
                Type: Unknown (0x000a)
                Length: 8
                Data (8 bytes)
            Extension: Unknown 11
                Type: Unknown (0x000b)
                Length: 2
                Data (2 bytes)
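
To narrow down what the FF3 Client Hello carries that the FF2 one does not, the two Ethereal text dissections can be diffed by hex code. This is an added example, not part of the original post; `parse_hello` and `only_in_first` are hypothetical helper names, and the embedded sample is a shortened, constructed excerpt of the two dumps above.

```python
import re

# Ethereal prints each offered suite as "Cipher Suite: NAME (0xNNNN)" and each
# extension as "Type: NAME (0xNNNN)"; the hex code is the stable identifier,
# since older dissectors show many codes as "Unknown".
LINE = re.compile(r"^\s*(Cipher Suite|Type): (.+?) \((0x[0-9a-fA-F]{4})\)\s*$")

def parse_hello(text):
    """Return ({suite_code: name}, {extension_code: name}) from a text dissection."""
    suites, exts = {}, {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            kind, name, code = m.groups()
            (suites if kind == "Cipher Suite" else exts)[code.lower()] = name
    return suites, exts

def only_in_first(a_text, b_text):
    """Codes offered in hello A but absent from hello B, in A's order."""
    a_suites, a_exts = parse_hello(a_text)
    b_suites, b_exts = parse_hello(b_text)
    return ([c for c in a_suites if c not in b_suites],
            [c for c in a_exts if c not in b_exts])

# Constructed sample: shortened excerpts of the FF3 and FF2 dumps above.
FF3 = """\
Handshake Type: Client Hello (1)
Version: TLS 1.0 (0x0301)
    Cipher Suite: Unknown (0xc00a)
    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Type: server_name (0x0000)
        Type: Unknown (0x000a)
        Type: EAP-FAST PAC-Opaque (0x0023)
"""
# Same excerpt without the CAMELLIA suites and without extension 0x0023.
FF2 = "\n".join(l for l in FF3.splitlines()
                if "CAMELLIA" not in l and "0x0023" not in l)

if __name__ == "__main__":
    suites, exts = only_in_first(FF3, FF2)
    print("suites only in FF3:    ", suites)
    print("extensions only in FF3:", exts)
```

Run over the full dumps above, the FF3-only items are the six CAMELLIA suites and extension type 0x0023, which gives a short list of differences to put in a bug report.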