We Keep Coding

How to differentiate tls content type in tcpdump output?

I have a tcpdump command that captures tcp handshake (0x16) and cipher change (0x14) packets. I'd like to be able to look at the output and see which ones are the handshake and which ones are the cipher change. Is there any way to alter the format of the output to show that information?
I could save it to a file and look at it in wireshark but I want to see that information in the CLI output.
tcpdump -i eth -nn -v port 48240 and '((tcp[((tcp[12] & 0xf0) >>2)] = 0x16) or (tcp[((tcp[12] & 0xf0) >>2)] = 0x14))'
dropped privs to tcpdump
tcpdump: listening on eth, link-type EN10MB (Ethernet), capture size 262144 bytes
10:03:31.999584 IP (tos 0x0, ttl 64, id 57840, offset 0, flags [DF], proto TCP (6), length 85)
10.118.192.12.2182 > 10.118.192.11.48240: Flags [P.], cksum 0x93d2 (correct), seq 3711068413:3711068446, ack 1143145831, win 16993, options [nop,nop,TS val 1192314306 ecr 1000785770], length 33
10:03:32.000338 IP (tos 0x0, ttl 64, id 4324, offset 0, flags [DF], proto TCP (6), length 326)
10.118.192.11.48240 > 10.118.192.12.2182: Flags [P.], cksum 0x96d4 (incorrect -> 0x8a16), seq 1:275, ack 33, win 16923, options [nop,nop,TS val 1000786035 ecr 1192314306], length 274
10:03:32.000802 IP (tos 0x0, ttl 64, id 57842, offset 0, flags [DF], proto TCP (6), length 190)
10.118.192.12.2182 > 10.118.192.11.48240: Flags [P.], cksum 0x2745 (correct), seq 33:171, ack 275, win 16993, options [nop,nop,TS val 1192314307 ecr 1000786035], length 138
10:03:32.000903 IP (tos 0x0, ttl 64, id 57843, offset 0, flags [DF], proto TCP (6), length 82)
10.118.192.12.2182 > 10.118.192.11.48240: Flags [P.], cksum 0x3df9 (correct), seq 171:201, ack 275, win 16993, options [nop,nop,TS val 1192314307 ecr 1000786035], length 30
10:03:32.000961 IP (tos 0x0, ttl 64, id 57844, offset 0, flags [DF], proto TCP (6), length 97)
10.118.192.12.2182 > 10.118.192.11.48240: Flags [P.], cksum 0x10ed (correct), seq 201:246, ack 275, win 16993, options [nop,nop,TS val 1192314307 ecr 1000786035], length 45
10:03:32.001095 IP (tos 0x0, ttl 64, id 4326, offset 0, flags [DF], proto TCP (6), length 82)
10.118.192.11.48240 > 10.118.192.12.2182: Flags [P.], cksum 0x95e0 (incorrect -> 0x796b), seq 275:305, ack 246, win 16923, options [nop,nop,TS val 1000786036 ecr 1192314307], length 30
10:03:32.001135 IP (tos 0x0, ttl 64, id 4327, offset 0, flags [DF], proto TCP (6), length 97)
10.118.192.11.48240 > 10.118.192.12.2182: Flags [P.], cksum 0x95ef (incorrect -> 0x6ae6), seq 305:350, ack 246, win 16923, options [nop,nop,TS val 1000786036 ecr 1192314307], length 45
10:07:43.518141 IP (tos 0x0, ttl 64, id 6012, offset 0, flags [DF], proto TCP (6), length 26896)
10.118.192.11.48240 > 10.118.192.12.2182: Flags [.], cksum 0xfe9e (incorrect -> 0x208f), seq 3235659:3262503, ack 3057000, win 16923, options [nop,nop,TS val 1001037553 ecr 1192565825], length 26844

Early SSL Termination

SSL works from a VPN client but fails over the GCP-PaloAlto VPN tunnel.
The server is an on-prem Keycloak (version 13.0.0)
Attempt from VPN Client (Successful)
# openssl s_client -connect fqdn:443 -servername fqdn -tls1_2 --prexit
CONNECTED(00000005)
[...]
depth=0 CN = <fqdn>
verify return:1
---
Certificate chain
0 s:CN = <fqdn>
[...]
---
Server certificate
[...]
subject=CN = <fqdn>
issuer=C = US, O = Let's Encrypt, CN = R3
---
[...]
---
SSL handshake has read 4672 bytes and written 311 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
[...]
---
closed
---
Certificate chain
0 s:CN = <fqdn>
[...]
---
Server certificate
[...]
subject=CN = <fqdn>
issuer=C = US, O = Let's Encrypt, CN = R3
[...]
tcpdump from the working client
19:32:09.582389 IP CLIENT.51013 > SERVER.https: Flags [S], seq 3647907685, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 350978343 ecr 0,sackOK,eol], length 0
19:32:09.582551 IP SERVER.https > CLIENT.51013: Flags [S.], seq 3495009322, ack 3647907686, win 65160, options [mss 1460,sackOK,TS val 2099619205 ecr 350978343,nop,wscale 7], length 0
19:32:09.596385 IP CLIENT.51013 > SERVER.https: Flags [.], ack 1, win 2064, options [nop,nop,TS val 350978356 ecr 2099619205], length 0
19:32:09.596385 IP CLIENT.51013 > SERVER.https: Flags [P.], seq 1:219, ack 1, win 2064, options [nop,nop,TS val 350978356 ecr 2099619205], length 218
19:32:09.596502 IP SERVER.https > CLIENT.51013: Flags [.], ack 219, win 508, options [nop,nop,TS val 2099619219 ecr 350978356], length 0
19:32:09.596976 IP SERVER.https > CLIENT.51013: Flags [P.], seq 1:2697, ack 219, win 508, options [nop,nop,TS val 2099619219 ecr 350978356], length 2696
19:32:09.597009 IP SERVER.https > CLIENT.51013: Flags [P.], seq 2697:4097, ack 219, win 508, options [nop,nop,TS val 2099619219 ecr 350978356], length 1400
19:32:09.599161 IP SERVER.https > CLIENT.51013: Flags [P.], seq 4097:4415, ack 219, win 508, options [nop,nop,TS val 2099619221 ecr 350978356], length 318
19:32:09.612262 IP CLIENT.51013 > SERVER.https: Flags [.], ack 1349, win 2043, options [nop,nop,TS val 350978368 ecr 2099619219], length 0
19:32:09.612262 IP CLIENT.51013 > SERVER.https: Flags [.], ack 2697, win 2022, options [nop,nop,TS val 350978368 ecr 2099619219], length 0
19:32:09.612262 IP CLIENT.51013 > SERVER.https: Flags [.], ack 4045, win 2000, options [nop,nop,TS val 350978368 ecr 2099619219], length 0
19:32:09.612262 IP CLIENT.51013 > SERVER.https: Flags [.], ack 4097, win 2000, options [nop,nop,TS val 350978368 ecr 2099619219], length 0
19:32:09.612262 IP CLIENT.51013 > SERVER.https: Flags [.], ack 4097, win 2048, options [nop,nop,TS val 350978368 ecr 2099619219], length 0
19:32:09.614194 IP CLIENT.51013 > SERVER.https: Flags [.], ack 4415, win 2043, options [nop,nop,TS val 350978369 ecr 2099619221], length 0
19:32:09.614194 IP CLIENT.51013 > SERVER.https: Flags [P.], seq 219:312, ack 4415, win 2048, options [nop,nop,TS val 350978370 ecr 2099619221], length 93
19:32:09.614248 IP SERVER.https > CLIENT.51013: Flags [.], ack 312, win 508, options [nop,nop,TS val 2099619236 ecr 350978370], length 0
19:32:09.614711 IP SERVER.https > CLIENT.51013: Flags [P.], seq 4415:4673, ack 312, win 508, options [nop,nop,TS val 2099619237 ecr 350978370], length 258
19:32:09.626178 IP CLIENT.51013 > SERVER.https: Flags [.], ack 4673, win 2043, options [nop,nop,TS val 350978384 ecr 2099619237], length 0
19:33:09.651599 IP SERVER.https > CLIENT.51013: Flags [P.], seq 4673:4704, ack 312, win 508, options [nop,nop,TS val 2099679274 ecr 350978384], length 31
19:33:09.651690 IP SERVER.https > CLIENT.51013: Flags [F.], seq 4704, ack 312, win 508, options [nop,nop,TS val 2099679274 ecr 350978384], length 0
19:33:09.678658 IP CLIENT.51013 > SERVER.https: Flags [.], ack 4704, win 2047, options [nop,nop,TS val 351038150 ecr 2099679274], length 0
19:33:09.678806 IP CLIENT.51013 > SERVER.https: Flags [.], ack 4705, win 2047, options [nop,nop,TS val 351038150 ecr 2099679274], length 0
19:33:09.680749 IP CLIENT.51013 > SERVER.https: Flags [P.], seq 312:343, ack 4705, win 2048, options [nop,nop,TS val 351038150 ecr 2099679274], length 31
19:33:09.680749 IP CLIENT.51013 > SERVER.https: Flags [F.], seq 343, ack 4705, win 2048, options [nop,nop,TS val 351038150 ecr 2099679274], length 0
19:33:09.680824 IP SERVER.https > CLIENT.51013: Flags [R], seq 3495014027, win 0, length 0
19:33:09.680888 IP SERVER.https > CLIENT.51013: Flags [R], seq 3495014027, win 0, length 0
Attempt from GCP Instance (Unsuccessful)
# openssl s_client -connect fqdn:443 -servername fqdn -tls1_2 --prexit
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 212 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
[...]
SSL-Session:
Protocol : TLSv1.2
[...]
---
tcpdump from the client that doesn't work
19:36:01.818130 IP CLIENT.55282 > SERVER.https: Flags [S], seq 3880590205, win 65320, options [mss 1350,sackOK,TS val 3904950778 ecr 0,nop,wscale 7], length 0
19:36:01.818241 IP SERVER.https > CLIENT.55282: Flags [S.], seq 1198318204, ack 3880590206, win 65160, options [mss 1460,sackOK,TS val 2676835275 ecr 3904950778,nop,wscale 7], length 0
19:36:01.829890 IP CLIENT.55282 > SERVER.https: Flags [.], ack 1, win 511, options [nop,nop,TS val 3904950791 ecr 2676835275], length 0
19:37:01.890295 IP SERVER.https > CLIENT.55282: Flags [F.], seq 1, ack 1, win 510, options [nop,nop,TS val 2676895347 ecr 3904950791], length 0
19:37:02.105125 IP SERVER.https > CLIENT.55282: Flags [F.], seq 1, ack 1, win 510, options [nop,nop,TS val 2676895562 ecr 3904950791], length 0
19:37:02.321181 IP SERVER.https > CLIENT.55282: Flags [F.], seq 1, ack 1, win 510, options [nop,nop,TS val 2676895778 ecr 3904950791], length 0
19:37:02.753156 IP SERVER.https > CLIENT.55282: Flags [F.], seq 1, ack 1, win 510, options [nop,nop,TS val 2676896210 ecr 3904950791], length 0
19:37:03.617211 IP SERVER.https > CLIENT.55282: Flags [F.], seq 1, ack 1, win 510, options [nop,nop,TS val 2676897074 ecr 3904950791], length 0
19:37:05.345180 IP SERVER.https > CLIENT.55282: Flags [F.], seq 1, ack 1, win 510, options [nop,nop,TS val 2676898802 ecr 3904950791], length 0
19:37:08.769186 IP SERVER.https > CLIENT.55282: Flags [F.], seq 1, ack 1, win 510, options [nop,nop,TS val 2676902226 ecr 3904950791], length 0
19:37:15.681150 IP SERVER.https > CLIENT.55282: Flags [F.], seq 1, ack 1, win 510, options [nop,nop,TS val 2676909138 ecr 3904950791], length 0
Not sure if it matters, but a difference I have observed is the MTU of the networks.
VPN Client can ping the server with up to size 1372
GCP node can ping the server with up to size 1362

Turns out, it was a case of asynchronous routing. Two on-prem sites were advertising the same route but only one of them had the network.
In summary:
SYN: GCP -> SITE A
ACK, SYN: SITE A -> GCP
ACK: GCP -(through SITE B)-> SITE A
FIN: SITE A doesn't like that the ACK came though a different tunnel then the one used to send the SYN.
Terminates the connection and sends a FIN.

Cannot connect to redis server running in a different network namespace

Setup:
created a network namespace.
created a veth pair vetha and vethb with vethb end in the
namespace and other in the host.
added an ip 192.168.122.50 to the vethb
Started a redis server in a container in that network namespace
Sending requests to the redis server directly from the client running on same host named as secondaryvm. However, it throws : Failed to connect to Redis: Connection timed out error. Cannot understand why is this happening, so looked at tcpdump stream by sniffing on vetha, same is posted below:
21:48:33.764967 IP (tos 0x0, ttl 64, id 31361, offset 0, flags [DF], proto TCP (6), length 60)
secondaryvm.34540 > 192.168.122.50.6379: Flags [S], cksum 0x75d6 (incorrect -> 0xe169), seq 3863373484, win 64240, options [mss 1460,sackOK,TS val 3417390465 ecr 0,nop,wscale 7], length 0
21:48:38.884975 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.122.50 tell secondaryvm, length 28
21:48:38.885101 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.122.50 is-at 1a:8c:7f:8b:4d:e0 (oui Unknown), length 28
21:49:16.138726 IP (tos 0x0, ttl 64, id 29195, offset 0, flags [DF], proto TCP (6), length 60)
secondaryvm.34544 > 192.168.122.50.6379: Flags [S], cksum 0x75d6 (incorrect -> 0xe563), seq 550142628, win 64240, options [mss 1460,sackOK,TS val 3417432839 ecr 0,nop,wscale 7], length 0
21:49:17.156952 IP (tos 0x0, ttl 64, id 29196, offset 0, flags [DF], proto TCP (6), length 60)
secondaryvm.34544 > 192.168.122.50.6379: Flags [S], cksum 0x75d6 (incorrect -> 0xe169), seq 550142628, win 64240, options [mss 1460,sackOK,TS val 3417433857 ecr 0,nop,wscale 7], length 0
21:49:19.173031 IP (tos 0x0, ttl 64, id 29197, offset 0, flags [DF], proto TCP (6), length 60)
secondaryvm.34544 > 192.168.122.50.6379: Flags [S], cksum 0x75d6 (incorrect -> 0xd989), seq 550142628, win 64240, options [mss 1460,sackOK,TS val 3417435873 ecr 0,nop,wscale 7], length 0
21:49:22.405182 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.122.50 tell secondaryvm, length 28
21:49:22.405262 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.122.50 is-at 1a:8c:7f:8b:4d:e0 (oui Unknown), length 28
21:49:23.429054 IP (tos 0x0, ttl 64, id 29198, offset 0, flags [DF], proto TCP (6), length 60)
secondaryvm.34544 > 192.168.122.50.6379: Flags [S], cksum 0x75d6 (incorrect -> 0xc8e9), seq 550142628, win 64240, options [mss 1460,sackOK,TS val 3417440129 ecr 0,nop,wscale 7], length 0
21:49:31.621030 IP (tos 0x0, ttl 64, id 29199, offset 0, flags [DF], proto TCP (6), length 60)
secondaryvm.34544 > 192.168.122.50.6379: Flags [S], cksum 0x75d6 (incorrect -> 0xa8e9), seq 550142628, win 64240, options [mss 1460,sackOK,TS val 3417448321 ecr 0,nop,wscale 7], length 0
21:49:47.749024 IP (tos 0x0, ttl 64, id 29200, offset 0, flags [DF], proto TCP (6), length 60)
secondaryvm.34544 > 192.168.122.50.6379: Flags [S], cksum 0x75d6 (incorrect -> 0x69e9), seq 550142628, win 64240, options [mss 1460,sackOK,TS val 3417464449 ecr 0,nop,wscale 7], length 0
21:50:20.261084 IP (tos 0x0, ttl 64, id 29201, offset 0, flags [DF], proto TCP (6), length 60)
secondaryvm.34544 > 192.168.122.50.6379: Flags [S], cksum 0x75d6 (incorrect -> 0xeae8), seq 550142628, win 64240, options [mss 1460,sackOK,TS val 3417496961 ecr 0,nop,wscale 7], length 0
21:50:25.381045 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.122.50 tell secondaryvm, length 28
21:50:25.381176 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.122.50 is-at 1a:8c:7f:8b:4d:e0 (oui Unknown), length 28
Redis server is up and the client is getting connected to it according to the terminal output but not according to the tcpdump output. according to tcpdump output, client is trying to connect but didn't achieve the connection establishment successfully.
Terminal output at the client side:
========================100==================================================
terminate called after throwing an instance of 'sw::redis::TimeoutError'
what(): Failed to connect to Redis: Connection timed out
Aborted (core dumped)
Client's code(written in redis-plus-plus):
int main(){
auto redis = Redis("tcp://192.168.122.50:6379);
sleep(5);
int ep = 100;
while(true){
cout<<"===================="<<ep<<"======================\n";
auto pipe = redis.pipeline(false);
for(int i=1; i<=500; i++){
string s = to_string(i);
if(i%2 == 1){
pipe.set(s, s);
}
else {
string st = to_string(i-1);
pipe.get(st);
}
}
auto pipe_replies = pipe.exec();
pipe.discard();
}
According to the terminal's output, it successfully established the connection.
Cannot understand what is happening here.
Is it like line auto redis = Redis("tcp://192.168.122.50:6379"); doesn't establish the connection?
redis-server is surely up then why the connection is not established looking at the tcp stream?
Redis version 6.0.9 and IT IS running on port 6379.
How to prevent this error?
EDIT:
I've followed below steps/commands to set up network namespace:
#!/bin/bash
sudo ip netns ls
sudo ip netns add alpine_network
sudo ip link add name veth-host type veth peer name veth-alpine
sudo ip link set veth-alpine netns alpine_network
sudo ip netns exec alpine_network ip addr add 192.168.122.50/24 dev veth-alpine
sudo ip netns exec alpine_network ip link set veth-alpine up
sudo ip netns exec alpine_network ip link set lo up
sudo ip link set veth-host up
sudo ip route add 192.168.122.50/32 dev veth-host
sudo ip netns exec alpine_network ip route add default via 192.168.122.50 dev veth-alpine

Checksum incorrect while doing ssh [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
Suddenly I was not able to ssh to any machine. I thought it to be my router/network issue & I tried it with different network but the result was same. I took tcp dump on both server & client and found that the checksum is incorrect. Client is on MacOS 10.12.6 & server is running Ubuntu.
Below is the TCP dump of both server and client.
server
sudo tcpdump -n -vvv -n dst host 59.90.xxx.xxx
06:51:41.285561 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.128.x.xx.22 > 59.90.xxx.xxx.54341: Flags [S.], cksum 0xb1fb (incorrect -> 0x0b7d), seq 1875710046, ack 3542782445, win 28160, options [mss 1420,sackOK,TS val 1107257724 ecr 875004811,nop,wscale 7], length 0
06:51:42.287868 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.128.x.xx.22 > 59.90.xxx.xxx.54341: Flags [S.], cksum 0xb1fb (incorrect -> 0x0a82), seq 1875710046, ack 3542782445, win 28160, options [mss 1420,sackOK,TS val 1107257975 ecr 875004811,nop,wscale 7], length 0
06:51:42.288005 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.128.x.xx.22 > 59.90.xxx.xxx.54341: Flags [S.], cksum 0xb1fb (incorrect -> 0x0a82), seq 1875710046, ack 3542782445, win 28160, options [mss 1420,sackOK,TS val 1107257975 ecr 875004811,nop,wscale 7], length 0
06:51:43.361309 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.128.x.xx.22 > 59.90.xxx.xxx.54341: Flags [S.], cksum 0xb1fb (incorrect -> 0x0976), seq 1875710046, ack 3542782445, win 28160, options [mss 1420,sackOK,TS val 1107258243 ecr 875004811,nop,wscale 7], length 0
06:51:44.343178 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.128.x.xx.22 > 59.90.xxx.xxx.54341: Flags [S.], cksum 0xb1fb (incorrect -> 0x0881), seq 1875710046, ack 3542782445, win 28160, options [mss 1420,sackOK,TS val 1107258488 ecr 875004811,nop,wscale 7], length 0
06:51:45.302310 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.128.x.xx.22 > 59.90.xxx.xxx.54341: Flags [S.], cksum 0xb1fb (incorrect -> 0x0791), seq 1875710046, ack 3542782445, win 28160, options [mss 1420,sackOK,TS val 1107258728 ecr 875004811,nop,wscale 7], length 0
06:51:46.302969 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.128.x.xx.22 > 59.90.xxx.xxx.54341: Flags [S.], cksum 0xb1fb (incorrect -> 0x0697), seq 1875710046, ack 3542782445, win 28160, options [mss 1420,sackOK,TS val 1107258978 ecr 875004811,nop,wscale 7], length 0
06:51:48.303906 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.128.x.xx.22 > 59.90.xxx.xxx.54341: Flags [S.], cksum 0xb1fb (incorrect -> 0x04a2), seq 1875710046, ack 3542782445, win 28160, options [mss 1420,sackOK,TS val 1107259479 ecr 875004811,nop,wscale 7], length 0
06:51:48.316328 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.128.x.xx.22 > 59.90.xxx.xxx.54341: Flags [S.], cksum 0xb1fb (incorrect -> 0x049f), seq 1875710046, ack 3542782445, win 28160, options [mss 1420,sackOK,TS val 1107259482 ecr 875004811,nop,wscale 7], length 0
06:51:52.367888 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.128.x.xx.22 > 59.90.xxx.xxx.54341: Flags [S.], cksum 0xb1fb (incorrect -> 0x00aa), seq 1875710046, ack 3542782445, win 28160, options [mss 1420,sackOK,TS val 1107260495 ecr 875004811,nop,wscale 7], length 0
Client
sudo tcpdump -n -vvv port 22
12:21:41.114101 IP (tos 0x0, ttl 64, id 53772, offset 0, flags [DF], proto TCP (6), length 64)
192.168.1.5.54341 > 35.193.xx.xx.22: Flags [S], cksum 0x3816 (correct), seq 3542782444, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 875004811 ecr 0,sackOK,eol], length 0
12:21:42.117525 IP (tos 0x0, ttl 64, id 29056, offset 0, flags [DF], proto TCP (6), length 64)
192.168.1.5.54341 > 35.193.xx.xx.22: Flags [S], cksum 0x342e (correct), seq 3542782444, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 875005811 ecr 0,sackOK,eol], length 0
12:21:43.123706 IP (tos 0x0, ttl 64, id 27897, offset 0, flags [DF], proto TCP (6), length 64)
192.168.1.5.54341 > 35.193.xx.xx.22: Flags [S], cksum 0x3046 (correct), seq 3542782444, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 875006811 ecr 0,sackOK,eol], length 0
12:21:44.126723 IP (tos 0x0, ttl 64, id 15522, offset 0, flags [DF], proto TCP (6), length 64)
192.168.1.5.54341 > 35.193.xx.xx.22: Flags [S], cksum 0x2c5e (correct), seq 3542782444, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 875007811 ecr 0,sackOK,eol], length 0
12:21:45.130005 IP (tos 0x0, ttl 64, id 52435, offset 0, flags [DF], proto TCP (6), length 64)
192.168.1.5.54341 > 35.193.xx.xx.22: Flags [S], cksum 0x2876 (correct), seq 3542782444, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 875008811 ecr 0,sackOK,eol], length 0
12:21:46.133002 IP (tos 0x0, ttl 64, id 39289, offset 0, flags [DF], proto TCP (6), length 64)
192.168.1.5.54341 > 35.193.xx.xx.22: Flags [S], cksum 0x248e (correct), seq 3542782444, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 875009811 ecr 0,sackOK,eol], length 0
12:21:48.143329 IP (tos 0x0, ttl 64, id 36640, offset 0, flags [DF], proto TCP (6), length 64)
192.168.1.5.54341 > 35.193.xx.xx.22: Flags [S], cksum 0x1cbe (correct), seq 3542782444, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 875011811 ecr 0,sackOK,eol], length 0
I noticed that the length is different (60 vs 64). Can this be the cause of wrong checksum?

Nifi secure connection no ciphers

I'm using nifi and I started to configure it for https in order to enable users. Nifi does not work, jetty Web server fails saying there are not ciphers. No idea how to debug this, any hint?
The same certificates have been tested on my computers and they work.
Any help appreciated
Update
Well... I enabled the SSL logging.
The biggest difference is about the Java environment, on the production server is java-1.8.0-openjdk, on my local machine is java-8-oracle.
There are still some important differences between the logs.
As ssl negotiation reference see this POST about how the protocol is supposed to work and the sessions involved.
The most dramatic differences are
no *** ECDH ServerKeyExchange session on production host.
Log starting from ClientHello is much different between the two machines:
Local ( I truncated too long lines and reported only little log session )
*** ClientHello, TLSv1.2
RandomCookie: GMT: 2028150611 bytes = { 31, 20, 137, 167, 52, 224, 12, 129, 113, 59, 113, 45, 161, 54, 164, 147, 115, 148
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_2
cc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, T
TH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RS
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA2
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
***
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Initialized: [Session-2, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
matching alias: 1
matching alias: 1
matching alias: 1
%% Negotiating: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
%% Negotiating: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
*** ServerHello, TLSv1.2
RandomCookie: RandomCookie: GMT: 1459404759 bytes = { GMT: 1459404759 bytes = { 196, 84, 148, 21, 202, 175, 156, 35, 50,
2 }
Session ID: {87, 253, 192, 215, 210, 220, 163, 93, 88, 20, 237, 50, 37, 61, 50, 192, 225, 180, 252, 8, 19, 154, 0, 18, 13
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
47, 15, 107, 214, 199, 60, 245, 207, 215, 148, 102, 224, 0, 41, 172, 70, 101, 85, 85, 173, 79, 238, 15, 167, 136, 20, 14,
Session ID: {87, 253, 192, 215, 117, 67, 238, 169, 141, 93, 171, 129, 181, 146, 239, 178, 242, 31, 104, 115, 209, 119, 20
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 75079925706380992652797512247021193282035431148032843217618352685456618206389
public y coord: 43896241059818662260698096293954076915685388487376127769285950062051599700758
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-21, WRITE: TLSv1.2 Handshake, length = 1753
NiFi Web Server-21, called closeInbound()
NiFi Web Server-21, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
NiFi Web Server-21, SEND TLSv1.2 ALERT: fatal, description = internal_error
NiFi Web Server-21, WRITE: TLSv1.2 Alert, length = 2
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 115351230770955196648507742599468345245507684591583302635044967727219906604428
public y coord: 93087459299146270258246635135187638789539141095594448725666354447366218509864
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
....
On production things are differents:
( I truncated too long lines and reported only little log session )
*** ClientHello, TLSv1.2
RandomCookie: GMT: -1695295875 bytes = { 197, 207, 66, 60, 4, 242, 21, 101, 190, 160, 124, 185, 72, 238, 141, 237, 251
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_12
ES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES
CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TL
H_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=nifi-dev.buongiorno.com]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, S
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, java.security.spec.ECParameterSpec#7862cc21, java.security.s
***
%% Initialized: [Session-4, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
%% Negotiating: [Session-4, TLS_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1459415539 bytes = { 67, 58, 139, 150, 47, 53, 247, 222, 255, 192, 141, 66, 114, 19, 171, 52, 6, 18
Session ID: {87, 253, 234, 243, 97, 92, 182, 14, 121, 224, 54, 149, 111, 196, 87, 79, 36, 149, 33, 51, 182, 47, 184, 6
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name:
***
Cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
:
.
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDS
withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-16, WRITE: TLSv1.2 Handshake, length = 1428
NiFi Web Server-21, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
UPDATE 2
I asked to install Java 8 and now keyexchange works, at this point my problems are going go vanish.

If you can provide the output (sanitized, if necessary) of your $NIFI_HOME/logs/nifi-app.log and $NIFI_HOME/logs/nifi-bootstrap.log, as well as the hardware, OS, JRE, and NiFi version you are using, that will help diagnose. Here are a couple common causes:
The certificate in the keystore is invalid (expired, not yet valid, can't validate the chain) and thus the available cipher suites that depend on an RSA/DSA key for signature or encryption are skipped by Jetty. You can check this by adding a new argument in $NIFI_HOME/conf/bootstrap.conf: java.arg.15=-Djavax.net.debug=ssl,handshake (where the argument number is updated to ensure it does not conflict with an existing argument). This will add substantial output to your log file covering the truststore configuration and every TLS handshake negotiation, including which cipher suites Jetty sees as available.
There was a minor issue where dynamically-generated certificates loaded into a keystore could not be used to provide TLSv1.1 cipher suites in test cases. See NIFI-1688 PR 624
The JRE running NiFi does not make any cipher suites available that the browser will accept. This is less common, but JRE 7 makes TLSv1.0 the default, and some browsers (nightly builds, etc.) may restrict TLS to TLSv1.1 or TLSv1.2 only. You can verify this by running the following command: $ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>. NiFi 0.x can run on Java 7, but NiFi 1.x requires Java 8+. If you are restricted to Java 7, you can explicitly enable these protocols via another Java argument: java.arg.16=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2.