CSCvw54424 - Remove unnecessary reverse DNS timing from critical TLS handshaking

wireman84
Level 1

Recommended Bug ID Text Provided. Posted here for reference to Cisco BU/DE and Community:

Title:

Remove unnecessary reverse DNS timing from critical TLS handshaking

Description:

If DNS does not return quickly when unnecessary reverse DNS is performed, the client timeout can expire and the CGR resets the TCP connection before the TLS handshake is complete. This happens in TPS and FND.

Failure, if this occurs, is very hard to diagnose, since it happens before any logging of the connection at FND or TPS.

Changes in infrastructure, a removed DNS server, etc. can cause total failure of CGR to FND/TPS TLS communications, although the CGR to FND/TPS communication and DNS are seemingly unrelated.

Hopefully, the references below provide insight into the issue and fix.

References:

Unnecessary reverse DNS query when connecting by IP with SSL #993

From <https://github.com/spray/spray/issues/993>

Looks like the issue is described, but never fixed in JBoss due to complexity and the existence of workarounds.

How to disable Java's SSL Reverse DNS Lookup

From <https://stackoverflow.com/questions/3193936/how-to-disable-javas-ssl-reverse-dns-lookup>

A method of coding that avoids the reverse DNS altogether.

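The coding approach the Stack Overflow reference points at, as an added Java example (not code from the post, from Cisco, or from the linked threads): the peer's IP literal is pinned as the InetAddress hostname with InetAddress.getByAddress, so JSSE never has a reason to issue a reverse (PTR) query during the handshake, and the connect and read timeouts are bounded so a stalled path fails fast and visibly instead of silently resetting. The peer address, port and timeout are placeholder values assumed for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class NoReverseDnsTlsClient {

    /**
     * Opens a TLS connection to a peer addressed by IP literal without any
     * reverse (PTR) DNS lookup on the client side.
     */
    static SSLSocket connect(String ipLiteral, int port, int timeoutMillis) throws IOException {
        // Parsing a literal does not query DNS, but the resulting InetAddress carries
        // no hostname, so any later getHostName() (which JSSE may call while setting
        // up the handshake) would trigger a reverse lookup and stall on a slow or
        // removed DNS server.
        byte[] raw = InetAddress.getByName(ipLiteral).getAddress();

        // Pin the literal as the hostname: getHostName() now returns it immediately.
        InetAddress peer = InetAddress.getByAddress(ipLiteral, raw);

        // Bound the TCP connect and reads so a stalled path surfaces as an exception
        // rather than an unexplained reset before the TLS session is logged.
        Socket plain = new Socket();
        plain.connect(new InetSocketAddress(peer, port), timeoutMillis);
        plain.setSoTimeout(timeoutMillis);

        // Layer TLS over the already-connected socket, passing the peer name
        // explicitly so JSSE has nothing left to resolve.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, ipLiteral, port, true);
        tls.startHandshake();
        return tls;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder peer values (assumed for the example, not taken from the post).
        try (SSLSocket s = connect("192.0.2.10", 443, 5_000)) {
            System.out.println("Negotiated " + s.getSession().getProtocol()
                    + " with " + s.getSession().getPeerHost());
        }
    }
}
```

If the peer is normally addressed by hostname, keep passing that hostname to createSocket rather than an IP literal, since the certificate name check and SNI depend on it; the point is only that the InetAddress handed to the socket already carries a name.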