On Sun, Apr 13, 2008 at 04:07:42PM +0200, Sake Blok wrote:
> On Sun, Apr 13, 2008 at 09:27:41AM -0400, Sheahan, John wrote:
> > this is actually code that runs on several servers that exchanges XML
> > data over HTTPS using the proxy. I didn't see the Encrypted Alert but
> > I'm going to recheck for that. I have enclosed the trace of one
> > conversation.
>
[...]
> frame 50: Proxy sees data *after* the client has acknowledged the TCP
> session teardown (ACK=23504 in frame 47) and sends RST
I just remembered your comment about the high ACK number for the RST
packet and took another look at it. Frame 50 also doesn't have the
ACK flag set. This is also not according to RFC and indeed it does
have a sequence number that does not belong to this tcp session.
Are you sure it's the proxy that sent this packet? Couldn't it have
been an Intrusion Detection and Prevention System (IDP) that generated
this packet?
Cheers,
Sake