linkerd2: Transient OpenSSL errors when Linkerd is injected (no peer certificate available) (SSLv3/TLS write client hello)

Bug Report

What is the issue?

When the Linkerd2 sidecar is injected, requests to external endpoints periodically fail with SSL errors.

  1. In Ruby the issue looks like: OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3/TLS write client hello

  2. In linkerd-debug no visible symptoms

  3. In openssl cli the error starts from the message no peer certificate available

How can it be reproduced?

Start a new pod with the injected sidecar with a command that does nothing (tail -f /dev/null). Exec inside and run the following script:

#!/usr/bin/env bash
echo "" > out_2
while :
do
  echo "*****" >> out_2
  echo "GET /" | openssl s_client -connect www.example.com:443 -no_tls1_1 >> out_2     # -no_tls1_1  is not required to reproduce the error
  # curl -vvv https://bing.com/ >> out_2 2>&1
  # wget -O- https://google.com >/dev/null
  ret=$?
  if [ $ret -ne 0 ]; then
    echo "!!!!!!" >> out_2
    exit
  fi
done

Logs, error output, etc

Here are output results from the script. A good result includes server certificate chain. A bad one includes no peer certificate available. https://gist.github.com/KIVagant/37b87245b27810f359acb22fdfa4c13b

When linkerd proxy is uninjected, the error never appears.

linkerd check output

# all is green, except the version is not the latest available
‼ control plane is up-to-date
    is running version 2.7.1 but the latest stable version is 2.8.1
    see https://linkerd.io/checks/#l5d-version-control for hints

Environment

  • Kubernetes Version: Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.9-eks-f459c0"
  • Cluster Environment: EKS
  • Host OS: Amazon Linux
  • Linkerd version:
      Client version: stable-2.7.1
      Server version: stable-2.7.1

Possible solution

Additional context

We see the issue in many applications; it appears in many places, hundreds of times a day, randomly.

Also, we never saw this with Linkerd v1.
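
To quantify how often the handshake fails, the out_2 file written by the reproduction loop can be summarised per attempt. This is an added example, not part of the original report: the function names are hypothetical and the sample input is constructed, abridged from the good and bad s_client results quoted on this page.

```bash
#!/usr/bin/env bash
# Added example: classify each openssl s_client attempt recorded in out_2.
# The reproduction loop writes "*****" before every attempt, so that line is
# used as the record separator.

# classify_attempts [FILE]
# Reads FILE (or stdin) and prints one line per attempt:
#   <n> <ok|fail> read=<bytes> written=<bytes> cipher=<name> start=<epoch>
classify_attempts() {
  awk '
    function emit() {
      if (n == 0) return
      # "Verification: OK" and "Verify return code: 0 (ok)" are printed even
      # when no certificate arrived, so they are not used as success signals.
      # A failed attempt shows no peer certificate, 0 handshake bytes read,
      # or no negotiated cipher.
      status = (nocert || rd + 0 == 0 || cipher == "(NONE)") ? "fail" : "ok"
      printf "%d %s read=%d written=%d cipher=%s start=%s\n", n, status, rd, wr, cipher, start
    }
    $0 == "*****" {
      emit(); n++
      nocert = 0; rd = 0; wr = 0; cipher = "(NONE)"; start = "-"
      next
    }
    n == 0 { next }                       # ignore anything before the first attempt
    /^no peer certificate available/ { nocert = 1 }
    /^SSL handshake has read /       { rd = $5; wr = $9 }
    /^New, /                         { cipher = $NF }
    /^ *Start Time:/                 { start = $3 }   # epoch, for correlating with proxy logs
    END { emit() }
  ' "${1:--}"
}

# summarise [FILE]
# Prints "attempts=<total> failed=<count>".
summarise() {
  classify_attempts "${1:--}" | awk '
    { total++ }
    $2 == "fail" { failed++ }
    END { printf "attempts=%d failed=%d\n", total, failed }'
}

# Constructed sample: two attempts, abridged from the s_client output on this
# page (one complete handshake, one that read 0 bytes).
sample_out_2() {
  cat <<'EOF'

*****
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org
---
SSL handshake has read 4661 bytes and written 240 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Start Time: 1598393617
    Verify return code: 0 (ok)
---
*****
CONNECTED(00000003)
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 102 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Start Time: 1598393617
    Verify return code: 0 (ok)
---
!!!!!!
EOF
}

# Stand-alone demonstration on the constructed sample.
sample_out_2 | classify_attempts
sample_out_2 | summarise
```

On a real pod, run `summarise out_2`. Because the reproduction loop exits on the first failure, remove its `exit` to collect a failure count over a longer run.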

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 19 (16 by maintainers)

Most upvoted comments

A quick update: this appears to be a bug in an underlying library (tokio and/or mio) — I can reproduce it with code that uses tokio without Linkerd. Will investigate further and fix it upstream.

Hmm, the results with openssl/example.com are very different than curl/bing.

Proxy log
[  3205.754274463s] TRACE ThreadId(23) outbound: linkerd2_proxy_transport::listen: Accepted peer.addr=10.42.0.80:44804 orig.addr=Some(V4(93.184.216.34:443))
[  3205.754282057s]  INFO ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_app_core::serve: new
[  3205.754284432s]  INFO ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_app_core::serve: enter
[  3205.754287798s]  INFO ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_app_core::serve: exit
[  3205.754300231s]  INFO ThreadId(23) outbound: linkerd2_app: exit
[  3205.754303246s]  INFO ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_app_core::serve: enter
[  3205.754308997s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_stack_tracing: poll_ready
[  3205.754311952s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_stack_tracing: ready=true
[  3205.754313976s] DEBUG ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_app_outbound::prevent_loop: addr=93.184.216.34:443 self.port=4140
[  3205.754316340s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_stack_tracing: make_service target=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }
[  3205.754321049s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: new
[  3205.754323263s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: enter
[  3205.754326128s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: exit
[  3205.754328262s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: enter
[  3205.754329785s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_stack_tracing: making
[  3205.754331648s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_stack_tracing: ready=true
[  3205.754334934s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: exit
[  3205.754337830s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_stack_tracing: new_service target=Addrs { local: V4(10.42.0.80:44804), peer: V4(10.42.0.80:44804), orig_dst: Some(V4(93.184.216.34:443)) }
[  3205.754342238s]  INFO ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:source{target.addr=93.184.216.34:443}: linkerd2_app_outbound: new
[  3205.754343921s]  INFO ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:source{target.addr=93.184.216.34:443}: linkerd2_app_outbound: enter
[  3205.754346496s]  INFO ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:source{target.addr=93.184.216.34:443}: linkerd2_app_outbound: exit
[  3205.754360612s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_io::peek: poll_peek=Ready(Ok(102))
[  3205.754363357s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_io::peek: peeked.len=102
[  3205.754367084s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_proxy_http::detect: Forwarding TCP
[  3205.754369198s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: enter
[  3205.754371382s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_stack_tracing: poll ready
[  3205.754372944s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_stack_tracing: ready=true
[  3205.754374708s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: exit
[  3205.754376471s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: enter
[  3205.754403431s] DEBUG ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_proxy_transport::tls::client: peer.identity=None(NotHttp)
[  3205.754406035s] DEBUG ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_proxy_transport::connect: Connecting peer.addr=93.184.216.34:443
[  3205.754410754s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: exit
[  3205.754413449s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: enter
[  3205.754415202s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_proxy_tcp::forward: in accept future!
[  3205.754418348s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:connect: linkerd2_proxy_tcp::forward: new
[  3205.754421063s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:connect: linkerd2_proxy_tcp::forward: enter
[  3205.754471045s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:connect: linkerd2_proxy_tcp::forward: exit
[  3205.754474732s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: exit
[  3205.754476906s]  INFO ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44804}: linkerd2_app_core::serve: exit
[  3205.759538134s]  INFO ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}: linkerd2_app_core::serve: enter
[  3205.759548122s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: enter
[  3205.759552049s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: poll
[  3205.759555375s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: already shutdown
[  3205.759558732s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: reading
[  3205.759560946s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:dst: linkerd2_proxy_tcp::forward: enter
[  3205.759566716s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:dst: linkerd2_io::instrumented: poll_read_buf=Ready(Ok(733))
[  3205.759572036s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:dst: linkerd2_proxy_tcp::forward: exit
[  3205.759575943s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: read 733B
[  3205.759579309s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: writing 733B
[  3205.759581584s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:src: linkerd2_proxy_tcp::forward: enter
[  3205.759605307s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:src: linkerd2_io::instrumented: poll_write_buf=Ready(Ok(733))
[  3205.759609054s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:src: linkerd2_proxy_tcp::forward: exit
[  3205.759611198s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: wrote 733B
[  3205.759613823s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: reading
[  3205.759615997s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:dst: linkerd2_proxy_tcp::forward: enter
[  3205.759620175s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:dst: linkerd2_io::instrumented: poll_read_buf=Pending
[  3205.759623090s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:dst: linkerd2_proxy_tcp::forward: exit
[  3205.759625444s] TRACE ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: exit
[  3205.759629051s]  INFO ThreadId(22) outbound:accept{peer.addr=10.42.0.80:44800}: linkerd2_app_core::serve: exit
[  3205.759767356s]  INFO ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}: linkerd2_app_core::serve: enter
[  3205.759771914s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_app_outbound: enter
[  3205.759774088s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: poll
[  3205.759776583s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: already shutdown
[  3205.759779438s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: reading
[  3205.759781642s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:dst: linkerd2_proxy_tcp::forward: enter
[  3205.759785319s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:dst: linkerd2_io::instrumented: poll_read_buf=Ready(Ok(0))
[  3205.759788805s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:dst: linkerd2_proxy_tcp::forward: exit
[  3205.759790909s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: read 0B
[  3205.759792772s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: eof
[  3205.759795037s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}: linkerd2_duplex: shutting down
[  3205.759798683s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:src: linkerd2_proxy_tcp::forward: enter
[  3205.759803412s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:src: linkerd2_io::instrumented: poll_shutdown=Ready(Err(Os { code: 107, kind: NotConnected, message: "Transport endpoint is not connected" }))
[  3205.759812579s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:src: linkerd2_proxy_tcp::forward: exit
[  3205.759822146s] TRACE ThreadId(23) outbound:accept{peer.addr=10.42.0.80:44800}:tcp_forward{endpoint=TcpEndpoint { addr: V4(93.184.216.34:443), identity: None(NotHttp) }}:src: linkerd2_proxy_tcp::forward: close time.busy=452µs time.idle=28.5ms

OpenSSL client output (one good request prior to the failure):
*****
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
subject=/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4661 bytes and written 240 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: CE02D51EF65AB1A33B6DEFE25E72A7186B1C7446EC9F6A0199A76A07FA26657A
    Session-ID-ctx:
    Master-Key: 7F982E4E2A869F4239337CC91A1496A939484B6F8307C0EF0B9093A989134430C2CE93C5DA64E2C2A986228133A5690C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1598393617
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
*****
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 102 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1598393617
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
!!!!!!

tshark capture
1035882 3202.183821121   10.42.0.80 → 10.43.0.10   DNS 103 Standard query 0x7e16 A www.example.com.default.svc.cluster.local
1035883 3202.183841699   10.42.0.80 → 10.43.0.10   DNS 103 Standard query 0x06ce AAAA www.example.com.default.svc.cluster.local
1035884 3202.183898283   10.43.0.10 → 10.42.0.80   DNS 196 Standard query response 0x06ce No such name AAAA www.example.com.default.svc.cluster.local SOA ns.dns.cluster.local
1035885 3202.183913852   10.43.0.10 → 10.42.0.80   DNS 196 Standard query response 0x7e16 No such name A www.example.com.default.svc.cluster.local SOA ns.dns.cluster.local
1035886 3202.183931564   10.42.0.80 → 10.43.0.10   DNS 95 Standard query 0xd0b7 A www.example.com.svc.cluster.local
1035887 3202.183938938   10.42.0.80 → 10.43.0.10   DNS 95 Standard query 0xc2a5 AAAA www.example.com.svc.cluster.local
1035888 3202.183981156   10.43.0.10 → 10.42.0.80   DNS 188 Standard query response 0xc2a5 No such name AAAA www.example.com.svc.cluster.local SOA ns.dns.cluster.local
1035889 3202.183999519   10.43.0.10 → 10.42.0.80   DNS 188 Standard query response 0xd0b7 No such name A www.example.com.svc.cluster.local SOA ns.dns.cluster.local
1035890 3202.184014567   10.42.0.80 → 10.43.0.10   DNS 91 Standard query 0x344a A www.example.com.cluster.local
1035891 3202.184022963   10.42.0.80 → 10.43.0.10   DNS 91 Standard query 0xd8f3 AAAA www.example.com.cluster.local
1035892 3202.184045674   10.43.0.10 → 10.42.0.80   DNS 184 Standard query response 0xd8f3 No such name AAAA www.example.com.cluster.local SOA ns.dns.cluster.local
1035893 3202.184065070   10.43.0.10 → 10.42.0.80   DNS 184 Standard query response 0x344a No such name A www.example.com.cluster.local SOA ns.dns.cluster.local
1035894 3202.184074457   10.42.0.80 → 10.43.0.10   DNS 77 Standard query 0xaa3d A www.example.com
1035895 3202.184080078   10.42.0.80 → 10.43.0.10   DNS 77 Standard query 0x288a AAAA www.example.com
1035896 3202.184105294   10.43.0.10 → 10.42.0.80   DNS 108 Standard query response 0xaa3d A www.example.com A 93.184.216.34
1035897 3202.184114872   10.43.0.10 → 10.42.0.80   DNS 120 Standard query response 0x288a AAAA www.example.com AAAA 2606:2800:220:1:248:1893:25c8:1946
1035898 3202.184187245   10.42.0.80 → 127.0.0.1    TCP 76 44796 → 4140 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM=1 TSval=765791812 TSecr=0 WS=128
1035899 3202.184194008 93.184.216.34 → 10.42.0.80   TCP 76 [TCP ACKed unseen segment] [TCP Retransmission] [TCP Port numbers reused] 443 → 44796 [SYN, ACK] Seq=2507374196 Ack=645700291 Win=65483 Len=0 MSS=65495 SACK_PERM=1 TSval=3305932945 TSecr=765791812 WS=128
1035900 3202.184198927   10.42.0.80 → 127.0.0.1    TCP 68 44796 → 4140 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=765791812 TSecr=3305932945
1035901 3202.184261432   10.42.0.80 → 127.0.0.1    TLSv1 170 Client Hello
1035902 3202.184265549 93.184.216.34 → 10.42.0.80   TCP 68 [TCP ACKed unseen segment] 443 → 44796 [ACK] Seq=2507374197 Ack=645700393 Win=65408 Len=0 TSval=3305932945 TSecr=765791812
1035903 3202.184420986   10.42.0.80 → 93.184.216.34 TCP 76 44798 → 443 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM=1 TSval=765791812 TSecr=0 WS=128
1035904 3202.188019561 93.184.216.34 → 10.42.0.80   TLSv1 760 Application Data, Application Data, Application Data, Application Data
1035905 3202.188025712   10.42.0.80 → 93.184.216.34 TCP 68 [TCP ACKed unseen segment] 44794 → 443 [ACK] Seq=365 Ack=5354 Win=497 Len=0 TSval=765791816 TSecr=3624231900
1035906 3202.188076776 93.184.216.34 → 10.42.0.80   TLSv1 760 [TCP ACKed unseen segment] [TCP Spurious Retransmission] , Application Data, Application Data, Application Data, Application Data
1035907 3202.188085162   10.42.0.80 → 127.0.0.1    TCP 56 44792 → 4140 [RST] Seq=365 Win=0 Len=0
1035908 3202.188120437 93.184.216.34 → 10.42.0.80   TLSv1 109 Encrypted Alert
1035909 3202.188123933   10.42.0.80 → 93.184.216.34 TCP 68 [TCP ACKed unseen segment] 44794 → 443 [ACK] Seq=365 Ack=5395 Win=502 Len=0 TSval=765791816 TSecr=3624231900
1035910 3202.188230850 93.184.216.34 → 10.42.0.80   TCP 68 443 → 44794 [FIN, ACK] Seq=1280797937 Ack=645267399 Win=67072 Len=0 TSval=3624231900 TSecr=765791809
1035911 3202.188235498   10.42.0.80 → 93.184.216.34 TCP 68 [TCP ACKed unseen segment] 44794 → 443 [ACK] Seq=365 Ack=5396 Win=502 Len=0 TSval=765791816 TSecr=3624231900
1035912 3202.191858058 93.184.216.34 → 10.42.0.80   TCP 76 443 → 44798 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=2407782645 TSecr=765791812 WS=512
1035913 3202.191865271   10.42.0.80 → 93.184.216.34 TCP 68 44798 → 443 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=765791819 TSecr=2407782645
1035914 3202.191962941   10.42.0.80 → 93.184.216.34 TLSv1 170 Client Hello
1035915 3202.199557753 93.184.216.34 → 10.42.0.80   TCP 68 443 → 44798 [ACK] Seq=1 Ack=103 Win=65536 Len=0 TSval=2407782653 TSecr=765791819
1035916 3202.203158812 93.184.216.34 → 10.42.0.80   TLSv1 1466 Server Hello
1035917 3202.203163721   10.42.0.80 → 93.184.216.34 TCP 68 44798 → 443 [ACK] Seq=103 Ack=1399 Win=63616 Len=0 TSval=765791831 TSecr=2407782656
1035918 3202.203247115 93.184.216.34 → 10.42.0.80   TLSv1 1466 [TCP ACKed unseen segment] [TCP Spurious Retransmission] , Encrypted Handshake Message
1035919 3202.203253537   10.42.0.80 → 127.0.0.1    TCP 68 44796 → 4140 [ACK] Seq=103 Ack=1399 Win=64256 Len=0 TSval=765791831 TSecr=3305932964
1035920 3202.203295173 93.184.216.34 → 10.42.0.80   TCP 1466 443 → 44798 [ACK] Seq=1399 Ack=103 Win=65536 Len=1398 TSval=2407782656 TSecr=765791819 [TCP segment of a reassembled PDU]
1035921 3202.203297287   10.42.0.80 → 93.184.216.34 TCP 68 44798 → 443 [ACK] Seq=103 Ack=2797 Win=63104 Len=0 TSval=765791831 TSecr=2407782656
1035922 3202.203362267 93.184.216.34 → 10.42.0.80   TCP 1466 [TCP ACKed unseen segment] [TCP Spurious Retransmission] 443 → 44796 [PSH, ACK] Seq=2507375595 Ack=645700393 Win=65536 Len=1398 TSval=3305932964 TSecr=765791831 [TCP segment of a reassembled PDU]
1035923 3202.203366364   10.42.0.80 → 127.0.0.1    TCP 68 44796 → 4140 [ACK] Seq=103 Ack=2797 Win=64256 Len=0 TSval=765791831 TSecr=3305932964
1035924 3202.203432747 93.184.216.34 → 10.42.0.80   TLSv1 1368 Certificate [TCP segment of a reassembled PDU]
1035925 3202.203434941   10.42.0.80 → 93.184.216.34 TCP 68 44798 → 443 [ACK] Seq=103 Ack=4097 Win=63104 Len=0 TSval=765791831 TSecr=2407782656
1035926 3202.203504459 93.184.216.34 → 10.42.0.80   TLSv1 1368 [TCP ACKed unseen segment] [TCP Spurious Retransmission] , Encrypted Handshake Message [TCP segment of a reassembled PDU]
1035927 3202.203508045   10.42.0.80 → 127.0.0.1    TCP 68 44796 → 4140 [ACK] Seq=103 Ack=4097 Win=64256 Len=0 TSval=765791831 TSecr=3305932964
1035928 3202.203544913 93.184.216.34 → 10.42.0.80   TLSv1 395 Server Key Exchange, Server Hello Done
1035929 3202.203547147   10.42.0.80 → 93.184.216.34 TCP 68 44798 → 443 [ACK] Seq=103 Ack=4424 Win=63104 Len=0 TSval=765791831 TSecr=2407782656
1035930 3202.203598502 93.184.216.34 → 10.42.0.80   TLSv1 395 [TCP ACKed unseen segment] [TCP Spurious Retransmission] , Encrypted Handshake Message, Encrypted Handshake Message
1035931 3202.203602389   10.42.0.80 → 127.0.0.1    TCP 68 44796 → 4140 [ACK] Seq=103 Ack=4424 Win=64128 Len=0 TSval=765791831 TSecr=3305932964
1035932 3202.204547319   10.42.0.80 → 127.0.0.1    TLSv1 206 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
1035933 3202.204552017 93.184.216.34 → 10.42.0.80   TCP 68 [TCP ACKed unseen segment] 443 → 44796 [ACK] Seq=2507378620 Ack=645700531 Win=65408 Len=0 TSval=3305932965 TSecr=765791832
1035934 3202.204595718   10.42.0.80 → 93.184.216.34 TLSv1 206 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
1035935 3202.212396580 93.184.216.34 → 10.42.0.80   TLSv1 306 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
1035936 3202.212402030   10.42.0.80 → 93.184.216.34 TCP 68 44798 → 443 [ACK] Seq=241 Ack=4662 Win=64128 Len=0 TSval=765791840 TSecr=2407782666
1035937 3202.212463192 93.184.216.34 → 10.42.0.80   TLSv1 306 [TCP ACKed unseen segment] [TCP Spurious Retransmission] , Encrypted Handshake Message, Change Cipher Spec, Encrypted Handshake Message
1035938 3202.212467981   10.42.0.80 → 127.0.0.1    TCP 68 44796 → 4140 [ACK] Seq=241 Ack=4662 Win=64256 Len=0 TSval=765791840 TSecr=3305932973
1035939 3202.212707201   10.42.0.80 → 127.0.0.1    TLSv1 150 Application Data, Application Data
1035940 3202.212711890 93.184.216.34 → 10.42.0.80   TCP 68 [TCP ACKed unseen segment] 443 → 44796 [ACK] Seq=2507378858 Ack=645700613 Win=65536 Len=0 TSval=3305932973 TSecr=765791840
1035941 3202.212730384   10.42.0.80 → 127.0.0.1    TLSv1 109 Encrypted Alert
1035942 3202.212733370 93.184.216.34 → 10.42.0.80   TCP 68 [TCP ACKed unseen segment] 443 → 44796 [ACK] Seq=2507378858 Ack=645700654 Win=65536 Len=0 TSval=3305932973 TSecr=765791840
1035943 3202.212742206   10.42.0.80 → 127.0.0.1    TCP 68 44796 → 4140 [FIN, ACK] Seq=364 Ack=4662 Win=64256 Len=0 TSval=765791840 TSecr=3305932973
1035944 3202.212770017   10.42.0.80 → 93.184.216.34 TLSv1 191 Application Data, Application Data, Encrypted Alert
1035945 3202.212825900   10.42.0.80 → 93.184.216.34 TCP 68 44798 → 443 [FIN, ACK] Seq=364 Ack=4662 Win=64256 Len=0 TSval=765791840 TSecr=2407782666
1035946 3202.215321164   10.42.0.80 → 10.43.0.10   DNS 103 Standard query 0xacf2 A www.example.com.default.svc.cluster.local
1035947 3202.215345619   10.42.0.80 → 10.43.0.10   DNS 103 Standard query 0x9a88 AAAA www.example.com.default.svc.cluster.local
1035948 3202.215435534   10.43.0.10 → 10.42.0.80   DNS 196 Standard query response 0x9a88 No such name AAAA www.example.com.default.svc.cluster.local SOA ns.dns.cluster.local
1035949 3202.215457004   10.43.0.10 → 10.42.0.80   DNS 196 Standard query response 0xacf2 No such name A www.example.com.default.svc.cluster.local SOA ns.dns.cluster.local
1035950 3202.215473745   10.42.0.80 → 10.43.0.10   DNS 95 Standard query 0xa804 A www.example.com.svc.cluster.local
1035951 3202.215481529   10.42.0.80 → 10.43.0.10   DNS 95 Standard query 0xb884 AAAA www.example.com.svc.cluster.local
1035952 3202.215528996   10.43.0.10 → 10.42.0.80   DNS 188 Standard query response 0xa804 No such name A www.example.com.svc.cluster.local SOA ns.dns.cluster.local
1035953 3202.215544685   10.43.0.10 → 10.42.0.80   DNS 188 Standard query response 0xb884 No such name AAAA www.example.com.svc.cluster.local SOA ns.dns.cluster.local
1035954 3202.215556778   10.42.0.80 → 10.43.0.10   DNS 91 Standard query 0x62dc A www.example.com.cluster.local
1035955 3202.215563530   10.42.0.80 → 10.43.0.10   DNS 91 Standard query 0x2a37 AAAA www.example.com.cluster.local
1035956 3202.215590199   10.43.0.10 → 10.42.0.80   DNS 184 Standard query response 0x2a37 No such name AAAA www.example.com.cluster.local SOA ns.dns.cluster.local
1035957 3202.215600468   10.43.0.10 → 10.42.0.80   DNS 184 Standard query response 0x62dc No such name A www.example.com.cluster.local SOA ns.dns.cluster.local
1035958 3202.215611078   10.42.0.80 → 10.43.0.10   DNS 77 Standard query 0xe6bd A www.example.com
1035959 3202.215616918   10.42.0.80 → 10.43.0.10   DNS 77 Standard query 0x2847 AAAA www.example.com
1035960 3202.215652975   10.43.0.10 → 10.42.0.80   DNS 120 Standard query response 0x2847 AAAA www.example.com AAAA 2606:2800:220:1:248:1893:25c8:1946
1035961 3202.215670797   10.43.0.10 → 10.42.0.80   DNS 108 Standard query response 0xe6bd A www.example.com A 93.184.216.34
1035962 3202.215740496   10.42.0.80 → 127.0.0.1    TCP 76 44800 → 4140 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM=1 TSval=765791843 TSecr=0 WS=128
1035963 3202.215747479 93.184.216.34 → 10.42.0.80   TCP 76 443 → 44800 [SYN, ACK] Seq=0 Ack=1 Win=65483 Len=0 MSS=65495 SACK_PERM=1 TSval=3305932976 TSecr=765791843 WS=128
1035964 3202.215752889   10.42.0.80 → 127.0.0.1    TCP 68 44800 → 4140 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=765791843 TSecr=3305932976
1035965 3202.215815915   10.42.0.80 → 127.0.0.1    TLSv1 170 Client Hello
1035966 3202.215820273 93.184.216.34 → 10.42.0.80   TCP 68 443 → 44800 [ACK] Seq=1 Ack=103 Win=65408 Len=0 TSval=3305932976 TSecr=765791843
1035967 3202.215951374   10.42.0.80 → 93.184.216.34 TCP 76 44802 → 443 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM=1 TSval=765791843 TSecr=0 WS=128
1035968 3202.219721084 93.184.216.34 → 10.42.0.80   TLSv1 760 Application Data, Application Data, Application Data, Application Data
1035969 3202.219727015   10.42.0.80 → 93.184.216.34 TCP 68 44798 → 443 [ACK] Seq=365 Ack=5354 Win=63616 Len=0 TSval=765791847 TSecr=2407782673
1035970 3202.219772749 93.184.216.34 → 10.42.0.80   TLSv1 760 [TCP ACKed unseen segment] [TCP Spurious Retransmission] , Application Data, Application Data, Application Data, Application Data
1035971 3202.219780944   10.42.0.80 → 127.0.0.1    TCP 56 44796 → 4140 [RST] Seq=365 Win=0 Len=0
1035972 3202.219821810 93.184.216.34 → 10.42.0.80   TLSv1 109 Encrypted Alert
1035973 3202.219825737   10.42.0.80 → 93.184.216.34 TCP 68 44798 → 443 [ACK] Seq=365 Ack=5395 Win=64256 Len=0 TSval=765791847 TSecr=2407782673
1035974 3202.219933094 93.184.216.34 → 10.42.0.80   TCP 68 443 → 44798 [FIN, ACK] Seq=5395 Ack=364 Win=67072 Len=0 TSval=2407782673 TSecr=765791840
1035975 3202.219936591   10.42.0.80 → 93.184.216.34 TCP 68 44798 → 443 [ACK] Seq=365 Ack=5396 Win=64256 Len=0 TSval=765791847 TSecr=2407782673
1035976 3202.219934317 93.184.216.34 → 10.42.0.80   TCP 68 443 → 44798 [ACK] Seq=5396 Ack=365 Win=67072 Len=0 TSval=2407782673 TSecr=765791840
1035977 3202.222844314 93.184.216.34 → 10.42.0.80   TCP 76 443 → 44802 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=2087024196 TSecr=765791843 WS=512
1035978 3202.222850004   10.42.0.80 → 93.184.216.34 TCP 68 44802 → 443 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=765791850 TSecr=2087024196
1035979 3202.222943517   10.42.0.80 → 93.184.216.34 TLSv1 170 Client Hello
1035980 3202.230483147 93.184.216.34 → 10.42.0.80   TCP 68 443 → 44802 [ACK] Seq=1 Ack=103 Win=65536 Len=0 TSval=2087024204 TSecr=765791850
1035981 3202.233792430 93.184.216.34 → 10.42.0.80   TLSv1 1466 Server Hello
1035982 3202.233797790   10.42.0.80 → 93.184.216.34 TCP 68 44802 → 443 [ACK] Seq=103 Ack=1399 Win=63616 Len=0 TSval=765791861 TSecr=2087024206
1035983 3202.233879029 93.184.216.34 → 10.42.0.80   TLSv1 1466 Server Hello
1035984 3202.233885451   10.42.0.80 → 127.0.0.1    TCP 68 44800 → 4140 [ACK] Seq=103 Ack=1399 Win=64256 Len=0 TSval=765791861 TSecr=3305932994
1035985 3202.233928651 93.184.216.34 → 10.42.0.80   TCP 1466 443 → 44802 [ACK] Seq=1399 Ack=103 Win=65536 Len=1398 TSval=2087024206 TSecr=765791850 [TCP segment of a reassembled PDU]
1035986 3202.233930995   10.42.0.80 → 93.184.216.34 TCP 68 44802 → 443 [ACK] Seq=103 Ack=2797 Win=63104 Len=0 TSval=765791861 TSecr=2087024206
1035987 3202.234019368 93.184.216.34 → 10.42.0.80   TCP 1466 443 → 44800 [PSH, ACK] Seq=1399 Ack=103 Win=65536 Len=1398 TSval=3305932995 TSecr=765791861 [TCP segment of a reassembled PDU]
1035988 3202.234024447   10.42.0.80 → 127.0.0.1    TCP 68 44800 → 4140 [ACK] Seq=103 Ack=2797 Win=64256 Len=0 TSval=765791862 TSecr=3305932995
1035989 3202.234060804 93.184.216.34 → 10.42.0.80   TLSv1 1368 Certificate [TCP segment of a reassembled PDU]
1035990 3202.234062998   10.42.0.80 → 93.184.216.34 TCP 68 44802 → 443 [ACK] Seq=103 Ack=4097 Win=63104 Len=0 TSval=765791862 TSecr=2087024206
1035991 3202.234139028 93.184.216.34 → 10.42.0.80   TLSv1 1368 Certificate [TCP segment of a reassembled PDU]
1035992 3202.234142975   10.42.0.80 → 127.0.0.1    TCP 68 44800 → 4140 [ACK] Seq=103 Ack=4097 Win=64256 Len=0 TSval=765791862 TSecr=3305932995
1035993 3202.234168663 93.184.216.34 → 10.42.0.80   TLSv1 395 Server Key Exchange, Server Hello Done
1035994 3202.234170376   10.42.0.80 → 93.184.216.34 TCP 68 44802 → 443 [ACK] Seq=103 Ack=4424 Win=63104 Len=0 TSval=765791862 TSecr=2087024206
1035995 3202.234251525 93.184.216.34 → 10.42.0.80   TLSv1 395 Server Key Exchange, Server Hello Done
1035996 3202.234255643   10.42.0.80 → 127.0.0.1    TCP 68 44800 → 4140 [ACK] Seq=103 Ack=4424 Win=64128 Len=0 TSval=765791862 TSecr=3305932995
1035997 3202.235118391   10.42.0.80 → 127.0.0.1    TLSv1 206 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
1035998 3202.235124482 93.184.216.34 → 10.42.0.80   TCP 68 443 → 44800 [ACK] Seq=4424 Ack=241 Win=65408 Len=0 TSval=3305932996 TSecr=765791863
1035999 3202.235185074   10.42.0.80 → 93.184.216.34 TLSv1 206 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
1036000 3202.243302869 93.184.216.34 → 10.42.0.80   TLSv1 306 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
1036001 3202.243309381   10.42.0.80 → 93.184.216.34 TCP 68 44802 → 443 [ACK] Seq=241 Ack=4662 Win=64128 Len=0 TSval=765791871 TSecr=2087024217
1036002 3202.243383067 93.184.216.34 → 10.42.0.80   TLSv1 306 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
1036003 3202.243388046   10.42.0.80 → 127.0.0.1    TCP 68 44800 → 4140 [ACK] Seq=241 Ack=4662 Win=64256 Len=0 TSval=765791871 TSecr=3305933004
1036004 3202.243565422   10.42.0.80 → 127.0.0.1    TLSv1 150 Application Data, Application Data
1036005 3202.243569370 93.184.216.34 → 10.42.0.80   TCP 68 443 → 44800 [ACK] Seq=4662 Ack=323 Win=65536 Len=0 TSval=3305933004 TSecr=765791871
1036006 3202.243583576   10.42.0.80 → 127.0.0.1    TLSv1 109 Encrypted Alert
1036007 3202.243585740 93.184.216.34 → 10.42.0.80   TCP 68 443 → 44800 [ACK] Seq=4662 Ack=364 Win=65536 Len=0 TSval=3305933004 TSecr=765791871
1036008 3202.243592302   10.42.0.80 → 127.0.0.1    TCP 68 44800 → 4140 [FIN, ACK] Seq=364 Ack=4662 Win=64256 Len=0 TSval=765791871 TSecr=3305933004
1036009 3202.243659646   10.42.0.80 → 93.184.216.34 TLSv1 191 Application Data, Application Data, Encrypted Alert
1036010 3202.243718013   10.42.0.80 → 93.184.216.34 TCP 68 44802 → 443 [FIN, ACK] Seq=364 Ack=4662 Win=64256 Len=0 TSval=765791871 TSecr=2087024217
1036011 3202.245897195   10.42.0.80 → 10.43.0.10   DNS 103 Standard query 0x20eb A www.example.com.default.svc.cluster.local
1036012 3202.245917723   10.42.0.80 → 10.43.0.10   DNS 103 Standard query 0xe878 AAAA www.example.com.default.svc.cluster.local
1036013 3202.245966192   10.43.0.10 → 10.42.0.80   DNS 196 Standard query response 0xe878 No such name AAAA www.example.com.default.svc.cluster.local SOA ns.dns.cluster.local
1036014 3202.245985658   10.43.0.10 → 10.42.0.80   DNS 196 Standard query response 0x20eb No such name A www.example.com.default.svc.cluster.local SOA ns.dns.cluster.local
1036015 3202.246002399   10.42.0.80 → 10.43.0.10   DNS 95 Standard query 0xd6da A www.example.com.svc.cluster.local
1036016 3202.246009832   10.42.0.80 → 10.43.0.10   DNS 95 Standard query 0xec40 AAAA www.example.com.svc.cluster.local
1036017 3202.246047973   10.43.0.10 → 10.42.0.80   DNS 188 Standard query response 0xec40 No such name AAAA www.example.com.svc.cluster.local SOA ns.dns.cluster.local
1036018 3202.246061457   10.43.0.10 → 10.42.0.80   DNS 188 Standard query response 0xd6da No such name A www.example.com.svc.cluster.local SOA ns.dns.cluster.local
1036019 3202.246072979   10.42.0.80 → 10.43.0.10   DNS 91 Standard query 0xdaca A www.example.com.cluster.local
1036020 3202.246079130   10.42.0.80 → 10.43.0.10   DNS 91 Standard query 0x3258 AAAA www.example.com.cluster.local
1036021 3202.246102964   10.43.0.10 → 10.42.0.80   DNS 184 Standard query response 0x3258 No such name AAAA www.example.com.cluster.local SOA ns.dns.cluster.local
1036022 3202.246122830   10.43.0.10 → 10.42.0.80   DNS 184 Standard query response 0xdaca No such name A www.example.com.cluster.local SOA ns.dns.cluster.local
1036023 3202.246133540   10.42.0.80 → 10.43.0.10   DNS 77 Standard query 0xd662 A www.example.com
1036024 3202.246139471   10.42.0.80 → 10.43.0.10   DNS 77 Standard query 0xb46f AAAA www.example.com
1036025 3202.246171380   10.43.0.10 → 10.42.0.80   DNS 120 Standard query response 0xb46f AAAA www.example.com AAAA 2606:2800:220:1:248:1893:25c8:1946
1036026 3202.246185356   10.43.0.10 → 10.42.0.80   DNS 108 Standard query response 0xd662 A www.example.com A 93.184.216.34
1036027 3202.246249684   10.42.0.80 → 127.0.0.1    TCP 76 [TCP Port numbers reused] 44804 → 4140 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM=1 TSval=765791874 TSecr=0 WS=128
1036028 3202.246256657 93.184.216.34 → 10.42.0.80   TCP 76 [TCP Previous segment not captured] [TCP Port numbers reused] 443 → 44804 [SYN, ACK] Seq=645801769 Ack=645801819 Win=65483 Len=0 MSS=65495 SACK_PERM=1 TSval=3305933007 TSecr=765791874 WS=128
1036029 3202.246261325   10.42.0.80 → 127.0.0.1    TCP 68 44804 → 4140 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=765791874 TSecr=3305933007
1036030 3202.246313411   10.42.0.80 → 127.0.0.1    TLSv1 170 Client Hello
1036031 3202.246317228 93.184.216.34 → 10.42.0.80   TCP 68 443 → 44804 [ACK] Seq=645801770 Ack=645801921 Win=65408 Len=0 TSval=3305933007 TSecr=765791874
1036032 3202.246466694   10.42.0.80 → 93.184.216.34 TCP 76 [TCP Port numbers reused] 44806 → 443 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM=1 TSval=765791874 TSecr=0 WS=128

It’s like reading a Stephen King novel!