Hello.

Something superfluous from my provider apparently ended up in my HTTPS certificates on the statistics website, and I began to receive (on computers behind NAT) the Opera message "cannot complete the secured transaction". IE gives something similar, though it still offers to choose a certificate. (Everything fails on TLS with a Handshake Failure error.)

Actually, I have an idea why this is so, namely because of NAT + certificate verification by IP, but I don't have a solution to this problem.

NAT is done with iptables on CentOS. Not using NAT is not an option. The router connects three networks (two providers and a home one) plus a network of pptp clients.

They sit, respectively, on the following interfaces:

  1. Home - eth0
  2. Internet provider - eth2
  3. Backup provider - eth1 (temporarily used only for network resources)
  4. Pptp clients - ppp0

Routes:

    vpn.mydomain   *            255.255.255.255  UH  0 0 0 ppp0
    prov1.pool     gate.prov1   255.255.255.0    UG  0 0 0 eth1
    ...
    prov2.pool     *            255.255.192.0    U   0 0 0 eth2
    default        gate.prov2   0.0.0.0          UG  0 0 0 eth2

NAT table:

    target      prot opt in   out   source         destination
    MASQUERADE  all  --  any  eth2  self.mydomain  anywhere
    MASQUERADE  all  --  any  eth2  vpn.mydomain   anywhere

I think that the rest of the data in the NAT table is not worth attention.

UPD: messages from the browsers:

  1. FF (Error code: ssl_error_handshake_failure_alert)
  2. Opera: cannot complete the secured transaction
  3. Chrome first said "The site's security certificate is not trusted!"; after the "Continue" button: Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
  4. IE is just plain dumb: Internet Explorer cannot display this web page

Please tell me how to solve this?

    3 answers

    In general, the problem turned out to be where I wasn't looking for it. The DNS server had previously been configured statically, and quite recently I added forwarding addresses from the provider to it but forgot to remove the static entries. And after the provider changed the IP address of the server, or rather moved https to another interface, this situation came up.
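The failure mode in the accepted answer is a local resolver that still carries hand-maintained static entries while also forwarding to the provider: once the provider moves a host to a new address, the stale static entry keeps winning, clients connect to the old address, and the TLS handshake fails there. The following is an added example, not code from this thread; it parses an /etc/hosts-style static table, compares it against the answers the upstream resolver gives, and reports every static name whose addresses the upstream no longer confirms. The host names and addresses are constructed sample data (documentation ranges), and `resolve_all` is a hypothetical helper for a live check that the offline demo does not call.

```python
"""Detect static DNS overrides that disagree with the upstream resolver."""
import ipaddress
import socket
from typing import Dict, List, Tuple

# Constructed sample data (documentation address ranges, not real hosts).
STATIC_HOSTS = """\
# hand-maintained overrides on the router's resolver
127.0.0.1       localhost
192.0.2.10      stats.example.net   stats   # provider's old address
192.0.2.11      vpn.example.net
"""

# What the provider's forwarders answer today (constructed).
UPSTREAM_ANSWERS: Dict[str, List[str]] = {
    "stats.example.net": ["198.51.100.20"],   # provider moved HTTPS here
    "vpn.example.net": ["192.0.2.11"],
}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Parse /etc/hosts-style text into {hostname: [ip, ...]}.

    Handles comments, blank lines, aliases and names that appear on
    several lines. Lines whose first field is not an IP address are skipped.
    """
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            ips = table.setdefault(name.lower(), [])
            if ip not in ips:
                ips.append(ip)
    return table


def find_stale_entries(
    static: Dict[str, List[str]], upstream: Dict[str, List[str]]
) -> List[Tuple[str, List[str], List[str]]]:
    """Return (name, static_ips, upstream_ips) for each static name whose
    addresses are not all confirmed by the upstream resolver.

    Names the upstream does not know at all are left alone: a purely local
    override (e.g. an internal VPN host) is usually intentional.
    """
    stale = []
    for name, ips in sorted(static.items()):
        answers = upstream.get(name)
        if answers is None:
            continue
        if not set(ips) <= set(answers):
            stale.append((name, list(ips), sorted(answers)))
    return stale


def resolve_all(name: str) -> List[str]:
    """Hypothetical live helper: ask the system resolver for every address of
    a name. Not used by the offline demo; useful for building the upstream
    table on a real router."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def demo() -> List[Tuple[str, List[str], List[str]]]:
    """Run the check on the constructed sample data."""
    return find_stale_entries(parse_hosts(STATIC_HOSTS), UPSTREAM_ANSWERS)


if __name__ == "__main__":
    for name, old, new in demo():
        print(f"stale static entry: {name} -> {old}, upstream now says {new}")
```

On the sample data the only finding is `stats.example.net`, pinned to the old address while the forwarders answer the new one, which is exactly the case where a client ends up talking TLS to a server that no longer serves that name. The check deliberately ignores names the upstream cannot resolve, so intentional internal overrides do not produce noise.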

      In general, HTTPS should work behind NAT out of the box. More likely the problem is in the firewall configuration, not in the NAT. It would also be interesting to know how other browsers behave.

      • With other browsers, the same trouble. In the firewall (router) I only have bans on tcp dpt:10000, tcp dpt:3306, tcp dpt:135, tcp dpt:143, tcp dpt:139 and tcp dpt:445. Firewalls on the computers are disabled. See UPD - Dex

      Another option: an incomplete certificate chain, i.e. the intermediate and/or root certificate may be missing (if it is a purchased certificate).