{"id":3098,"date":"2019-11-11T11:38:57","date_gmt":"2019-11-11T10:38:57","guid":{"rendered":"https:\/\/esferas.org\/msqlu\/?p=3098"},"modified":"2019-11-11T11:38:58","modified_gmt":"2019-11-11T10:38:58","slug":"resuelto-el-problema-con-las-conexiones-tls-eternas","status":"publish","type":"post","link":"https:\/\/esferas.org\/msqlu\/2019\/11\/11\/resuelto-el-problema-con-las-conexiones-tls-eternas\/","title":{"rendered":"Solved: the problem with the never-ending TLS connections"},"content":{"rendered":"<p>It has been two dreadful weeks. I have rarely found so little help online, although I suppose the problem was a bit unusual.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>In the <a href=\"https:\/\/esferas.org\/msqlu\/2019\/11\/04\/realizando-conexion-tls\/\">previous post<\/a> I was complaining about a problem we had with secure connections to some websites: browsers of every kind got stuck on them, while on other sites they were as smooth as ever.<\/p>\n\n\n\n<p>Given the variety of operating systems and browsers, I suspected that the problem lay at the point of exit to the Internet: a computer running the stable version of Debian (so, Linux) that had been doing that job for several years.<\/p>\n\n\n\n<p>What had changed was that the ISP's router (Movistar) had died, and a few weeks ago I decided to <a href=\"https:\/\/esferas.org\/msqlu\/2019\/08\/17\/asimilando-un-router-de-fibra-optica-de-movistar\/\">integrate its functionality<\/a> into the system using several network cards.
<\/p>\n\n\n\n<p>In doing so I followed the instructions on <a href=\"https:\/\/blog.confirm.ch\/using-pppoe-on-linux\/\">this page<\/a> but forgot an important detail. Well, I did not forget to add it; I forgot to make it survive a system reboot, so I took it for granted and never looked at it again. Until the reboot everything worked correctly; afterwards the problems appeared, and although I checked the logs I did not inspect the changes properly.<\/p>\n\n\n\n<p>The solution was to add the following rule to the firewall:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu<\/code><\/pre>\n\n\n\n<p>Or let the program that configures it (<em>shorewall<\/em>) do it for you by changing its configuration in <em>\/etc\/shorewall\/shorewall.conf<\/em>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>CLAMPMSS=Yes<\/code><\/pre>\n\n\n\n<p>I cannot say I understand exactly what the real problem with the connection is, because I am no networking expert, not at that level by a long way, but apparently it is possible for the TCP packets of a connection to be lost because they are too large to get through, since the maximum value for that kind of medium has not been calculated correctly. Connections can be established but go no further, ending up in what is called a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Black_hole_(networking)#PMTUD_black_holes\">black hole connection<\/a> that is never heard from again.
<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">References<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/long-reach-ethernet-lre-digital-subscriber-line-xdsl\/asymmetric-digital-subscriber-line-adsl\/12918-router-mtu.html\">Troubleshooting MTU Size in PPPoE Dialin Connectivity<\/a><\/li><li><a href=\"https:\/\/www.cyberciti.biz\/faq\/linux-iptables-insert-rule-at-top-of-tables-prepend-rule\/\">Iptables insert rule at top of tables ( PREPEND rule on Linux )<\/a><\/li><li><a href=\"https:\/\/samuel.kadolph.com\/2015\/02\/mtu-and-tcp-mss-when-using-pppoe-2\/\">MTU and TCP MSS when using PPPoE<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>It has been two dreadful weeks. I have rarely found so little help online, although I suppose the problem was a bit unusual.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","webmentions_disabled_pings":false,"webmentions_disabled":false,"footnotes":""},"categories":[5],"tags":[19,906,52,896,493,512],"class_list":["post-3098","post","type-post","status-publish","format-standard","hentry","category-hardware","tag-errores","tag-iptables","tag-mi-lugar-de-trabajo","tag-pppoe","tag-shorewall","tag-tls"],"_links":{"self":[{"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/posts\/3098","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/comments?post=3098"}],"version-history":[{"count":1,"href":"https:\/\/esferas.org\/msqlu\/wp-json\/w
p\/v2\/posts\/3098\/revisions"}],"predecessor-version":[{"id":3099,"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/posts\/3098\/revisions\/3099"}],"wp:attachment":[{"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/media?parent=3098"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/categories?post=3098"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/esferas.org\/msqlu\/wp-json\/wp\/v2\/tags?post=3098"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}