Re: Suddenly, new types of SSL errors

2013-08-02 Thread Jérôme Heil
Hi

On 02/08/2013 06:31, mett wrote:
> Hi,
>
> Since 2, 3 weeks now, I'm getting some new types of log errors, related
> to SSL, on an Apache2 and Dovecot server I'm managing.
>
> --
> Apache2:
> [Fri Jul 26 09:47:39 2013] [error] [client 222.240.68.221] Invalid
> method in request \x16\x03\x01
>
> [Fri Jul 26 09:47:40 2013] [error]
> [client 222.240.68.221] rejecting client initiated renegotiation
>
> [Fri Jul 26 12:41:32 2013] [error] [client 115.205.7.94] rejecting
> client initiated renegotiation
>
> [Fri Jul 26 15:39:38 2013] [error] [client 24.14.226.8] Invalid method
> in request \x80w\x01\x03\x01
>
> [Fri Jul 26 18:41:33 2013] [error] [client 117.14.153.45] Invalid
> method in request \x16\x03\x01
>
> [Fri Jul 26 22:36:06 2013] [error] [client 175.17.208.60] Invalid
> method in request \x16\x03\x01
>
> [Fri Jul 26 22:36:07 2013] [error] [client 175.184.167.104] rejecting
> client initiated renegotiation

The last time I saw this was because I was using http instead of https
and talking plaintext to an SSL server. I think those errors are pretty
benign and there isn't much you can do about it.

Cheers,
Jérôme
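
An added example, not part of the original thread or any poster's code: a short Python triage script that decodes the escaped bytes in Apache's "Invalid method in request" lines and names them. `\x16\x03\x01` is the start of a TLS handshake record and `\x80w\x01\x03\x01` is an SSLv2-format ClientHello, meaning the client spoke SSL/TLS to a listener that parsed the bytes as HTTP. The sample lines are the thread's own log excerpts unwrapped to one line each; all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: log lines from this thread, unwrapped to one line each.
SAMPLE_LOG = r"""
[Fri Jul 26 09:47:39 2013] [error] [client 222.240.68.221] Invalid method in request \x16\x03\x01
[Fri Jul 26 09:47:40 2013] [error] [client 222.240.68.221] rejecting client initiated renegotiation
[Fri Jul 26 15:39:38 2013] [error] [client 24.14.226.8] Invalid method in request \x80w\x01\x03\x01
Jul 27 06:28:34 HOSTNAME dovecot: imap-login: Disconnected (no auth attempts): rip=112.80.210.152, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
""".strip().splitlines()

APACHE = re.compile(r"\[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
DOVECOT = re.compile(r"dovecot: (?P<svc>[\w-]+): .*rip=(?P<ip>[\d.]+),.*TLS: (?P<msg>.*)$")
INVALID = "Invalid method in request "

def unescape(text):
    # Apache logs non-printable request bytes as \xHH; turn them back into raw bytes.
    out = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return out.encode("latin-1")

def classify_bytes(raw):
    # TLS/SSLv3 record: content type 0x16 (handshake), then major/minor version.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return "TLS handshake record, record version 3.%d" % raw[2]
    # SSLv2 record: high bit set on a 2-byte length, message type 1 = ClientHello.
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01:
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        return "SSLv2-format ClientHello (%d bytes, offers version %d.%d)" % (length, raw[3], raw[4])
    return "unrecognised bytes"

def triage(lines):
    # Return (ip, source, verdict) for every Apache or Dovecot line recognised.
    results = []
    for line in lines:
        m = DOVECOT.search(line)
        if m:
            results.append((m["ip"], m["svc"], "TLS failure before any auth attempt: " + m["msg"]))
            continue
        m = APACHE.search(line)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith(INVALID):
            msg = classify_bytes(unescape(msg[len(INVALID):]))
        results.append((m["ip"], "apache", msg))
    return results

def per_ip(results):
    # Count events per source address, e.g. to spot hosts hitting several services.
    return Counter(ip for ip, _, _ in results)
```

Version 3.1 in either verdict is TLS 1.0; 3.0 would be SSLv3.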


Re: Suddenly, new types of SSL errors

2013-08-02 Thread Jochen Spieker
mett:
> Since 2, 3 weeks now, I'm getting some new types of log errors, related
> to SSL, on an Apache2 and Dovecot server I'm managing.

Don't worry about them as long as your services appear to work fine for
you. If you run a public server, it is normal that people send random
junk your server doesn't understand. Some of it may be malicious, some
of it is broken clients. You can't do anything against this except
blocking them at a lower protocol layer (just like you do with
fail2ban).

J.
-- 
Television advertisements are the apotheosis of twentieth century culture.
[Agree]   [Disagree]
 http://www.slowlydownward.com/NODATA/data_enter2.html




Re: Suddenly, new types of SSL errors

2013-08-02 Thread Darac Marjal
On Fri, Aug 02, 2013 at 09:06:41AM +0200, Jochen Spieker wrote:
> mett:
>> Since 2, 3 weeks now, I'm getting some new types of log errors, related
>> to SSL, on an Apache2 and Dovecot server I'm managing.
>
> Don't worry about them as long as your services appear to work fine for
> you. If you run a public server, it is normal that people send random
> junk your server doesn't understand. Some of it may be malicious, some
> of it is broken clients. You can't do anything against this except
> blocking them at a lower protocol layer (just like you do with
> fail2ban).

If you're worried, use a checker such as
https://www.ssllabs.com/ssltest/index.html to verify the robustness of
your server. It may be that, with new attacks such as BEAST and CRIME,
people are probing your server for vulnerabilities. If you get a good
rating on the tests, then you can be assured that those knocks on the
door won't get through.





Re: Suddenly, new types of SSL errors

2013-08-02 Thread mett
On Fri, 2 Aug 2013 10:32:15 +0100
Darac Marjal mailingl...@darac.org.uk wrote:

> On Fri, Aug 02, 2013 at 09:06:41AM +0200, Jochen Spieker wrote:
>> mett:
>>> Since 2, 3 weeks now, I'm getting some new types of log errors,
>>> related to SSL, on an Apache2 and Dovecot server I'm managing.
>>
>> Don't worry about them as long as your services appear to work fine
>> for you. If you run a public server, it is normal that people send
>> random junk your server doesn't understand. Some of it may be
>> malicious, some of it is broken clients. You can't do anything
>> against this except blocking them at a lower protocol layer (just
>> like you do with fail2ban).
>
> If you're worried, use a checker such as
> https://www.ssllabs.com/ssltest/index.html to verify the robustness of
> your server. It may be that, with new attacks such as BEAST and CRIME,
> people are probing your server for vulnerabilities. If you get a good
> rating on the tests, then you can be assured that those knocks on the
> door won't get through.

Thanks a lot for all the answers. 
The link to ssllabs is a nice one. 





Suddenly, new types of SSL errors

2013-08-01 Thread mett

Hi, 

Since 2, 3 weeks now, I'm getting some new types of log errors, related
to SSL, on an Apache2 and Dovecot server I'm managing.

--
Apache2:
[Fri Jul 26 09:47:39 2013] [error] [client 222.240.68.221] Invalid
method in request \x16\x03\x01 

[Fri Jul 26 09:47:40 2013] [error]
[client 222.240.68.221] rejecting client initiated renegotiation 

[Fri Jul 26 12:41:32 2013] [error] [client 115.205.7.94] rejecting
client initiated renegotiation 

[Fri Jul 26 15:39:38 2013] [error] [client 24.14.226.8] Invalid method
in request \x80w\x01\x03\x01 

[Fri Jul 26 18:41:33 2013] [error] [client 117.14.153.45] Invalid
method in request \x16\x03\x01 

[Fri Jul 26 22:36:06 2013] [error] [client 175.17.208.60] Invalid
method in request \x16\x03\x01 

[Fri Jul 26 22:36:07 2013] [error] [client 175.184.167.104] rejecting
client initiated renegotiation

Dovecot:
Jul 27 06:28:34 HOSTNAME dovecot: imap-login: Disconnected (no auth
attempts): rip=112.80.210.152, lip=EXT.ERN.AL.IP, TLS: SSL_read()
failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert
unexpected message 

Jul 27 06:28:35 HOSTNAME dovecot: pop3-login:
Disconnected (no auth attempts): rip=59.53.131.117, lip=EXT.ERN.AL.IP,
TLS: SSL_read() failed: error:140943F2:SSL
routines:SSL3_READ_BYTES:sslv3 alert unexpected message
--

The SSL config for A2 and Dovecot(imaps and pop3s) seems OK, 
as I do not get those errors on the only website using SSL on this
server, neither with Dovecot on port 993(imaps) and 995(pop3s).

Most of the IP addresses are from places I am not related with and
look like the IP addresses often getting caught into the Fail2ban net
running on this server.

According to openssl documentation:
UM/unexpected message

An inappropriate message was received. This alert is always fatal
and should never be observed in communication between proper
implementations.

I understood that it is an unexpected message, but I still do not
understand why that is happening.

Has somebody with a server on the net seen this kind of logs or
have an idea about what can be the reason?

I am running an i686 Squeeze server with very few websites in http and
1 in https under A2, and a mail server with postfix and dovecot.

Thanks!

PS: In the meantime, I have set up some new rules on Fail2ban to ban
those IPs.

PS2:
Sometimes, at the same time on Apache and Dovecot, I got this request
from 3 different IP addresses, as below:
---
Aug  2 01:37:46 HOSTNAME dovecot: imap-login: Disconnected (no auth
attempts): rip=117.14.149.176, lip=EXT.ERN.AL.IP, TLS: SSL_read()
failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert
unexpected message (Dovecot's info log)

Aug  2 01:37:47 HOSTNAME dovecot: pop3-login: Disconnected (no auth
attempts): rip=112.67.217.26, lip=EXT.ERN.AL.IP, TLS: SSL_read()
failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert
unexpected message (Dovecot's info log)

[Fri Aug 02 01:37:46 2013] [error] [client 210.72.157.240] Invalid
method in request \x16\x03\x01 (Apache2's error log)
---




Below are the logs of the tests I did to check my SSL configs.
---
mett@asus:~$ telnet EXT.ERN.AL.IP 443 (localhost works as well)
Trying EXT.ERN.AL.IP... Connected to EXT.ERN.AL.IP.
Escape character is '^]'.
GET /


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not
understand.<br /> Reason: You're speaking plain HTTP to an SSL-enabled
server port.<br /> Instead use the HTTPS scheme to access this URL,
please.<br /> <blockquote>Hint: <a
href="https://Dom.Main/"><b>https://Dom.Main/</b></a></blockquote></p>
<hr> <address>Apache Server at Dom.Main Port 443</address>
</body></html>
Connection closed by foreign host.
---
openssl s_client -connect EXT.ERN.AL.IP:443 (localhost works as well)
---
(shortened)
---
No client certificate CA names sent
---
SSL handshake has read 1466 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: