Hi,
For 2 or 3 weeks now, I have been getting some new types of log errors,
related to SSL, on an Apache2 and Dovecot server I'm managing.
---
Apache2:
[Fri Jul 26 09:47:39 2013] [error] [client 222.240.68.221] Invalid method in request \x16\x03\x01
[Fri Jul 26 09:47:40 2013] [error] [client 222.240.68.221] rejecting client initiated renegotiation
[Fri Jul 26 12:41:32 2013] [error] [client 115.205.7.94] rejecting client initiated renegotiation
[Fri Jul 26 15:39:38 2013] [error] [client 24.14.226.8] Invalid method in request \x80w\x01\x03\x01
[Fri Jul 26 18:41:33 2013] [error] [client 117.14.153.45] Invalid method in request \x16\x03\x01
[Fri Jul 26 22:36:06 2013] [error] [client 175.17.208.60] Invalid method in request \x16\x03\x01
[Fri Jul 26 22:36:07 2013] [error] [client 175.184.167.104] rejecting client initiated renegotiation
Dovecot:
Jul 27 06:28:34 HOSTNAME dovecot: imap-login: Disconnected (no auth attempts): rip=112.80.210.152, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
Jul 27 06:28:35 HOSTNAME dovecot: pop3-login: Disconnected (no auth attempts): rip=59.53.131.117, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
---
The SSL config for A2 and Dovecot (imaps and pop3s) seems OK,
as I do not get those errors on the only website using SSL on this
server, nor with Dovecot on ports 993 (imaps) and 995 (pop3s).
Most of the IP addresses are from places I am not related to, and they
look like the IP addresses that often get caught in the Fail2ban net
running on this server.
According to the OpenSSL documentation:
UM/unexpected message
An inappropriate message was received. This alert is always fatal
and should never be observed in communication between proper
implementations.
I understand that it is an unexpected message, but I still do not
understand why that is happening.
Has anybody with a server on the net seen this kind of log, or does
anybody have an idea about what the reason can be?
I am running an i686 Squeeze server with very few websites in http and
1 in https under A2, and a mail server with postfix and dovecot.
Thanks!
PS: In the meantime, I have set up some new rules on Fail2ban to ban
those IPs.
PS2:
Sometimes, at the same time on Apache and Dovecot, I got this request
from 3 different IP addresses, as below:
---
Aug 2 01:37:46 HOSTNAME dovecot: imap-login: Disconnected (no auth attempts): rip=117.14.149.176, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message (Dovecot's info log)
Aug 2 01:37:47 HOSTNAME dovecot: pop3-login: Disconnected (no auth attempts): rip=112.67.217.26, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message (Dovecot's info log)
[Fri Aug 02 01:37:46 2013] [error] [client 210.72.157.240] Invalid method in request \x16\x03\x01 (Apache2's error log)
---
Below are the logs of the tests I did to check my SSL configs.
---
mett@asus:~$ telnet EXT.ERN.AL.IP 443 (localhost works as well)
Trying EXT.ERN.AL.IP...
Connected to EXT.ERN.AL.IP.
Escape character is '^]'.
GET /
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a href="https://Dom.Main/"><b>https://Dom.Main/</b></a></blockquote></p>
<hr>
<address>Apache Server at Dom.Main Port 443</address>
</body></html>
Connection closed by foreign host.
---
openssl s_client -connect EXT.ERN.AL.IP:443 (localhost works as well)
---
(shortened)
---
No client certificate CA names sent
---
SSL handshake has read 1466 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher:
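
Added example (not part of the original message): a short Python script that decodes the escaped bytes in the Apache "Invalid method in request" entries quoted above and names the TLS framing they carry. The sample lines are copied from the message; the regular expressions assume the Apache 2.2 error-log layout shown there, and only the \xNN escape is handled.

```python
import re

# Constructed sample: entries copied from the message above, one per line.
SAMPLE_LOG = r"""
[Fri Jul 26 09:47:39 2013] [error] [client 222.240.68.221] Invalid method in request \x16\x03\x01
[Fri Jul 26 09:47:40 2013] [error] [client 222.240.68.221] rejecting client initiated renegotiation
[Fri Jul 26 15:39:38 2013] [error] [client 24.14.226.8] Invalid method in request \x80w\x01\x03\x01
[Fri Jul 26 18:41:33 2013] [error] [client 117.14.153.45] Invalid method in request \x16\x03\x01
"""

LINE_RE = re.compile(r"\[client (?P<ip>[\d.]+)\] Invalid method in request (?P<raw>.*)$")
ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(raw):
    """Turn the \\xNN escapes in a log entry back into the bytes the client sent."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), raw).encode("latin-1")


def classify(data):
    """Name the TLS/SSL framing at the start of what Apache read as a request line."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record header: content type 22 (handshake), then major.minor version.
        return "TLS handshake record, version 3.%d" % data[2]
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-format header: 15-bit length, message type 1 (CLIENT-HELLO), version.
        length = ((data[0] & 0x7F) << 8) | data[1]
        return "SSLv2-format ClientHello, length %d, version %d.%d" % (
            length, data[3], data[4])
    return "not TLS framing"


def triage(log_text):
    """Return [(client_ip, classification)] for each 'Invalid method' entry."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            results.append((m.group("ip"), classify(unescape(m.group("raw")))))
    return results


if __name__ == "__main__":
    for ip, kind in triage(SAMPLE_LOG):
        print(ip, "->", kind)
```

Version 3.1 is TLS 1.0, so both byte patterns are the start of a ClientHello that Apache tried to parse as an HTTP request line.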