OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: pkejval on March 03, 2022, 07:02:31 am

Title: Unexpected TLS ClientHello on clear port
Post by: pkejval on March 03, 2022, 07:02:31 am
Since 22.1 I have been getting many, many messages like this in the console:

Code:
2022-03-03T06:58:20.424022+01:00 <fw hostname> lighttpd 23685 - - (connections.c 717) unexpected TLS ClientHello on clear port (<client IP>)
It's on my VLAN with CaptivePortal, mostly with Android phones connected. Captive portal doesn't have "Transparent proxy" enabled. What can be the root of this "problem"?
Title: Re: Unexpected TLS ClientHello on clear port
Post by: FraLem on August 12, 2022, 03:08:20 pm
It looks like just a device trying to access the landing page using HTTPS.
Rgds
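
Added example, not part of the original thread and not lighttpd's own code: a sketch of how a plaintext HTTP listener can tell from the first bytes of a connection that the client sent a TLS ClientHello, which is the situation the log message reports. The function names, labels and sample bytes are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sent to a clear-text HTTP port."""
    if data.startswith(HTTP_METHODS):
        return "http"
    if len(data) < 6:
        # Too short to hold a TLS record header plus the handshake type.
        return "incomplete"
    # TLS record header: content type (1), version (2), length (2).
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    is_handshake = content_type == 0x16           # 22 = handshake record
    sane_version = major == 0x03 and minor <= 0x04
    sane_length = 0 < rec_len <= 16384            # max plaintext record size
    is_client_hello = data[5] == 0x01             # handshake type 1
    if is_handshake and sane_version and sane_length and is_client_hello:
        return "tls_client_hello"
    return "other"


def build_sample_client_hello() -> bytes:
    """Construct a minimal, syntactically valid ClientHello (sample data)."""
    body = (
        b"\x03\x03"        # client_version: TLS 1.2
        + bytes(32)        # random (all zero, constructed)
        + b"\x00"          # empty session_id
        + b"\x00\x02\x13\x01"  # one cipher suite
        + b"\x01\x00"      # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = {
        "https client on port 80": build_sample_client_hello(),
        "plain http client": b"GET / HTTP/1.1\r\nHost: portal.example\r\n\r\n",
    }
    for name, first_bytes in samples.items():
        print(f"{name}: {classify_first_bytes(first_bytes)}")
```
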
Title: Re: Unexpected TLS ClientHello on clear port
Post by: mukky on January 12, 2023, 07:08:38 pm
I have the same problem.
In my case, the same problem appears when Captive portal is active, but if I deactivate captive portal, the problem disappears. This happens when any device is connected to the wifi via captive portal, for both Android and PC.

Is there any suggested solution yet?

Thx
Title: Re: Unexpected TLS ClientHello on clear port
Post by: chemlud on January 12, 2023, 07:26:26 pm
To which problem? Turning off all wifi devices might help...
Title: Re: Unexpected TLS ClientHello on clear port
Post by: mukky on January 12, 2023, 07:40:23 pm
Dear @chemlud,
thank you for your reply.

Turning off all of the APs or wifi devices, or turning off the captive portal, will stop the message on the OPNsense screen for sure.
But when I enable the captive portal again and let some devices connect via captive portal, that message begins to appear again, even though I have restarted OPNsense several times. However, all connected wifi devices are working perfectly, and the captive portal is working perfectly as well...

I am just wondering how to solve that error msg?

thx
Title: Re: Unexpected TLS ClientHello on clear port
Post by: chemlud on January 13, 2023, 09:33:46 am
It is no error. It's just your shitty devices saying "hello" to each and everybody. What do you expect? How should the NSA generate your moving profile without this trash? ;-)
Title: Re: Unexpected TLS ClientHello on clear port
Post by: mukky on January 13, 2023, 09:48:53 am
Dear @chemlud,
thank you for your kind explanation... this is my first experience using captive portal on OPNsense.

What I learned from this behavior is that when a shitty device tries to connect to the wifi captive portal, all of a sudden those msgs appear on the OPNsense monitor screen, and when the shitty device has successfully logged in, those msgs disappear from the OPNsense monitor screen.

Since it wasn't an error and is just a kind of informative message, is there any possible way to make those msgs not show on the OPNsense monitor screen?

Thx.
Title: Re: Unexpected TLS ClientHello on clear port
Post by: rural_oxen on June 16, 2023, 10:06:30 pm
Hi!
Sorry to bump this, but I have had the same issue just now. My Android 11 phone tried to open the Captive Portal page, which didn't load and the message appeared in the console as described by OP.

My fix: Removing the "Hostname" option from the Captive Portal Zone (Services: Captive Portal: Administration -> Zones). It's less elegant showing guests the IP instead of a hostname, but it is what it is.
Title: Re: Unexpected TLS ClientHello on clear port
Post by: dpsguard on July 08, 2023, 08:12:28 pm
I have the latest 23.1 and I did not even have a hostname under captive portal, and I still had this issue. I also had all log options (under system / settings / logging) unchecked.

My solution has been to change the Primary console from VGA to Serial console under System / settings / administration. I have a low-depth Supermicro 1U server and I have a serial console DB9 connector. I can then use a standard Cisco (and essentially everyone else uses the same) serial console cable with a DB9 null modem adapter that I had lying around. Many new servers / network appliances will have an RJ45-style serial console, so no such adapter should be needed.

I verified that the unexpected TLS clientHello noise that was appearing on VGA console, no longer is redirected to serial console, or for that matter to SSH console.
Title: Re: Unexpected TLS ClientHello on clear port
Post by: dpsguard on July 08, 2023, 11:29:03 pm
My proposed solution also did not work for me. After I did a reboot, the issue reappeared. Hopefully this will be resolved in some near-future update / patch. It potentially has to do with BSD or lighttpd, which needs to fix this issue. There does not seem to be an option under the lighttpd conf files for curtailing this unwanted noise sent to the console. For now, I simply selected mute console. It will be rare to use a console after setup unless GUI plus SSH become inaccessible (and that will be if firewall rules are messed up). As long as a current config backup is available, and the same version of the OS is also kept, in the worst situations, spinning the USB disk again and importing the configuration back should remove the need to maintain a console, and the incessant barrage of TLS clientHello messages doesn't have to be dealt with.