OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: jonkersa on May 17, 2016, 09:05:19 pm

Title: lighttpd SSL error records logged every minute in system log.
Post by: jonkersa on May 17, 2016, 09:05:19 pm
Dear all,

Every minute the same three lines - displayed below - are recorded in the system log.

May 17 20:51:22   lighttpd[47368]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
May 17 20:51:22   lighttpd[47368]: (connections.c.291) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
May 17 20:51:22   lighttpd[47368]: (connections.c.291) SSL: 1 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number

I don't have a clue why and what can be done to resolve it.
The version I'm running is:

OPNsense 16.1.13-amd64
FreeBSD 10.2-RELEASE-p14
OpenSSL 1.0.2h 3 May 2016

What other information could be useful? I'm running OpenVPN (client) with OpenSSL created by a Debian Wheezy PKI.
OPNsense administration (web)site is protected with a public certificate signed by StartCom Class 1 Primary Intermediate Server CA.

All services are functioning perfectly. Still I'm wondering what the log messages are telling me and how to solve them.

Thanks for any help.

Regards,
Jonkers A.
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: franco on May 18, 2016, 08:04:10 am
Hi there,

I think this is a remnant of the ABI breakage introduced by CVE-2016-0701[1][2] in January in both LibreSSL and OpenSSL (although LibreSSL was not affected they also adapted the code).

This will be fixed upstream eventually although it's just a spurious warning message.


Cheers,
Franco

--
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0701
[2] http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl-allows-attackers-to-decrypt-https-traffic/
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: franco on May 23, 2016, 09:03:45 am
It looks like at least LibreSSL 2.3.x update fixes this, it's queued up for 16.1.15, but I don't know the state of OpenSSL.
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: gstrauss on August 02, 2016, 08:14:43 am
*Some* of the noise can be disabled in lighttpd with debug.log-ssl-noise = "disable" added to lighttpd.conf

Had this been reported to lighttpd developers (https://redmine.lighttpd.net/projects/lighttpd/issues/new) in addition to this forum, lighttpd might have been able to work around additional openssl noise in the lighttpd 1.4.41, just released 2016-07-31.
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: franco on August 02, 2016, 08:39:39 am
Hi gstrauss,

Neat, this week's 16.7.1 has a pending update for 1.4.40, not entirely sure we'll make it to 1.4.41 as we want critical components to "sink in" a bit after release. Should be in 16.7.2 tops.  Thanks!


Cheers,
Franco
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: gstrauss on August 02, 2016, 11:15:53 pm
Hi franco, et al!

I highly recommend lighttpd 1.4.41 over 1.4.40.  lighttpd 1.4.41 specifically addresses security issues like httpoxy, and bugs introduced in lighttpd 1.4.40.
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: gstrauss on August 02, 2016, 11:18:45 pm
FYI: it appears this added noise might be related to changes in openssl 1.0.2f.  What version of openssl are you using?

nginx addressed a similar issue in https://trac.nginx.org/nginx/ticket/901
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: franco on August 03, 2016, 12:09:38 am
Then we'll skip 1.4.40, because I don't feel comfortable porting 1.4.41 to FreeBSD. Let's wait.
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: gstrauss on August 03, 2016, 02:10:59 am
It is fair to wait a bit to get a better sense of stability.  Overall, 1.4.40 and 1.4.41 addressed hundreds of reported issues in lighttpd, and so 1.4.41 is expected to be much better than 1.4.39.

lighttpd works on FreeBSD.  What "porting" do you mean with "I don't feel comfortable porting 1.4.41 to FreeBSD"?
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: gstrauss on August 03, 2016, 06:50:06 am
@jonkersa wrote
> Every minute the same three lines - displayed below  - are recorded in the system log.

That is possibly caused by something performing a health-check each minute by making a TCP connection and then closing it, without negotiating TLS.

As mentioned above, please add debug.log-ssl-noise = "disable" to lighttpd.conf.  That should quiet some of the warnings you are seeing.  For the last remaining warning, "SSL routines:SSL_shutdown:shutdown while in init",  a change has been pushed to lighttpd git master (post lighttpd 1.4.41) to skip SSL_shutdown() if TLS handshake has not yet completed.  https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/156bea38597ced5de7521ada2e85fb67aead21db  You'll have to backport that one-line patch to lighttpd 1.4.39, or upgrade to lighttpd 1.4.41 (highly recommended) and apply the patch.

It would be nice to get some feedback if this resolves the issue for you.   Thank you.


@franco: please review https://www.lighttpd.net/2016/7/31/1.4.41/ for security fixes and other limited changes made in lighttpd 1.4.41.  If you were planning to upgrade to lighttpd 1.4.40, you should hopefully be eager to upgrade to lighttpd 1.4.41 instead of staying on lighttpd 1.4.39 for another 6 months.  (For all the improvements in lighttpd 1.4.40, see https://www.lighttpd.net/2016/7/16/1.4.40/ )
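An added example, not code from this thread or from lighttpd: a small Python triage script that runs over the three log lines quoted above (the sample below is constructed from them; the year is an assumption, since syslog stamps carry none). It groups the SSL errors into per-second bursts, checks whether every burst holds only the three "handshake never started" reasons, and measures the cadence, so the periodic non-TLS probe explanation can be confirmed from the log before the messages are silenced with debug.log-ssl-noise.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: the thread's three lines repeated at one-minute intervals,
# plus one unrelated lighttpd line that the parser must leave alone.
SAMPLE_LOG = """\
May 17 20:51:22   lighttpd[47368]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
May 17 20:51:22   lighttpd[47368]: (connections.c.291) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
May 17 20:51:22   lighttpd[47368]: (connections.c.291) SSL: 1 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
May 17 20:52:22   lighttpd[47368]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
May 17 20:52:22   lighttpd[47368]: (connections.c.291) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
May 17 20:52:22   lighttpd[47368]: (connections.c.291) SSL: 1 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
May 17 20:53:22   lighttpd[47368]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
May 17 20:53:22   lighttpd[47368]: (connections.c.291) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
May 17 20:53:22   lighttpd[47368]: (connections.c.291) SSL: 1 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
May 17 20:53:40   lighttpd[47368]: (server.c.1494) logfiles cycled UID = 0 PID = 47368
"""
# Reason strings that together mean "TCP connection opened, no TLS ClientHello
# ever arrived, connection closed": the non-TLS probe pattern from the thread.
NOISE_REASONS = {"shutdown while in init", "unknown protocol", "wrong version number"}
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) +lighttpd\[\d+\]: \(connections\.c\.\d+\) "
    r"SSL: .*error:(?P<code>[0-9A-F]{8}):SSL routines:[^:]+:(?P<reason>.+)$"
)

def parse_ssl_errors(text, year=2016):
    """Return (timestamp, openssl_code, reason) for each lighttpd SSL error line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog stamps carry no year, so the caller supplies one (assumed 2016)
            ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["code"], m["reason"].strip()))
    return events

def triage(events):
    """Group errors by second, flag all-noise bursts, and measure their cadence."""
    bursts = defaultdict(set)
    for ts, _code, reason in events:
        bursts[ts].add(reason)
    stamps = sorted(bursts)
    gaps = {int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])}
    return {
        "bursts": len(stamps),
        "non_tls_probe": all(r <= NOISE_REASONS for r in bursts.values()),
        "period_seconds": gaps.pop() if len(gaps) == 1 else None,  # one repeated gap = scheduled client
        "codes": Counter(code for _ts, code, _r in events),
    }
```

A result with `non_tls_probe` true and a fixed `period_seconds` matches the health-check explanation; a burst that mixes in other OpenSSL reasons, or an irregular cadence, deserves a closer look before the noise is suppressed.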
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: franco on August 03, 2016, 07:43:05 am
We're not going to stay on 1.4.39 for 6 months. It's just a matter of a week or two. :)

What I mean by porting is that FreeBSD's port seems overly complex. This was the update to 1.4.40:

https://github.com/opnsense/ports/commit/b150c5d1cd2403b1c23e679f991a14f265eb397e

Since there are some patches there it's not trivial to upgrade.  I honestly never tried it myself and it's a bit too late for experiments as we have 16.7.1 coming up to help with IPS mode in the kernel itself.
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: gstrauss on August 03, 2016, 07:31:06 pm
FYI: I have been working with pkubaj, the FreeBSD package maintainer.  lighttpd 1.4.40 incorporates all existing patches added by FreeBSD except for those patches specific to the mysql auth (optional) feature.  The reason why the FreeBSD 1.4.40 patch you linked is so large is that the *generated*  Makefile is part of the patch, and that there are many removed lines due to removal of patch files that are now integrated into lighttpd 1.4.40.  [edit] The largest part of that FreeBSD patch is that pkubaj renamed one of the mysql auth patch files.
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: franco on August 03, 2016, 07:43:21 pm
Thanks for the explanation. A trivial update for 1.4.41 was posted a few hours ago, but sets for tomorrow are already being built so it has to wait for 16.7.2. Sorry, I shall update tomorrow and see to an immediate test deployment of the latest version.
Title: Re: lighttpd SSL error records logged every minute in system log.
Post by: gstrauss on December 29, 2016, 10:30:56 am
FYI: lighttpd 1.4.44 was released a few days ago.  If you have any feedback, please post to #lighttpd on freenode or lighttpd forums https://redmine.lighttpd.net/projects/lighttpd/boards