Unexpected TLS ClientHello on clear port

Started by pkejval, March 03, 2022, 07:02:31 AM

Since 22.1 I have many, many messages like this in the console:

2022-03-03T06:58:20.424022+01:00 <fw hostname> lighttpd 23685 - - (connections.c 717) unexpected TLS ClientHello on clear port (<client IP>)

It's on my VLAN with Captive Portal, mostly with Android phones connected. The captive portal doesn't have "Transparent proxy" enabled. What can be the root of this "problem"?

It looks like just a device trying to access the landing page using HTTPS.
Rgds
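
As an added illustration (not code from this thread, from OPNsense or from lighttpd): the check below mirrors the shape of what lighttpd is reporting, a TLS handshake record arriving on a port that expects plain HTTP, and additionally pulls the SNI out of the ClientHello so a defender can see which hostname the device was trying to reach over HTTPS. The `build_client_hello` sample input and the `portal.example` name are constructed, and the exact form of the check is an assumption, not lighttpd's own code.

```python
import struct
TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x00

# Constructed sample: a plain HTTP request, what a clear port is supposed to see.
HTTP_REQUEST = b"GET /index.php HTTP/1.1\r\nHost: portal.example\r\n\r\n"

def looks_like_tls_client_hello(data: bytes) -> bool:
    """Same shape of check as lighttpd's (assumed, not its code): a TLS record of
    type Handshake (0x16), major version 0x03, carrying a ClientHello (0x01)."""
    return (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[5] == CLIENT_HELLO)

def client_hello_sni(data: bytes):
    """Return the server_name the client asked for, or None if absent/malformed.
    Shows which hostname the device tried to reach when it sent HTTPS to the clear port."""
    if not looks_like_tls_client_hello(data):
        return None
    try:
        pos = 5 + 4                 # skip record header and handshake header
        pos += 2 + 32               # client_version + random
        pos += 1 + data[pos]        # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher_suites
        pos += 1 + data[pos]        # compression_methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]  # end of extensions
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", data, pos)
            pos += 4
            if etype == EXT_SERVER_NAME:
                # server_name_list length (2), name_type (1), host_name length (2), name
                nlen = struct.unpack_from("!H", data, pos + 3)[0]
                return data[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
    except (struct.error, IndexError, UnicodeDecodeError):
        return None                 # truncated or malformed record
    return None

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying only an SNI extension
    (sample input for the checks above, not a real handshake capture)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```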

January 12, 2023, 07:08:38 PM #2 Last Edit: January 12, 2023, 07:19:01 PM by mukky
I have the same problem.
In my case, the same problem appears when the captive portal is active, but if I deactivate the captive portal, that problem disappears. This happens when any device is connected to the wifi via captive portal, for both Android and PC.

Is there any solution suggestion yet?

Thx

To which problem? Turning off all wifi devices might help...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

January 12, 2023, 07:40:23 PM #4 Last Edit: January 12, 2023, 07:44:32 PM by mukky
Dear @chemlud,
thank you for your reply.

Turning off all of the APs or wifi devices, or turning off the captive portal, will stop the message on the OPNsense screen for sure.
But when I enable the captive portal again and let some device connect via captive portal, that message begins to appear again, even though I have restarted OPNsense several times. However, all connected wifi devices are working perfectly, including the captive portal, which is working perfectly as well.

I'm just wondering how to solve that error msg?

thx

It is no error. It's just your shitty devices saying "hello" to each and everybody. What do you expect? How should the NSA generate your moving profile without this trash? ;-)
kind regards
chemlud

Dear @chemlud,
thank you for your kind explanation... this is my first experience using captive portal on OPNsense.

What I learn from this behavior is: when a shitty device tries to connect to the wifi captive portal, all of a sudden those msgs appear on the OPNsense monitor screen, and when the shitty device has successfully logged in, those msgs disappear from the OPNsense monitor screen.

Since it isn't an error and is just a kind of informative message, is there any possible way to make those msgs not show on the OPNsense monitor screen?

Thx.

Hi!
Sorry to bump this, but I have had the same issue just now. My Android 11 phone tried to open the Captive Portal page, which didn't load and the message appeared in the console as described by OP.

My fix: Removing the "Hostname" option from the Captive Portal Zone (Services: Captive Portal: Administration -> Zones). It's less elegant showing guests the IP instead of a hostname, but it is what it is.

I have the latest 23.1, I had no hostname under captive portal at all, and I still had this issue. I also had all log options (under System / Settings / Logging) unchecked.

My solution has been to change the primary console from VGA to serial console under System / Settings / Administration. I have a low-depth Supermicro 1U server with a DB9 serial console connector. I can then use a standard Cisco serial console cable (essentially everyone else uses the same) with a DB9 null modem adapter that I had lying around. Many new servers / network appliances will have an RJ45-style serial console; then no such adapter should be needed.

I verified that the unexpected TLS ClientHello noise that was appearing on the VGA console is no longer redirected to the serial console, or for that matter to the SSH console.

My proposed solution also did not work for me. After I did a reboot, the issue reappeared. Hopefully this will be resolved in some near-future update / patch. It is potentially to do with BSD or lighttpd, which needs to fix this issue. There does not seem to be an option in the lighttpd conf files for curtailing this unwanted noise sent to the console. For now, I simply selected mute console. It will be rare to use a console after setup unless the GUI plus SSH become inaccessible (and that will be if firewall rules are messed up). As long as a current config backup is available, and the same version of the OS is also kept, in the worst situation spinning the USB disk again and importing the configuration back should remove the need to maintain a console, and the incessant barrage of TLS ClientHello messages doesn't have to be dealt with.