OPNsense Forum » Archive » 16.1 Legacy Series » lighttpd SSL error records logged every minute in system log.
Topic: lighttpd SSL error records logged every minute in system log. (Read 32354 times)
jonkersa (Newbie, Posts: 1, Karma: 0)
lighttpd SSL error records logged every minute in system log.
« on: May 17, 2016, 09:05:19 pm »
Dear all,
Every minute the same three lines - displayed below - are recorded in the system log.
May 17 20:51:22 lighttpd[47368]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
May 17 20:51:22 lighttpd[47368]: (connections.c.291) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
May 17 20:51:22 lighttpd[47368]: (connections.c.291) SSL: 1 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
I don't have a clue why and what can be done to resolve it.
The version I'm running is:
OPNsense 16.1.13-amd64
FreeBSD 10.2-RELEASE-p14
OpenSSL 1.0.2h 3 May 2016
What other information could be useful? I'm running OpenVPN (client) with OpenSSL created by a Debian Wheezy PKI.
OPNsense administration (web)site is protected with a public certificate signed by StartCom Class 1 Primary Intermediate Server CA.
All services are functioning perfectly. Still I'm wondering what the log messages are telling me and how to solve them.
Thanks for any help.
Regards,
Jonkers A.
franco (Administrator, Hero Member, Posts: 17718, Karma: 1618)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #1 on: May 18, 2016, 08:04:10 am »
Hi there,
I think this is a remnant of the ABI breakage introduced by CVE-2016-0701[1][2] in January in both LibreSSL and OpenSSL (although LibreSSL was not affected they also adapted the code).
This will be fixed upstream eventually although it's just a spurious warning message.
Cheers,
Franco
--
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0701
[2] http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl-allows-attackers-to-decrypt-https-traffic/
franco (Administrator, Hero Member, Posts: 17718, Karma: 1618)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #2 on: May 23, 2016, 09:03:45 am »
It looks like at least LibreSSL 2.3.x update fixes this, it's queued up for 16.1.15, but I don't know the state of OpenSSL.
gstrauss (Newbie, Posts: 21, Karma: 4)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #3 on: August 02, 2016, 08:14:43 am »
*Some* of the noise can be disabled in lighttpd with debug.log-ssl-noise = "disable" added to lighttpd.conf
Had this been reported to lighttpd developers (https://redmine.lighttpd.net/projects/lighttpd/issues/new) in addition to this forum, lighttpd might have been able to work around additional openssl noise in lighttpd 1.4.41, just released 2016-07-31.
franco (Administrator, Hero Member, Posts: 17718, Karma: 1618)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #4 on: August 02, 2016, 08:39:39 am »
Hi gstrauss,
Neat, this week's 16.7.1 has a pending update for 1.4.40, not entirely sure we'll make it to 1.4.41 as we want critical components to "sink in" a bit after release. Should be in 16.7.2 tops. Thanks!
Cheers,
Franco
gstrauss (Newbie, Posts: 21, Karma: 4)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #5 on: August 02, 2016, 11:15:53 pm »
Hi franco, et al!
I highly recommend lighttpd 1.4.41 over 1.4.40. lighttpd 1.4.41 specifically addresses security issues like httpoxy, and bugs introduced in lighttpd 1.4.40.
gstrauss (Newbie, Posts: 21, Karma: 4)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #6 on: August 02, 2016, 11:18:45 pm »
FYI: it appears this added noise might be related to changes in openssl 1.0.2f. What version of openssl are you using?
nginx addressed a similar issue in https://trac.nginx.org/nginx/ticket/901
franco (Administrator, Hero Member, Posts: 17718, Karma: 1618)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #7 on: August 03, 2016, 12:09:38 am »
Then we'll skip 1.4.40, because I don't feel comfortable porting 1.4.41 to FreeBSD. Let's wait.
gstrauss (Newbie, Posts: 21, Karma: 4)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #8 on: August 03, 2016, 02:10:59 am »
It is fair to wait a bit to get a better sense of stability. Overall, 1.4.40 and 1.4.41 addressed hundreds of reported issues in lighttpd, and so 1.4.41 is expected to be much better than 1.4.39.
lighttpd works on FreeBSD. What "porting" do you mean with "I don't feel comfortable porting 1.4.41 to FreeBSD"?
gstrauss (Newbie, Posts: 21, Karma: 4)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #9 on: August 03, 2016, 06:50:06 am »
@jonkersa wrote
> Every minute the same three lines - displayed below - are recorded in the system log.
That is possibly caused by something performing a health-check each minute by making a TCP connection and then closing it, without negotiating TLS.
As mentioned above, please add debug.log-ssl-noise = "disable" to lighttpd.conf. That should quiet some of the warnings you are seeing. For the last remaining warning, "SSL routines:SSL_shutdown:shutdown while in init", a change has been pushed to lighttpd git master (post lighttpd 1.4.41) to skip SSL_shutdown() if TLS handshake has not yet completed.
https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/156bea38597ced5de7521ada2e85fb67aead21db
You'll have to backport that one-line patch to lighttpd 1.4.39, or upgrade to lighttpd 1.4.41 (highly recommended) and apply the patch.
It would be nice to get some feedback if this resolves the issue for you. Thank you.
@franco: please review https://www.lighttpd.net/2016/7/31/1.4.41/ for security fixes and other limited changes made in lighttpd 1.4.41. If you were planning to upgrade to lighttpd 1.4.40, you should hopefully be eager to upgrade to lighttpd 1.4.41 instead of staying on lighttpd 1.4.39 for another 6 months. (For all the improvements in lighttpd 1.4.40, see https://www.lighttpd.net/2016/7/16/1.4.40/)
franco (Administrator, Hero Member, Posts: 17718, Karma: 1618)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #10 on: August 03, 2016, 07:43:05 am »
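Added example (editor's own code, not lighttpd's or OPNsense's) tying together gstrauss's two points above: the hint in Reply #3 that debug.log-ssl-noise = "disable" quiets some of the lines, and the hypothesis in Reply #9 that a once-a-minute TCP health check closing the socket without negotiating TLS is what produces them. The script parses the three lighttpd SSL lines from the original post, classifies each OpenSSL reason string (the two client-hello errors mean the peer never sent a TLS record; "shutdown while in init" is the server calling SSL_shutdown() before the handshake finished, the one the linked commit skips), and checks whether the bursts recur at a fixed interval, which is the signature of a scheduled probe rather than of real clients. The sample log is constructed from the posted lines, extended by two more minutes; the grouping of one connection's errors by (pid, second) is an assumption, as is the mapping of which lines the log-ssl-noise option silences, which follows the thread rather than a reading of lighttpd's source. tls_health_check shows the replacement probe: one that completes the handshake, so it stops generating the noise and actually tests TLS.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the three lines quoted in the original post, repeated for
# two more minutes to model the once-a-minute pattern (not captured data).
SAMPLE_LOG = """\
May 17 20:51:22 lighttpd[47368]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
May 17 20:51:22 lighttpd[47368]: (connections.c.291) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
May 17 20:51:22 lighttpd[47368]: (connections.c.291) SSL: 1 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
May 17 20:52:22 lighttpd[47368]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
May 17 20:52:22 lighttpd[47368]: (connections.c.291) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
May 17 20:52:22 lighttpd[47368]: (connections.c.291) SSL: 1 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
May 17 20:53:22 lighttpd[47368]: (connections.c.1550) SSL: 1 -1 error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
May 17 20:53:22 lighttpd[47368]: (connections.c.291) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
May 17 20:53:22 lighttpd[47368]: (connections.c.291) SSL: 1 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
"""

# lighttpd's "(file.line) SSL: ... error:<code>:SSL routines:<func>:<reason>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) lighttpd\[(?P<pid>\d+)\]: "
    r"\((?P<src>[\w.]+)\) SSL: .*?error:(?P<code>[0-9A-Fa-f]{8}):"
    r"SSL routines:(?P<func>[^:]+):(?P<reason>.+)$"
)

def classify(reason):
    """Map the OpenSSL reason string to what it says about the connection."""
    if reason in ("unknown protocol", "wrong version number"):
        # The peer's first bytes were not a TLS record: a bare TCP probe, HTTP
        # sent to the HTTPS port, or a client speaking something else.
        return "not-a-tls-client-hello"
    if reason == "shutdown while in init":
        # Server called SSL_shutdown() before the handshake completed; the
        # lighttpd commit linked in the thread skips the call in that state.
        return "shutdown-before-handshake"
    return "other"

def parse_line(line):
    """Return a dict for a lighttpd SSL log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["when"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")  # syslog has no year
    d["category"] = classify(d["reason"])
    return d

def bursts(events):
    """Group events by (pid, second). Assumption: the errors for one aborted
    connection are logged by the same process within the same second."""
    groups = {}
    for e in events:
        groups.setdefault((e["pid"], e["when"]), []).append(e["category"])
    return sorted(groups.items(), key=lambda kv: kv[0][1])

def gaps_seconds(events):
    """Seconds between consecutive bursts."""
    times = [when for (_pid, when), _cats in bursts(events)]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def looks_like_periodic_probe(events, period=60.0, tolerance=2.0):
    """True when bursts recur at a fixed interval: a scheduled health check,
    not organic client traffic."""
    gaps = gaps_seconds(events)
    return len(gaps) >= 2 and all(abs(g - period) <= tolerance for g in gaps)

def triage(log_text):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    counts = Counter(e["category"] for e in events)
    return {
        "events": len(events),
        "counts": dict(counts),
        "bursts": len(bursts(events)),
        "gaps": gaps_seconds(events),
        "periodic_probe": looks_like_periodic_probe(events),
        # Per the thread: debug.log-ssl-noise = "disable" quiets the client-hello
        # lines, while the shutdown line needed the post-1.4.41 patch.
        "quieted_by_log_ssl_noise": counts["not-a-tls-client-hello"],
        "needs_upstream_patch": counts["shutdown-before-handshake"],
    }

def tls_health_check(host, port, timeout=5.0):
    """A probe that completes the TLS handshake before closing, so it neither
    trips the errors above nor passes while TLS is actually broken. Returns the
    negotiated protocol version. Needs network access; not run offline."""
    import socket
    import ssl
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real system log (cat the file into triage) and look at "gaps": a steady 60-second cadence points at whatever monitor is pointed at the web GUI port, and the two counters show how much of the noise the lighttpd.conf option alone would remove versus what needs the upgraded lighttpd. If the burst grouping by (pid, second) does not fit a given log, widen the key before trusting the cadence check.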
We're not going to stay on 1.4.39 for 6 months. It's just a matter of a week or two.
What I mean by porting is that FreeBSD's port seems overly complex. This was the update to 1.4.40: https://github.com/opnsense/ports/commit/b150c5d1cd2403b1c23e679f991a14f265eb397e
Since there are some patches there it's not trivial to upgrade. I honestly never tried it myself and it's a bit too late for experiments as we have 16.7.1 coming up to help with IPS mode in the kernel itself.
gstrauss (Newbie, Posts: 21, Karma: 4)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #11 on: August 03, 2016, 07:31:06 pm »
FYI: I have been working with pkubaj, the FreeBSD package maintainer. lighttpd 1.4.40 incorporates all existing patches added by FreeBSD except for those patches specific to the mysql auth (optional) feature. The reason why the FreeBSD 1.4.40 patch you linked is so large is that the *generated* Makefile is part of the patch, and that there are many removed lines due to removal of patch files that are now integrated into lighttpd 1.4.40. [edit] The largest part of that FreeBSD patch is that pkubaj renamed one of the mysql auth patch files.
« Last Edit: August 03, 2016, 07:34:19 pm by gstrauss »
franco (Administrator, Hero Member, Posts: 17718, Karma: 1618)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #12 on: August 03, 2016, 07:43:21 pm »
Thanks for the explanation. A trivial update for 1.4.41 was posted a few hours ago, but sets for tomorrow are already being built so it has to wait for 16.7.2. Sorry, I shall update tomorrow and see to an immediate test deployment of the latest version.
gstrauss (Newbie, Posts: 21, Karma: 4)
Re: lighttpd SSL error records logged every minute in system log.
« Reply #13 on: December 29, 2016, 10:30:56 am »
FYI: lighttpd 1.4.44 was released a few days ago. If you have any feedback, please post to #lighttpd on freenode or the lighttpd forums at https://redmine.lighttpd.net/projects/lighttpd/boards