Hi,

For 2 or 3 weeks now, I have been getting some new types of log errors, related to SSL, on an Apache2 and Dovecot server I'm managing.

------------------------------------------------------------------------------
Apache2:
[Fri Jul 26 09:47:39 2013] [error] [client 222.240.68.221] Invalid method in request \x16\x03\x01
[Fri Jul 26 09:47:40 2013] [error] [client 222.240.68.221] rejecting client initiated renegotiation
[Fri Jul 26 12:41:32 2013] [error] [client 115.205.7.94] rejecting client initiated renegotiation
[Fri Jul 26 15:39:38 2013] [error] [client 24.14.226.8] Invalid method in request \x80w\x01\x03\x01
[Fri Jul 26 18:41:33 2013] [error] [client 117.14.153.45] Invalid method in request \x16\x03\x01
[Fri Jul 26 22:36:06 2013] [error] [client 175.17.208.60] Invalid method in request \x16\x03\x01
[Fri Jul 26 22:36:07 2013] [error] [client 175.184.167.104] rejecting client initiated renegotiation

Dovecot:
Jul 27 06:28:34 HOSTNAME dovecot: imap-login: Disconnected (no auth attempts): rip=112.80.210.152, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
Jul 27 06:28:35 HOSTNAME dovecot: pop3-login: Disconnected (no auth attempts): rip=59.53.131.117, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
------------------------------------------------------------------------------

The SSL config for A2 and Dovecot (imaps and pop3s) seems OK, as I do not get those errors on the only website using SSL on this server, nor with Dovecot on port 993 (imaps) and 995 (pop3s).

Most of the IP addresses are from places I am not related with and look like the IP addresses often getting caught in the Fail2ban net running on this server.

According to the openssl documentation:

"UM"/"unexpected message"
An inappropriate message was received. This alert is always fatal and should never be observed in communication between proper implementations.

I understood that it is an unexpected message, but I still do not understand why that is happening.

Has somebody with a server on the net seen this kind of log, or have an idea about what the reason can be?

I am running an i686 Squeeze server with very few websites in http and 1 in https under A2, and a mail server with postfix and dovecot.

Thanks!

PS: In the meantime, I have set up some new rules on Fail2ban to ban those IPs.

PS2: Sometimes, at the same time on Apache and Dovecot, I got this request from 3 different IP addresses, as below:

------------------------------------------------------------------------------
Aug 2 01:37:46 HOSTNAME dovecot: imap-login: Disconnected (no auth attempts): rip=117.14.149.176, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message (Dovecot's info log)
Aug 2 01:37:47 HOSTNAME dovecot: pop3-login: Disconnected (no auth attempts): rip=112.67.217.26, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message (Dovecot's info log)
[Fri Aug 02 01:37:46 2013] [error] [client 210.72.157.240] Invalid method in request \x16\x03\x01 (Apache2's error log)
------------------------------------------------------------------------------

Below are the logs of the tests I did to check my SSL configs.

------------------------------------------------------------------------------
mett@asus:~$ telnet EXT.ERN.AL.IP 443 (localhost works as well)
Trying EXT.ERN.AL.IP...
Connected to EXT.ERN.AL.IP.
Escape character is '^]'.
GET /
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a href="https://Dom.Main/"><b>https://Dom.Main/</b></a></blockquote></p>
<hr>
<address>Apache Server at Dom.Main Port 443</address>
</body></html>
Connection closed by foreign host.
------------------------------------------------------------------------------

------------------------------------------------------------------------------
openssl s_client -connect EXT.ERN.AL.IP:443 (localhost works as well)
---
(shortened)
---
No client certificate CA names sent
---
SSL handshake has read 1466 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: 66B2ACB65D2703674D688E0FA68BB79FA104BD4FB21CABC6A76D1A3732F56527
    Session-ID-ctx:
    Master-Key: 5BEBB7B864BDD2F7BD9883A0A268EEFE39DD674502463E2912D337BBA57ED3FF2CDBFB1C4769B6B5AF6B1EAF664704B0
    Key-Arg : None
    Start Time: 1374893309
    Timeout : 300 (sec)
    Verify return code: 18 (self signed certificate)
------------------------------------------------------------------------------

------------------------------------------------------------------------------
openssl s_client -connect EXT.ERN.AL.IP:993 (localhost and port 995 work as well)
---
(shortened)
---
No client certificate CA names sent
---
SSL handshake has read 1751 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: 65F922921530B8F83EDA1374F418F74158A09F22AF5E4BFE7708E297CE34F134
    Session-ID-ctx:
    Master-Key: 23C0360B61B7CD0B5FB29D6559746501C2F65F9BD5B302B828F6EEB5ADB93785C3E9E54005D6B6050BFF6087AB4ACD47
    Key-Arg : None
    Start Time: 1374894278
    Timeout : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a logout
* BYE Logging out
a OK Logout completed.
------------------------------------------------------------------------------
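
The escaped bytes in the Apache "Invalid method in request" lines above can be decoded and compared with the TLS record header and the SSLv2-format ClientHello layout. The following is an added example, not part of the original post; the function names are hypothetical and the sample lines are copied from the logs quoted in the post.

```python
import re

# Sample Apache error-log lines, copied from the post above.
SAMPLE = r"""
[Fri Jul 26 09:47:39 2013] [error] [client 222.240.68.221] Invalid method in request \x16\x03\x01
[Fri Jul 26 09:47:40 2013] [error] [client 222.240.68.221] rejecting client initiated renegotiation
[Fri Jul 26 15:39:38 2013] [error] [client 24.14.226.8] Invalid method in request \x80w\x01\x03\x01
""".strip().splitlines()

LINE = re.compile(r"\[client (?P<ip>[^\]]+)\] Invalid method in request (?P<raw>.*)$")
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def unescape(raw):
    """Turn Apache's \\xHH escapes back into the bytes the client sent."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return text.encode("latin-1")


def classify(data):
    """Name the protocol whose first bytes Apache read as an HTTP method."""
    # TLS record header: content type 0x16 (handshake), then major.minor version.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 3:
        return "TLS handshake record, " + VERSIONS.get((data[1], data[2]), "unknown version")
    # SSLv2-format hello: 2-byte length with the high bit set, message type 1
    # (ClientHello), then the highest protocol version the client offers.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        offered = VERSIONS.get((data[3], data[4]), "unknown version")
        return "SSLv2-format ClientHello, %d bytes, offering %s" % (length, offered)
    return "not a TLS/SSL hello"


def scan(lines):
    """Return (client_ip, classification) for every 'Invalid method' line."""
    hits = []
    for line in lines:
        m = LINE.search(line)
        if m:
            hits.append((m.group("ip"), classify(unescape(m.group("raw")))))
    return hits


if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE):
        print(ip, "->", verdict)
```

Both byte strings in the sample decode as the opening of a TLS/SSL handshake: Apache logged them at a point where it was expecting an HTTP method.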