SSL errors, verbosity level

Posted by shiz
July 07, 2018 05:40PM
Hi,

I see those messages in my error logs daily.

```
2018/07/07 08:01:32 [crit] 31935#31935: *342781 SSL_do_handshake() failed
(SSL: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol) while SSL
handshaking, client: 173.208.91.177, server: 0.0.0.0:443
2018/07/07 08:06:24 [crit] 31939#31939: *343099 SSL_do_handshake() failed
(SSL: error:1420918C:SSL
routines:tls_early_post_process_client_hello:version too low) while SSL
handshaking, client: 141.212.122.16, server: 0.0.0.0:443
```

Is there a way to increase verbosity, i.e. which protocol is unsupported?
which version is too low?

Nginx 1.15.1, supporting TLSv1.2, TLSv1.3 draft 23, OpenSSL-1.1.1-pre2

Not sure if it could be done within nginx, maybe OpenSSL source has to be
edited?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280446,280446#msg-280446

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
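The two log lines above already spell out the OpenSSL reason, but when hundreds of them arrive a day the useful question is who is sending them and how many distinct failure reasons there are. The following is an added example for this thread, not nginx or OpenSSL code: it parses nginx's `SSL_do_handshake() failed` lines, splits the packed OpenSSL 1.1.x error code (8 bits library, 12 bits function, 12 bits reason) into its numeric parts, and counts failures per reason and per client. The sample log is the thread's two lines re-joined onto single lines plus two constructed lines (a repeat from the same client and an unrelated non-SSL error) to show the aggregation and the skip path.

```python
"""Summarise SSL handshake failures from an nginx error log (added example)."""
import re
from collections import Counter

# Shape of the lines nginx writes when SSL_do_handshake() fails.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) SSL_do_handshake\(\) failed "
    r"\(SSL: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^)]+)\) while SSL handshaking, client: (?P<client>[^,]+), "
    r"server: (?P<server>\S+)$")

# Constructed sample: lines 1 and 2 are the thread's own (re-joined),
# lines 3 and 4 are made up for this example.
SAMPLE_LOG = [
    "2018/07/07 08:01:32 [crit] 31935#31935: *342781 SSL_do_handshake() failed "
    "(SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:"
    "unsupported protocol) while SSL handshaking, client: 173.208.91.177, "
    "server: 0.0.0.0:443",
    "2018/07/07 08:06:24 [crit] 31939#31939: *343099 SSL_do_handshake() failed "
    "(SSL: error:1420918C:SSL routines:tls_early_post_process_client_hello:"
    "version too low) while SSL handshaking, client: 141.212.122.16, "
    "server: 0.0.0.0:443",
    "2018/07/07 08:06:25 [crit] 31939#31939: *343100 SSL_do_handshake() failed "
    "(SSL: error:1420918C:SSL routines:tls_early_post_process_client_hello:"
    "version too low) while SSL handshaking, client: 141.212.122.16, "
    "server: 0.0.0.0:443",
    "2018/07/07 08:07:01 [error] 31939#31939: *343101 open() "
    "\"/var/www/html/favicon.ico\" failed (2: No such file or directory), "
    "client: 192.0.2.10, server: example.com, request: \"GET /favicon.ico HTTP/1.1\"",
]


def split_error_code(code_hex: str) -> dict:
    """Decompose an OpenSSL 1.1.x packed error code: LL FFF RRR (hex digits)."""
    code = int(code_hex, 16)
    return {"lib_num": code >> 24,             # 0x14 = 20 = ERR_LIB_SSL
            "func_num": (code >> 12) & 0xFFF,  # the SSL_F_* function id
            "reason_num": code & 0xFFF}        # the SSL_R_* reason id


def parse_line(line: str):
    """Return a dict for an SSL handshake failure line, None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(split_error_code(rec["code"]))
    return rec


def summarise(lines):
    """Count handshake failures per reason text and per (client, reason)."""
    by_reason, by_client = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_reason[rec["reason"]] += 1
        by_client[(rec["client"], rec["reason"])] += 1
    return by_reason, by_client


if __name__ == "__main__":
    by_reason, by_client = summarise(SAMPLE_LOG)
    for reason, n in by_reason.most_common():
        print(f"{n:4d}  {reason}")
    for (client, reason), n in by_client.most_common():
        print(f"{n:4d}  {client}  {reason}")
```

The numeric reason from the code can be cross-checked with `openssl errstr 14209102`, which prints the same library/function/reason text the log shows; the parser keeps the text because it is what the log carries. Note that once these failures are logged at `info` level they no longer appear at nginx's default `error_log` severity, so a log-level of `info` is needed on the `error_log` directive if you still want to feed them to a summary like this.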
Sergey Kandaurov
Re: SSL errors, verbosity level
July 10, 2018 07:50PM

This may be caused by TLSv1.3 version draft mismatch as found
in CH supported_versions. You may want to update OpenSSL.

--
Sergey Kandaurov

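The reply above points at the supported_versions extension in the ClientHello (CH), which is where a TLS 1.3 client lists the versions it will accept; during the drafts each draft had its own codepoint (0x7f00 plus the draft number, so draft 23 is 0x7f17 and draft 28 is 0x7f1c), and the final protocol is 0x0304. The block below is an added example for this thread, not nginx or OpenSSL code: it builds a minimal ClientHello (constructed sample input), reads back legacy_version and supported_versions, and runs a simplified model of how an OpenSSL 1.1.1 server picks a version. The server set mirrors the one in the thread (TLSv1.2 plus draft 23). The mapping of outcomes to the two reason strings is my reading of ssl_choose_client_version(): with the extension present and no common version the server reports "unsupported protocol"; without the extension, a version the library knows but the configuration disables also gives "unsupported protocol", while a version the library does not have at all (SSLv3 and below in a default build) gives "version too low". Treat that mapping as an assumption to verify against your OpenSSL source, not as something the thread states.

```python
"""Decode the version fields of a TLS ClientHello (added example)."""
import struct

EXT_SUPPORTED_VERSIONS = 43      # extension type of supported_versions
# The thread's server: TLSv1.2 and TLS 1.3 draft 23 enabled; SSLv3 not built.
SERVER_ENABLED = {0x0303, 0x7F17}
SERVER_KNOWN = {0x0301, 0x0302, 0x0303, 0x7F17}


def version_name(v: int) -> str:
    """Human name for a 16-bit TLS version codepoint."""
    if v >> 8 == 0x7F:           # TLS 1.3 draft codepoints: 0x7f00 | draft number
        return f"TLSv1.3-draft{v & 0xFF}"
    return {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}.get(v, f"unknown(0x{v:04x})")


def build_client_hello(legacy_version: int, supported_versions=None) -> bytes:
    """Construct a minimal ClientHello record (sample input, not a real capture)."""
    exts = b""
    if supported_versions is not None:
        body = bytes([2 * len(supported_versions)]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    hello = (struct.pack("!H", legacy_version)
             + bytes(32)                              # client random (zeros here)
             + b"\x00"                                # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
             + b"\x01\x00"                            # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big")      # handshake type + length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs) + len(hello)) + hs + hello


def parse_client_hello(record: bytes) -> dict:
    """Return legacy_version and the supported_versions list (None if absent)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9                                             # past record + handshake headers
    legacy = struct.unpack_from("!H", record, p)[0]; p += 2
    p += 32                                           # random
    p += 1 + record[p]                                # session_id
    p += 2 + struct.unpack_from("!H", record, p)[0]   # cipher_suites
    p += 1 + record[p]                                # compression_methods
    supported = None
    if p < len(record):
        end = p + 2 + struct.unpack_from("!H", record, p)[0]; p += 2
        while p < end:
            etype, elen = struct.unpack_from("!HH", record, p); p += 4
            if etype == EXT_SUPPORTED_VERSIONS:
                n = record[p]                         # byte length of the list
                supported = [struct.unpack_from("!H", record, p + 1 + 2 * i)[0]
                             for i in range(n // 2)]
            p += elen
    return {"legacy_version": legacy, "supported_versions": supported}


def choose_version(hello: dict, enabled, known) -> tuple:
    """Simplified model (assumption) of OpenSSL 1.1.1 server version selection.

    Returns (chosen_version, None) or (None, reason_text).
    """
    offered = hello["supported_versions"]
    if offered is not None:
        usable = [v for v in offered if v in enabled]
        if usable:
            return max(usable), None                  # highest mutually supported
        return None, "unsupported protocol"
    v = min(hello["legacy_version"], 0x0303)          # no extension: at most TLS 1.2
    if v in enabled:
        return v, None
    if v in known:                                    # known, but disabled by config
        return None, "unsupported protocol"
    return None, "version too low"                    # the library has no such method


if __name__ == "__main__":
    scenarios = {
        "browser offering draft 28 then TLS 1.2": build_client_hello(
            0x0303, [0x7F1C, 0x0303, 0x0302, 0x0301]),
        "probe offering draft 28 only": build_client_hello(0x0303, [0x7F1C]),
        "TLS 1.0 client, no extension": build_client_hello(0x0301),
        "SSLv3-only client": build_client_hello(0x0300),
    }
    for label, rec in scenarios.items():
        h = parse_client_hello(rec)
        chosen, reason = choose_version(h, SERVER_ENABLED, SERVER_KNOWN)
        offered = [version_name(v) for v in (h["supported_versions"] or [h["legacy_version"]])]
        outcome = version_name(chosen) if chosen else f"handshake fails: {reason}"
        print(f"{label}: offered {offered} -> {outcome}")
```

The first scenario is the interesting one for the draft-mismatch theory: a browser that lists draft 28 and then TLS 1.2 in supported_versions still negotiates TLS 1.2 against a draft 23 server, so a draft mismatch only produces "unsupported protocol" when the client offers nothing the server can use. Running the same decoder over a packet capture of the failing connections (with `tcpdump -w` on port 443, then feeding each ClientHello record in) answers the original question of which version the rejected clients actually asked for.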
shiz
Re: SSL errors, verbosity level
July 10, 2018 08:20PM
> You may want to update OpenSSL.

Thanks, but I did, and almost no browser was able to use draft 26 or 28.
Therefore I downgraded OpenSSL from 1.1.1-pre8 to 1.1.1-pre2 (draft 23).

Although TLS 1.3 has been finalized, OpenSSL 1.1.1 is still a work in
progress.

Tested with latest Opera, Palemoon, Blackhawk, Vivaldi and Slimjet. I don't
use Chrome nor Firefox.

Had to disable CT too; it was generating way too many errors from older browsers.
It seems that project has been unmaintained for a year.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280446,280486#msg-280486

Frank Liu
Re: SSL errors, verbosity level
July 11, 2018 02:20AM
Those unsupported SSL version messages should be at "info" level instead of
"crit", just like other SSL-related errors.
Applying the patch below should make your error log cleaner:

https://nginx.googlesource.com/nginx/+/6853c9c868504432ffadb8a7ca58ce8e50a83450%5E%21/

shiz
Re: SSL errors, verbosity level
July 11, 2018 03:20PM
> Those unsupported ssl version messages should be in "info" level

That is a very useful patch, many thanks, Frank.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280446,280496#msg-280496

Frank Liu
Re: SSL errors, verbosity level
July 11, 2018 06:30PM
Glad it works, and thanks to Piotr Sikora for the patch!

Since you are using a newer OpenSSL, you may want to apply this patch:
https://nginx.googlesource.com/nginx/+/ec0b8aad6ca3cb37e03d1c06e42f110e4737af1f%5E%21/


shiz
Re: SSL errors, verbosity level
July 11, 2018 09:10PM
> Since you are using newer openssl, you may want to apply this patch

I agree, many thanks to Piotr Sikora and to you, Frank!

2nd patch applied as well.

My error log is a lot more readable now. I can see those real critical
messages without being cluttered by meaningless/unfixable SSL issues.

Any chance those are merged into nginx 1.15.2?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280446,280504#msg-280504

Richard Stanway
Re: SSL errors, verbosity level
July 13, 2018 01:20PM
I'd also like to voice support for having this patch upstream. I've been
using a similar patch ever since requiring TLS 1.2, as the error log is
filled with "critical" version errors otherwise.

Frank Liu
Re: SSL errors, verbosity level
July 17, 2018 01:10AM
Thanks, Maxim. Those two patches are now merged upstream:
http://mailman.nginx.org/pipermail/nginx-devel/2018-July/011287.html
http://mailman.nginx.org/pipermail/nginx-devel/2018-July/011288.html

