
Suddenly, new types of SSL errors



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, 

For 2 or 3 weeks now, I have been getting some new types of log errors, related
to SSL, on an Apache2 and Dovecot server I'm managing.

------------------------------------------------------------------------------
Apache2:
[Fri Jul 26 09:47:39 2013] [error] [client 222.240.68.221] Invalid
method in request \x16\x03\x01 

[Fri Jul 26 09:47:40 2013] [error]
[client 222.240.68.221] rejecting client initiated renegotiation 

[Fri Jul 26 12:41:32 2013] [error] [client 115.205.7.94] rejecting
client initiated renegotiation 

[Fri Jul 26 15:39:38 2013] [error] [client 24.14.226.8] Invalid method
in request \x80w\x01\x03\x01 

[Fri Jul 26 18:41:33 2013] [error] [client 117.14.153.45] Invalid
method in request \x16\x03\x01 

[Fri Jul 26 22:36:06 2013] [error] [client 175.17.208.60] Invalid
method in request \x16\x03\x01 

[Fri Jul 26 22:36:07 2013] [error] [client 175.184.167.104] rejecting
client initiated renegotiation

Dovecot:
Jul 27 06:28:34 HOSTNAME dovecot: imap-login: Disconnected (no auth
attempts): rip=112.80.210.152, lip=EXT.ERN.AL.IP, TLS: SSL_read()
failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert
unexpected message 

Jul 27 06:28:35 HOSTNAME dovecot: pop3-login:
Disconnected (no auth attempts): rip=59.53.131.117, lip=EXT.ERN.AL.IP,
TLS: SSL_read() failed: error:140943F2:SSL
routines:SSL3_READ_BYTES:sslv3 alert unexpected message
------------------------------------------------------------------------------

The SSL config for A2 and Dovecot (imaps and pop3s) seems OK,
as I do not get those errors on the only website using SSL on this
server, nor with Dovecot on port 993 (imaps) and 995 (pop3s).

Most of the IP addresses are from places I have no relation with and
look like the IP addresses that often get caught in the Fail2ban net
running on this server.

According to openssl documentation:
"UM"/"unexpected message"

    An inappropriate message was received. This alert is always fatal
    and should never be observed in communication between proper
    implementations.

I understand that it is an unexpected message, but I still do not
understand why that is happening.

Has somebody with a server on the net seen this kind of log entry, or
does anyone have an idea what the reason could be?

I am running an i686 Squeeze server with very few websites in http and
1 in https under A2, and a mail server with postfix and dovecot.

Thanks!

PS: In the meantime, I have set up some new rules on Fail2ban to ban
those IPs.

PS2:
Sometimes, at the same time on Apache and Dovecot, I got this request
from 3 different IP addresses, as below:
------------------------------------------------------------------------------
Aug  2 01:37:46 HOSTNAME dovecot: imap-login: Disconnected (no auth
attempts): rip=117.14.149.176, lip=EXT.ERN.AL.IP, TLS: SSL_read()
failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert
unexpected message (Dovecot's info log)

Aug  2 01:37:47 HOSTNAME dovecot: pop3-login: Disconnected (no auth
attempts): rip=112.67.217.26, lip=EXT.ERN.AL.IP, TLS: SSL_read() failed:
error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected
message (Dovecot's info log)

[Fri Aug 02 01:37:46 2013] [error] [client 210.72.157.240] Invalid
method in request \x16\x03\x01 (Apache2's error log)
------------------------------------------------------------------------------




Below are the logs of the tests I did to check my SSL configs.
------------------------------------------------------------------------------
mett@asus:~$ telnet EXT.ERN.AL.IP 443 (localhost works as well)
Trying EXT.ERN.AL.IP...
Connected to EXT.ERN.AL.IP.
Escape character is '^]'.
GET /


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not
understand.<br /> Reason: You're speaking plain HTTP to an SSL-enabled
server port.<br /> Instead use the HTTPS scheme to access this URL,
please.<br /> <blockquote>Hint: <a
href="https://Dom.Main/";><b>https://Dom.Main/</b></a></blockquote></p>    
<hr> <address>Apache Server at Dom.Main Port 443</address>
</body></html>
Connection closed by foreign host.
------------------------------------------------------------------------------
openssl s_client -connect EXT.ERN.AL.IP:443 (localhost works as well)
---
(shortened)
---
No client certificate CA names sent
---
SSL handshake has read 1466 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 66B2ACB65D2703674D688E0FA68BB79FA104BD4FB21CABC6A76D1A3732F56527
    Session-ID-ctx:
    Master-Key: 5BEBB7B864BDD2F7BD9883A0A268EEFE39DD674502463E2912D337BBA57ED3FF2CDBFB1C4769B6B5AF6B1EAF664704B0
    Key-Arg   : None
    Start Time: 1374893309
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
------------------------------------------------------------------------------
openssl s_client -connect EXT.ERN.AL.IP:993 (localhost and port 995
work as well)
---
(shortened)
---
No client certificate CA names sent
---
SSL handshake has read 1751 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 65F922921530B8F83EDA1374F418F74158A09F22AF5E4BFE7708E297CE34F134
    Session-ID-ctx:
    Master-Key: 23C0360B61B7CD0B5FB29D6559746501C2F65F9BD5B302B828F6EEB5ADB93785C3E9E54005D6B6050BFF6087AB4ACD47
    Key-Arg   : None
    Start Time: 1374894278
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
AUTH=PLAIN AUTH=LOGIN] Dovecot ready. 
a logout
* BYE Logging out
a OK Logout completed.
------------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJR+zYzAAoJELURjTtpxqLubvUIALgzYpxL6kLwdQWyvgn51TFY
hOZv2SYfS+7lS2rLfm4QgJQRaaZxddazEW7Yb8kz1SO/4t5mZasqu117B6yJJ6f6
Wc3zyReA8Ogdsrlw5yII9W9wJrMvj6/t7+Dclqo1DiKtE61Vqh/TPMyh7PFvPN2P
d04ercdc9fpZAmN4Zl8De2lgy0s2bAi/xmIsnmkJbkHL3WIT8mihlmDPRyKiQwM5
zyvZILY9cy3/S2A23WRpArwTeWX8N/Dchex0+9EOhLx2Q0LmjC/8S4cnQ0f+vTXC
vCar1I2RQcBzZK2xbkirM/hLI8zVo3kJB9BINQkOLZALumH1ZBwfbwmbIIqt2kI=
=YoLs
-----END PGP SIGNATURE-----
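As an added illustration, not part of the original post and not code from the Apache, Dovecot or Fail2ban projects: a small Python script that classifies the three error shapes quoted above (Apache "Invalid method in request", Apache "rejecting client initiated renegotiation", Dovecot "sslv3 alert unexpected message"), extracts the client IP from each, and decodes the escaped bytes Apache prints after "Invalid method in request". Those bytes are the start of a TLS handshake, not an HTTP method: \x16\x03\x01 is a TLS record header (content type 0x16 = handshake, version 3.1 = TLS 1.0) and \x80w\x01\x03\x01 is an SSLv2-compatible CLIENT-HELLO record offering TLS 1.0, which is what Apache sees when a client speaks TLS to a listener that parses plain HTTP. The sample log lines, hostname and IP addresses are constructed (RFC 5737 documentation ranges); the per-IP threshold only mimics a Fail2ban maxretry count and is not a Fail2ban filter file.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines in the same shape as the Apache error-log and Dovecot
# info-log entries quoted in the post. IPs are RFC 5737 documentation addresses.
SAMPLE_LOGS = [
    r"[Fri Jul 26 09:47:39 2013] [error] [client 192.0.2.10] Invalid method in request \x16\x03\x01",
    r"[Fri Jul 26 09:47:40 2013] [error] [client 192.0.2.10] rejecting client initiated renegotiation",
    r"[Fri Jul 26 15:39:38 2013] [error] [client 198.51.100.7] Invalid method in request \x80w\x01\x03\x01",
    r"Jul 27 06:28:34 mail dovecot: imap-login: Disconnected (no auth attempts): rip=203.0.113.5, "
    r"lip=10.0.0.1, TLS: SSL_read() failed: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message",
    r"Jul 27 06:30:00 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.99, lip=10.0.0.1, TLS",
]

APACHE_RE = re.compile(r"^\[[^\]]+\] \[error\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$")
DOVECOT_RE = re.compile(
    r"dovecot: (?P<svc>\w+-login): Disconnected \(no auth attempts\): rip=(?P<ip>[0-9.]+), "
    r".*TLS: SSL_read\(\) failed: error:(?P<code>[0-9A-F]+):"
)
INVALID_METHOD_RE = re.compile(r"^Invalid method in request (?P<prefix>\S+)")

# Record-layer minor version -> protocol name (major version is always 3 here).
TLS_MINOR = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}


def decode_request_prefix(escaped: str) -> str:
    """Turn Apache's \\xNN-escaped request prefix into bytes and name the protocol header."""
    raw = escaped.encode("ascii").decode("unicode_escape").encode("latin-1")
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        # TLS record layer: content type 0x16 = handshake, then version major.minor
        return f"TLS record header: handshake, version 3.{raw[2]} ({TLS_MINOR.get(raw[2], '?')})"
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01 and raw[3] == 0x03:
        # SSLv2 record: high bit set, 15-bit length, msg type 1 = CLIENT-HELLO, then version
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        return (f"SSLv2-compatible CLIENT-HELLO, {length} bytes, "
                f"offering version 3.{raw[4]} ({TLS_MINOR.get(raw[4], '?')})")
    return f"unrecognised prefix {raw!r}"


def classify(line: str) -> Optional[dict]:
    """Map one log line to source/ip/category; None for lines that are not TLS-related errors."""
    m = APACHE_RE.match(line)
    if m:
        msg = m.group("msg")
        im = INVALID_METHOD_RE.match(msg)
        if im:
            return {"source": "apache", "ip": m.group("ip"),
                    "category": "tls_handshake_as_http",
                    "detail": decode_request_prefix(im.group("prefix"))}
        if msg.startswith("rejecting client initiated renegotiation"):
            return {"source": "apache", "ip": m.group("ip"),
                    "category": "renegotiation_rejected", "detail": msg}
        return None
    m = DOVECOT_RE.search(line)
    if m:
        return {"source": f"dovecot/{m.group('svc')}", "ip": m.group("ip"),
                "category": "tls_alert", "detail": f"OpenSSL error {m.group('code')}"}
    return None


def summarize(lines, threshold: int = 2):
    """Count TLS-related errors per client IP and return the IPs at or above threshold.
    This mimics a Fail2ban maxretry count but ignores the findtime window."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit["ip"]] += 1
    offenders = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, offenders


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        hit = classify(line)
        if hit:
            print(f"{hit['ip']:15} {hit['source']:18} {hit['category']:24} {hit['detail']}")
    counts, offenders = summarize(SAMPLE_LOGS, threshold=2)
    print("per-IP counts:", dict(counts))
    print("at or above threshold:", offenders)
```

Running it against a real error log instead of SAMPLE_LOGS shows two things at once: which lines are TLS probes that never reached the HTTP or IMAP layer (so they are noise rather than a misconfiguration of the working SSL vhost and Dovecot ports), and which sources repeat often enough that a Fail2ban jail keyed on these patterns would pick them up.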
