• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5244

mod_ssl, "SSL handshake failed" on error_log

I'm running Oracle HTTP-server (which basically is just Apache 1.3.?) with mod_ssl on Win32-platform.

HTTPS seems to be working quite well with my self signed certificate. However, my error_log is filling with lines like this:

[Wed Oct 10 15:56:43 2007] [error] mod_ssl: SSL handshake failed (server xxx.xxx.xxx:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows)
[Wed Oct 10 15:56:43 2007] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Since everything seems to be working, I'm not inclined to spend too much time figuring this out myself, so I thought of turning to the experts instead.

The question is; what is happening, and how (if there is a way) can I get rid of it?
Asked by DiscoNova

1 Solution

DiscoNova (Author) commented:
Perhaps it is also worth mentioning that the server is behind a firewall and there is NAT in place. However, the firewall used (SmoothWall) has been configured to pass port 443 directly to my computer.

rbkumaran commented:
There is a mismatch in the SSL versions between the server/client.

If I'm right, your server is running SSL3 while the client is trying to authenticate with V2 or less.

DiscoNova (Author) commented:
Ok, is there a way to control this in Apache, so that it'd default to V2 instead of "something else"?

Because unfortunately, I can not control the client environment (as it is whatever the browser vendors choose to include :) .... or should I just blissfully ignore the error messages in the log?
rbkumaran commented:
Ok. In apache, the directives (config) for the https site will have something similar to "SSLEngine On"

Look for the directive and add a new line "SSLProtocol all"

Restart your webserver. That should help.
 
DiscoNova (Author) commented:
I implemented this suggestion and the server got up as nicely as ever. Now I'll need to wait for a while to see if this had any effect.

I can't know when the next user which would've triggered this enters, but usually there have been multiple tries in an hour, so I'll wait at least a couple before deciding whether this is the accepted solution or not.
 
DiscoNova (Author) commented:
Unfortunately it seems like the errors still keep appearing.

The strange thing is that the errors mention IP-addresses that are something I'd never expect to connect to the server - it is a development test server, and I know geographically quite precisely where our testers will be connecting from ... however the error logs show that the connections come from all over the world (a fact, which in itself is somewhat unnerving).
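As an added example (not part of the original thread), here is a small Python script that does the triage described above: it pairs each mod_ssl "SSL handshake failed" line with the OpenSSL line that follows it, counts failures per client address, and flags addresses that fall outside the networks the testers are expected to use or that fail repeatedly. The log lines, the addresses and the expected-network range are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample error_log excerpt in the format quoted in the question.
# Addresses are from documentation ranges; they are not real clients.
SAMPLE_LOG = """\
[Wed Oct 10 15:56:43 2007] [error] mod_ssl: SSL handshake failed (server 192.0.2.10:443, client 198.51.100.7) (OpenSSL library error follows)
[Wed Oct 10 15:56:43 2007] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Wed Oct 10 15:57:02 2007] [error] mod_ssl: SSL handshake failed (server 192.0.2.10:443, client 198.51.100.7) (OpenSSL library error follows)
[Wed Oct 10 15:57:02 2007] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Wed Oct 10 16:03:11 2007] [error] mod_ssl: SSL handshake failed (server 192.0.2.10:443, client 203.0.113.42) (OpenSSL library error follows)
[Wed Oct 10 16:03:11 2007] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Wed Oct 10 16:03:11 2007] [error] mod_ssl: SSL handshake failed (server 192.0.2.10:443, client 198.51.100.7) (OpenSSL library error follows)
[Wed Oct 10 16:03:11 2007] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Wed Oct 10 16:05:00 2007] [notice] Apache/1.3 configured -- resuming normal operations
"""

# First line of each failure: timestamp, server endpoint, client address.
HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (?P<server>\S+), client (?P<client>\S+)\)"
)
# Second line: the OpenSSL error code and its colon-separated reason string.
OPENSSL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]+):(?P<reason>.*)$"
)


def parse_handshake_failures(log_text):
    """Return one dict per failed handshake, with the OpenSSL reason attached
    when the following log line supplies it."""
    events = []
    pending = None
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            pending = {"ts": m["ts"], "server": m["server"],
                       "client": m["client"], "reason": None}
            events.append(pending)
            continue
        m = OPENSSL_RE.match(line)
        if m and pending is not None and pending["reason"] is None:
            # Keep only the human-readable tail, e.g. "wrong version number".
            pending["reason"] = m["reason"].rsplit(":", 1)[-1]
            pending = None
    return events


def summarize(events, expected_networks, threshold=3):
    """Aggregate failures per client and flag addresses that are outside the
    expected networks or that fail at least `threshold` times."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    per_client = Counter(e["client"] for e in events)
    reasons = Counter(e["reason"] or "unknown" for e in events)
    unexpected = sorted(
        ip for ip in per_client
        if not any(ipaddress.ip_address(ip) in n for n in nets)
    )
    noisy = sorted(ip for ip, count in per_client.items() if count >= threshold)
    return {"per_client": dict(per_client), "reasons": dict(reasons),
            "unexpected": unexpected, "noisy": noisy}


if __name__ == "__main__":
    found = parse_handshake_failures(SAMPLE_LOG)
    # "203.0.113.0/24" stands in for the network the testers connect from (constructed).
    report = summarize(found, expected_networks=["203.0.113.0/24"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Addresses that appear in both the "unexpected" and "noisy" lists are the ones worth checking against the firewall's own logs before assuming a browser compatibility problem; a single failure from a known tester network is far more likely to be a real client with an incompatible protocol version.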
 
DiscoNova (Author) commented:
It turned out that the error messages are caused by script-kiddies attempting to use a known security vulnerability of Apache+mod_ssl (openssl-too-open, http://www.symantec.com/avcenter/attack_sigs/s20343.html and http://www.oracle.com/technology/deploy/security/htdocs/opensslAlert.html offer more detailed information) for which exploit code is readily available.

My findings mean that no matter what I do, the error messages won't be going away from the error logs before the script-kiddies are eradicated from the planet. Somehow I don't see that happening any day soon.
 
DiscoNova (Author) commented:
For the record, I would like to comment that I accepted rbkumaran's answer even though it was *not* the correct one _this_time_, based on that I believe - had my problem not been caused by script-kiddies (but instead real users with differing protocol version implemented in their browser as the error messages suggested) - his answer would have been the correct one. I definitely wanted to award the effort, and since someone else may find his solution to another, similar problem with the same symptoms... I see no problem in doing so.
 
rbkumaran commented:
Well, there is certainly a security implication in using SSL V2 and hence there is a chance of someone taking chance with the vulnerability.

Otherwise, I think if the error is from a legal IP then the solution is to enable the client requested protocol version. Although, the best would be to get the user to upgrade the browser, but again there comes the question of how many users to advise???

If I were you, I personally would disable the V2 protocol against taking chance by enabling the vulnerable protocol.
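The two SSLProtocol settings discussed in this thread (the suggested "SSLProtocol all" and the closing advice to disable V2) differ only in which protocol set they leave enabled. As an added example, not from the thread and not mod_ssl's own code, here is a Python helper that evaluates an SSLProtocol argument list the way mod_ssl's directive parser does (tokens processed left to right; "+" adds, "-" removes, a bare name replaces the set built so far, and "all" expands to every protocol the 1.3-era module knows) and audits a config fragment for SSLv2. The two config fragments are constructed; the default of "all" when no directive is present is an assumption that matches old mod_ssl behaviour.

```python
import re

# Protocol names understood by mod_ssl for Apache 1.3; "all" expands to these.
# Later mod_ssl versions add TLSv1.1/TLSv1.2, which this helper does not model.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")

# Constructed fragments: the setting suggested in the thread, and a hardened variant.
SUGGESTED_CONF = """\
<VirtualHost _default_:443>
    SSLEngine On
    SSLProtocol all
</VirtualHost>
"""

HARDENED_CONF = """\
<VirtualHost _default_:443>
    SSLEngine On
    # keep SSLv3 and TLSv1, drop SSLv2
    SSLProtocol all -SSLv2
</VirtualHost>
"""


def parse_sslprotocol(value):
    """Return the set of protocols enabled by an SSLProtocol argument list."""
    enabled = set()
    for token in value.split():
        if token[0] in "+-":
            action, name = token[0], token[1:]
        else:
            action, name = None, token
        lowered = name.lower()
        if lowered == "all":
            selected = set(PROTOCOLS)
        else:
            matches = [p for p in PROTOCOLS if p.lower() == lowered]
            if not matches:
                raise ValueError(f"unknown protocol {name!r}")
            selected = {matches[0]}
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            # A bare name replaces the set built so far; mod_ssl logs a warning
            # when this overrides earlier tokens, because a +/- is usually intended.
            enabled = selected
    return enabled


def find_sslprotocol(conf_text):
    """Return the arguments of the last SSLProtocol directive in a config, or None.
    Directive names are case-insensitive; whole-line '#' comments are skipped."""
    found = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)^SSLProtocol\s+(.+)$", line)
        if m:
            found = m.group(1).strip()
    return found


def audit_config(conf_text, default="all"):
    """Evaluate the effective protocol set of a config fragment and flag SSLv2."""
    value = find_sslprotocol(conf_text)
    enabled = parse_sslprotocol(value if value is not None else default)
    return {"directive": value, "enabled": sorted(enabled),
            "sslv2_enabled": "SSLv2" in enabled}


if __name__ == "__main__":
    for label, conf in (("suggested", SUGGESTED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_config(conf))
```

Because a bare protocol name replaces everything before it, "SSLProtocol SSLv3 TLSv1" ends up enabling only TLSv1; the subtractive form "all -SSLv2" is the unambiguous way to express "everything except V2".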
