Bug #2865

closed

(open)SSL errors in lighttpd/1.4.48

Added by chris.h about 6 years ago. Updated about 6 years ago.

Status:
Invalid
Priority:
Normal
Category:
TLS
Target version:
-
Description

I've recently spun up a copy of lighty on one of our servers, and while I'm new to lighty, I think I have a good enough grasp on how to operate it correctly. :-)
To the point: in using this, the server I'm using it on serves up 4 domains off a single IP.
Only 2 of the domains use Certs, and even if only serving 1 domain over port 443, the same errors occur in the logs:

(mod_openssl.c.1496) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

This was probably the client.
(mod_openssl.c.1496) SSL: 1 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number

That could be either server, or client (or both).
(mod_openssl.c.1496) SSL: 1 error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Either server/openssl, or both. There is some indication that openssl may be to blame
(https://mta.openssl.org/pipermail/openssl-dev/2015-September/002836.html).
But this is from some time ago, and we're on OpenSSL 1.0.2n. So I think not.
The following conditions are set for HTTPS/443:
ssl.disable-client-renegotiation = "enable"
$SERVER["socket"] == "WW.XX.YY.ZZ:443" {
    ssl.engine                  = "enable"
    ssl.pemfile                 = conf_dir + "/certs/domain.tld.pem"
    ssl.dh-file                 = "/usr/local/share/certs/dhparam.pem"
    ssl.ec-curve                = "secp384r1"
    ssl.use-sslv2               = "disable"
    ssl.use-sslv3               = "disable"
    ssl.honor-cipher-order      = "enable"
    ssl.cipher-list             = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    $HTTP["host"] =~ "(^|\.)domain\.tld$" {
        server.document-root = server_root + "/domain.tld"

        ssl.pemfile                 = conf_dir + "/certs/domain.tld.pem"
        ssl.ca-file                 = conf_dir + "/certs/fullchain1.pem"

        accesslog.filename = log_root + "/domain-tld-SSLaccess.log"
    }
}

domain.tld represents the server (HOST) itself, and is the test case when attempting to determine whether it's a config problem (user error) or whether it's lighty/openssl.
IOW, the errors appear whether there are one or several HOSTS/domains involved in the (lighty) config.

Any thoughts, or suggestions?

Thanks!
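As an added example (not part of the report and not lighttpd's own code), a small Python script that parses mod_openssl error lines of the form quoted above, unpacks the OpenSSL 1.0.x packed error code into its library/function/reason numbers, and tallies how often each distinct failure occurs, so you can see which of the three errors dominates before deciding whether to look at the server or at the clients. The log excerpt is constructed from the lines quoted in the report plus one unrelated line.

```python
import re
from collections import Counter

# Constructed sample excerpt in the lighttpd 1.4.48 mod_openssl error-log format quoted above.
SAMPLE_LOG = """\
(mod_openssl.c.1496) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
(mod_openssl.c.1496) SSL: 1 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
(mod_openssl.c.1496) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
(mod_openssl.c.1496) SSL: 1 error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
2018-01-01 00:00:00: (log.c.217) server started
"""

LINE_RE = re.compile(
    r"\(mod_openssl\.c\.(?P<src_line>\d+)\) SSL: (?P<ssl_ret>-?\d+) "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)
ERR_LIB_SSL = 20  # OpenSSL 1.0.x library number for libssl, printed as "SSL routines"

def decode_code(code_hex):
    """Unpack a 1.0.x packed error code: 8-bit library, 12-bit function, 12-bit reason."""
    code = int(code_hex, 16)
    return {"lib_id": code >> 24, "func_id": (code >> 12) & 0xFFF, "reason_id": code & 0xFFF}

def parse_line(line):
    """Parse one mod_openssl error line (with or without a timestamp prefix); None otherwise."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(decode_code(rec["code"]))
    return rec

def summarize(log_text):
    """Tally each distinct (code, function, reason); return (counts, unrelated lines)."""
    counts, other = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            other.append(line)
        else:
            counts[(rec["code"], rec["func"], rec["reason"])] += 1
    return counts, other

if __name__ == "__main__":
    counts, other = summarize(SAMPLE_LOG)
    for (code, func, reason), n in counts.most_common():
        d = decode_code(code)
        print(f"{n:4d} {code} lib={d['lib_id']} func={d['func_id']} reason={d['reason_id']} {func}: {reason}")
    print(f"{len(other)} non-TLS line(s) ignored")
```

Point it at the real error log and the most frequent code tells you where to start; a high count of "unknown protocol" in the client-hello path is the pattern to compare against what openssl s_client produces.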

Actions #1

Updated by avij about 6 years ago

I hope you don't have an additional ssl.engine = "enable" outside that $SERVER["socket"] == "WW.XX.YY.ZZ:443" block. Otherwise lighttpd would enable TLS support for port 80 traffic, and that's not going to end well.

Actions #2

Updated by chris.h about 6 years ago

avij wrote:

I hope you don't have an additional ssl.engine = "enable" outside that $SERVER["socket"] == "WW.XX.YY.ZZ:443" block. Otherwise lighttpd would enable TLS support for port 80 traffic, and that's not going to end well.

Well, that'd be pretty dumb. Now wouldn't it? :-()
Nope. Only within the $SERVER["socket"] == "WW.XX.YY.ZZ:443" block. :-)

--Chris

Actions #3

Updated by gstrauss about 6 years ago

I've recently spun up a copy of lighty on one of our servers, and while I'm new to lighty, I think I have a good enough grasp on how to operate it correctly. :-)

...

Any thoughts, or suggestions?

Well, by your post, you seem to be implying that everyone, or at least many people, using lighttpd with SSL should be experiencing this since you filed this as a bug. Hint: that's probably not the case, and since you're new to lighttpd, please consider asking questions like "did I do it right?" in the forums, not as (poorly filled out) bug reports. Case in point: you did not tell us what client you are using. Did you try using multiple different clients to see what results you get with different clients? Maybe try with 'openssl s_client ...' ?

Also, basic troubleshooting steps include trying as simple a config as possible before adding things back and trying again. Try (temporarily) commenting out all ssl.* lines except ssl.engine, ssl.pemfile, and ssl.ca-file.

Actions #4

Updated by gstrauss about 6 years ago

  • Status changed from New to Invalid
  • Target version deleted (1.4.x)

I see no errors when testing this configuration on my system with openssl 1.1.0g and using openssl s_client -connect 127.0.0.1:8443. Besides openssl version, my configuration is different from the above in port number (8443), no ssl.dh-file, and (obviously) uses a different cert.
