Project

General

Profile

[Solved] mod_openssl.c ssl3_get_record:wrong version number; tls_early_post_process_client_hello:version too low

Added by lcn about 1 month ago

My browser started to give me messages as in below screen shots:

Above error doesn't always occur to every page visit, but from time to time.

I did set SSL/TLS mode set to Full in Cloudflare, indicating this lighttpd server to communicate with Cloudflare Encrypts end-to-end, using a self signed certificate on the server as follows:

lighttpd.conf :

server.port=443
ssl.engine="enable" 
ssl.pemfile="/etc/lighttpd/ssl.pem" 

Debian Bullseye
openssl version 1.1.1k

error.log

2022-05-30 22:18:56: server.c.1976) server stopped by UID = 0 PID = 1
2022-05-30 22:18:57: server.c.1513) server started (lighttpd/1.4.59)
2022-05-30 23:19:21: mod_openssl.c.3095) SSL: 1 error:1408F10B:SSL routines:ssl3_get_record:wrong version number
2022-05-30 23:19:21: mod_openssl.c.3095) SSL: 1 error:1408F10B:SSL routines:ssl3_get_record:wrong version number
2022-05-30 23:29:09: mod_openssl.c.3095) SSL: 1 error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
2022-05-30 23:29:54: mod_openssl.c.3095) SSL: 1 error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2022-05-30 23:31:57: mod_openssl.c.3095) SSL: 1 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2022-05-30 23:31:58: mod_openssl.c.3095) SSL: 1 error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher
2022-05-30 23:31:58: mod_openssl.c.3095) SSL: 1 error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share
2022-05-31 00:00:01: server.c.1787) logfiles cycled UID = 0 PID = 828011
2022-05-31 01:58:27: mod_openssl.c.3095) SSL: 1 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2022-05-31 04:13:17: mod_openssl.c.3095) SSL: 1 error:1408F10B:SSL routines:ssl3_get_record:wrong version number
2022-05-31 05:25:57: mod_openssl.c.3095) SSL: 1 error:1408F09C:SSL routines:ssl3_get_record:http request
2022-05-31 06:28:39: mod_openssl.c.3095) SSL: 1 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2022-05-31 07:24:51: mod_openssl.c.3095) SSL: 1 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2022-05-31 07:24:52: mod_openssl.c.3095) SSL: 1 error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher
2022-05-31 07:24:53: mod_openssl.c.3095) SSL: 1 error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share
2022-05-31 11:09:50: mod_openssl.c.3095) SSL: 1 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2022-05-31 14:14:34: mod_openssl.c.3095) SSL: 1 error:1408F10B:SSL routines:ssl3_get_record:wrong version number
2022-05-31 15:01:22: mod_openssl.c.3095) SSL: 1 error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
2022-05-31 15:01:59: mod_openssl.c.3095) SSL: 1 error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2022-05-31 15:02:21: mod_openssl.c.3095) SSL: 1 error:1408F09C:SSL routines:ssl3_get_record:http request
2022-05-31 15:04:16: mod_openssl.c.3095) SSL: 1 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2022-05-31 15:04:16: mod_openssl.c.3095) SSL: 1 error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher
2022-05-31 15:04:17: mod_openssl.c.3095) SSL: 1 error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share
2022-05-31 15:59:59: mod_openssl.c.3095) SSL: 1 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2022-05-31 16:07:57: mod_openssl.c.3095) SSL: 1 error:1408F10B:SSL routines:ssl3_get_record:wrong version number

After I had encountered the error with my browser last night, I reloaded lighttpd but the same error persisted. Then I restarted lighttpd and the error message disappeared temporarily but it hits me now again.

Thank you in advance for help!


Replies (8)

RE: mod_openssl.c.3095 - Added by gstrauss about 1 month ago

There is very likely something else in your lighttpd.conf (or includes) which is causing this, but you have not shared your whole config.
Please see How to get help

The lighttpd TLS docs have more info about lighttpd TLS config.

Based on ssl3_get_record:wrong version number and tls_early_post_process_client_hello:version too low, you have probably configured lighttpd to deny anything below TLSv1.3. ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") may fix your misconfiguration.

RE: mod_openssl.c.3095 - Added by lcn 30 days ago

I much appreciate your prompt help!

I have added to lighttpd.conf just now the directive you suggested and made all (I think) the TLS related directives become below:

server.port=443
ssl.engine="enable" 
ssl.pemfile="/etc/lighttpd/ssl.pem" 
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")

Perhaps, and hopefully, my issue was because Cloudflare randomly tries TLSv1.2 or TLSv1.3, and lighttpd accepts only TLSv1.3 if MinProtocol is not specified.

I will keep an eye on error.log.

This ticket can be closed at this moment if I can come back for further help if any issue remains.

RE: mod_openssl.c.3095 - Added by gstrauss 30 days ago

Perhaps, and hopefully, my issue was because Cloudflare randomly tries TLSv1.2 or TLSv1.3, and lighttpd accepts only TLSv1.3 if MinProtocol is not specified.

Clearly, you have not bothered to read the lighttpd TLS docs which specifies that the default in recent lighttpd versions is "MinProtocol" => "TLSv1.2"

Do try to keep your groundless speculations to yourself. Prefer to spend a minute reading the documentation.

RE: [Solved] mod_openssl.c ssl3_get_record:wrong version number; tls_early_post_process_client_hello:version too low - Added by lcn 30 days ago

Ooops!

The errors persist:

2022-06-01 11:22:15: mod_openssl.c.3095) SSL: 1 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2022-06-01 12:07:53: server.c.1976) server stopped by UID = 0 PID = 1
2022-06-01 12:07:54: server.c.1513) server started (lighttpd/1.4.59)
2022-06-01 13:39:06: mod_openssl.c.3095) SSL: 1 error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
2022-06-01 13:39:47: mod_openssl.c.3095) SSL: 1 error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2022-06-01 13:42:20: mod_openssl.c.3095) SSL: 1 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2022-06-01 13:42:21: mod_openssl.c.3095) SSL: 1 error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher
2022-06-01 13:42:22: mod_openssl.c.3095) SSL: 1 error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share
2022-06-01 14:29:44: mod_openssl.c.3095) SSL: 1 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2022-06-01 14:44:27: mod_openssl.c.3095) SSL: 1 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
2022-06-01 14:50:22: mod_openssl.c.3095) SSL: 1 error:1408F09C:SSL routines:ssl3_get_record:http request

RE: mod_openssl.c.3095 - Added by lcn 30 days ago

gstrauss wrote in RE: mod_openssl.c.3095:

Clearly, you have not bothered to read the lighttpd TLS docs which specifies that the default in recent lighttpd versions is "MinProtocol" => "TLSv1.2"

Do try to keep your groundless speculations to yourself. Prefer to spend a minute reading the documentation.

In fact I did read the doc before posting. My problem was that I stopped at Chained certificates and didn't go far enough.

RE: [Solved] mod_openssl.c ssl3_get_record:wrong version number; tls_early_post_process_client_hello:version too low - Added by lcn 30 days ago

lcn wrote in RE: [Solved] mod_openssl.c ssl3_get_record:wrong version ...:

Ooops!

The errors persist:

[...]

I am so sorry that I didn't know that Clouflare's Minimum TLS Version is default to TLS 1.0!

I have tuned it to TLS 1.3 just now.

RE: [Solved] mod_openssl.c ssl3_get_record:wrong version number; tls_early_post_process_client_hello:version too low - Added by lcn 29 days ago

lcn wrote in RE: [Solved] mod_openssl.c ssl3_get_record:wrong version ...:

I am so sorry that I didn't know that Clouflare's Minimum TLS Version is default to TLS 1.0!

I have tuned it to TLS 1.3 just now.

Hmm...

It seems unlikely my incorrect settings in Cloudflare.

error.log continues to add this entry:

mod_openssl.c.3095) SSL: 1 error:1408F10B:SSL routines:ssl3_get_record:wrong version number

I then upgraded openssl to version 1.1.1n. After the upgrade, below entry still occurred to error.log

2022-06-01 20:55:41: mod_openssl.c.3095) SSL: 1 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

However, the file pointed to by accesslog.filename doesn't have access record at around 2022-06-01 20:55:41.

I guess the last error is the result of port scan or failed intrusion and assume the last error is harmless.

RE: [Solved] mod_openssl.c ssl3_get_record:wrong version number; tls_early_post_process_client_hello:version too low - Added by gstrauss 29 days ago

I guess the last error is the result of port scan or failed intrusion and assume the last error is harmless.

Yes, if you have configured Cloudflare to use TLSv1.3 and lighttpd to use "MinProtocol" => "TLSv1.3", then other clients/scanners using TLSv1.2 will result in that error trace. That error trace occurs during TLS negotation with the client, before the HTTP request, and so there will not be any access log record since the connection was closed before an HTTP request was received.

    (1-8/8)