We have seen much more SSL error than before when we move to a new server. The total SSL error rate is not high. Many of them are:
error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0
We finally found these requests are actually successful requests. Why these error was generated is that openssl found these were fatal error. Add more debug info show that:
ssl_callback_info:SSL_CB_READ_ALERT fatal error close notify
But from rfc2246:
7.2.1. Closure alerts
The client and the server must share knowledge that the connection is
ending in order to avoid a truncation attack. Either party may
initiate the exchange of closing messages.
close_notify
This message notifies the recipient that the sender will not send
any more messages on this connection. The session becomes
unresumable if any connection is terminated without proper
close_notify messages with level equal to warning.
We are wondering if there some special clients send "alert 0" as fatal . Or this related some known issue of openssl. We are using openssl-1.0.1e now. Before migration we used openssl-1.0.0-25.
Any suggestions would be appreciated.
Update:
I investigated the access log and found almost all the "fatal alert 0" was sent by Safari on Apple devices(Mac, iPhone, iPad).
Through the code of libsecurity_ssl which the library of SSL engine. I found that this library would send "fatal alert 0" in sometimes that was totally different with other SSL libraries, for example openssl, NSS.
SSLFatalSessionAlert(SSL_AlertCloseNotify, ctx);
http://www.opensource.apple.com/source/libsecurity_ssl/libsecurity_ssl-32463/lib/sslRecord.c
This mostly occurred when Safari meet unexpected abort of the connection. As my server would not sent a "warning alert 0" to close the connection.
Related
I'm getting this error intermittently on our site upstream connect error or disconnect/reset before headers. reset reason connection termination", once at the start of the day, and it goes away after refresh (not always reproducible as well).
Before this error, we get this Error (intermittently) this server could not prove that it is test.somedomain.xyz; its security certificate is from *.somedomain.xyz. this may be caused by a misconfiguration or an attacker intercepting your connection and when we choose to proceed unsafely, we ends up getting above upstream error (intermittently).
I read that we get this error security certificate error when invalid domain is added in the ssl certificate, but in our case it couldn't be the case because it starts working upon refresh.
Need to understand the possible reasons that can cause this issue. Thanks.
I've been developing an embedded system with wolfSSL inside. I have a test program to verify the wolfSSL. I used 'openurl https://www.microchip.com/' to test wolfSSL against the xxx company page.
I tried several other web pages other than www.microchip.com, but the result is the same.
Then I found the server rejected 'Client Hello' with 'handshake failure' (with error code = 40). My question is how I can know the cause of why the server rejected the connection negotiation. How can I know what I could miss before the rejection?
My test program is from Microchip's git hub: "https://github.com/Microchip-MPLAB-Harmony/net_apps_pic32mz/blob/master/docs/GUID-EAFAC274-BD06-4CB8-8797-15A853587DD8.md" and it's supposed to be trustable.
What we are trying to do is send an email from a pod (running Linux based on the image "microsoft/dotnet") on a client's Openshift environment using MailKit:
https://github.com/jstedfast/MailKit
We get an exception thrown when trying to set up the SSL Handshake:
MailKit.Security.SslHandshakeException: An error occurred while
attempting to establish an SSL or TLS connection.
System.Security.Cryptography.CryptographicException: Error occurred
during a cryptographic operation
We have tried using the.NET SMTP client as well and it worked (using a secure connection)! Unfortunately this component is now obsolete and Microsoft recommends to use MailKit.
Going through the .NET source code the exception raised is a generic catch all exception which looks like it comes from unexpected code returned from the OpenSSL library. Unfortunately I can't see how to get the error code (it is logged using "Debug.Fail", but I am unable to setup a trace to see it) so I am not sure what it is.
I have written a test just to build the X509Chain. When we have the Revocation Mode set to Online (the default) we get the exception. When the revocation is disabled it seems to build the chain OK.
When I run the test on our Test Openshift environment that is totally independent to the client's we get the following error, but do not see the exception: "unable to get certificate CRL"
The only thing I have noticed about the Revocation List is that there is a LDAP and HTTP URLs. Perhaps there is an issue processing the LDAP URL?
Any help on this would be appreciated!
This is something you should report to github.com/microsoft/dotnet
While making a network request with low connectivity very rarely I see that I get
<-- HTTP FAILED: java.net.UnknownHostException: Unable to resolve host ....
while my server seems to have got the request correctly. I found 1 instance of it with device logs which shows actually an SSLException happened
D/NativeCrypto: jniThrowException: javax/net/ssl/SSLException: Read error: ssl=0x7dc365f080: I/O error during system call, Software caused connection abort
D/NativeCrypto: jniThrowException: javax/net/ssl/SSLException: SSL shutdown failed: ssl=0x7dc365f080: I/O error during system call, Broken pipe
My question is why does okhttp and retrofit throw UnknownHostException and not SSLException, and is there a way to actually get the SSLException as currently my app thinks the request did not go while server processes that request.
I am using
okhttp:3.10.0
retrofit:2.2.0
adapter-rxjava2:2.2.0
In our software, we are keep getting this warning/error message intermittently. Not sure how/why this message appears.
HTTP asio handshake failed: error:140000DB:SSL routines:SSL
routines:short read
I searched in the Internet, but the mostly the result pointing me to a VMware problem. Which not the case for me.
Until I found out that actually this error is thrown by OpenSSL that is used by Boost-Asio. I have downloaded the source code of OpenSSL/Asio/Boost but couldn't find this error code in the source. My question, Is there anyone knows what this error means? What could be the trigger of this error message? I just want to understand a bit to find out the reproduction. So we can fix our software if there is any hole in the software.
Many Thanks in advance!
Reference:
http://ib-krajewski.blogspot.my/2016/03/https-support-for-casablanca-client.html
how to clean boost::asio::ssl::stream after closed by server
A commit in OpenSSL removed the error SSL_R_SHORT_READ.
The commit before before OpenSSL removed the error SSL_R_SHORT_READ still has it defined as 219 == 0xDB. This error of 0xDB is what comes out of OpenSSL as 0x140000DB.
In general a short read happens on TCP when the connection ended before the other side could send enough data to decode the current message. This may happen for example because the other side crashed or a network problem.
Found the root cause for my problem. There is mismatch of cipher the host and the client that trying to connect to. Then this error is thrown from the client.