Occasional error reports from my running application server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hqyc1973.com

It produced this output:

[26/Apr/2021:10:07:36] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
File "/home/ubuntu/.local/lib/python3.6/site-packages/cheroot/server.py", line 1776, in serve
self.tick()
File "/home/ubuntu/.local/lib/python3.6/site-packages/cheroot/server.py", line 1999, in tick
conn = self.connections.get_conn(self.socket)
File "/home/ubuntu/.local/lib/python3.6/site-packages/cheroot/connections.py", line 180, in get_conn
return self._from_server_socket(server_socket)
File "/home/ubuntu/.local/lib/python3.6/site-packages/cheroot/connections.py", line 199, in _from_server_socket
s, ssl_env = self.server.ssl_adapter.wrap(s)
File "/home/ubuntu/.local/lib/python3.6/site-packages/cheroot/ssl/builtin.py", line 244, in wrap
sock, do_handshake_on_connect=True, server_side=True,
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in init
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: BAD_DH_G_LENGTH] bad key share (_ssl.c:852)

2021-04-26 10:07:36 AM HTTPServer Thread-3 140035224721152 [26/Apr/2021:10:07:36] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
File "/home/ubuntu/.local/lib/python3.6/site-packages/cheroot/server.py", line 1776, in serve
self.tick()
File "/home/ubuntu/.local/lib/python3.6/site-packages/cheroot/server.py", line 1999, in tick
conn = self.connections.get_conn(self.socket)
File "/home/ubuntu/.local/lib/python3.6/site-packages/cheroot/connections.py", line 180, in get_conn
return self._from_server_socket(server_socket)
File "/home/ubuntu/.local/lib/python3.6/site-packages/cheroot/connections.py", line 199, in _from_server_socket
s, ssl_env = self.server.ssl_adapter.wrap(s)
File "/home/ubuntu/.local/lib/python3.6/site-packages/cheroot/ssl/builtin.py", line 244, in wrap
sock, do_handshake_on_connect=True, server_side=True,
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in init
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: BAD_DH_G_LENGTH] bad key share (_ssl.c:852)

My web server is (include version): Cherrypy

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

My hosting provider, if applicable, is: AWS route 53

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.14.0


Could you please give us more context?

Yesterday, your site was working perfectly on HTTPS. What changed?


Sure.

I just left my website server running for the night, didn't change any settings. This morning when I read through the logs I found so many errors. Could it be due to my settings?

Here are my server settings in CherryPy:

    import os

    # ROOT_ABSOLUTE_PATH is defined elsewhere in the application and points
    # at the directory holding the Let's Encrypt certificate files.
    config = {
        "global": {
            'server.socket_host': '0.0.0.0',
            'server.socket_port': 443,
            'server.ssl_module': 'builtin',
            'server.ssl_certificate': os.path.join(ROOT_ABSOLUTE_PATH, "cert.pem"),
            'server.ssl_private_key': os.path.join(ROOT_ABSOLUTE_PATH, "privkey.pem"),
            'server.ssl_certificate_chain': os.path.join(ROOT_ABSOLUTE_PATH, "chain.pem"),
        },
    }


Seems to be an issue with DH key exchange. If I only advertise DHE cipher suites using openssl, I can't connect:

openssl s_client -connect hqyc1973.com:443 -tls1_2 -cipher DH
CONNECTED(00000003)
140576096184128:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
(...)

But your webserver still works using ECDHE and conventional RSA. Note that conventional RSA key exchange is not recommended due to lack of forward secrecy.


This is some food for thought, I'll do more research on this RSA stuff. Is it safe just for now to continue running my server and ignore this error report?


I believe it is. The DH (Diffie-Hellman) key exchange protocol is rather CPU-heavy and there's a fine fast and safe alternative ECDH(E) ([Ephemeral] Elliptic Key Diffie-Hellman) which is working nicely on your server, so if you'd ask me: not really a big problem.

Some ancient clients don't have ECDHE capabilities, but the plain old RSA key exchange (which isn't very good) can fill that gap. DHE (Ephemeral Diffie-Hellman), which does have forward secrecy, is an alternative for older clients, but I'm guessing not many clients fall into that category.

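The two ways out of a BAD_DH_G_LENGTH handshake failure discussed above are to stop advertising DHE suites (leaving ECDHE for forward secrecy) or to give the server proper DH parameters so DHE works for the older clients that need it. The following is an added example, not code from this thread or from the CherryPy/cheroot project: it builds a server-side ssl.SSLContext either way, and it reports which key-exchange families the context actually offers, which is the same question the openssl s_client -cipher DH probe asked. The cipher string in ECDHE_ONLY and the function names are my assumptions; how the context is handed to the cheroot builtin adapter depends on the installed version and is not shown.

```python
import ssl
import socket

# Assumed policy: only ECDHE suites, AEAD ciphers. A client then has no DHE
# suite to pick, so it never sends the DH key share the server was rejecting.
ECDHE_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20"


def build_server_context(certfile=None, keyfile=None, dh_params_file=None,
                         cipher_string=ECDHE_ONLY):
    """Return a server SSLContext with ECDHE-only key exchange.

    certfile/keyfile are optional so the context can be inspected without a
    certificate on disk; in a deployment pass fullchain.pem and privkey.pem.
    If dh_params_file (PEM DH parameters, e.g. from 'openssl dhparam') is
    given, DHE suites are re-enabled with those parameters for old clients.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse TLS 1.0/1.1. minimum_version exists from Python 3.7; the OP_NO_*
    # options are the fallback for the 3.6 interpreter in the traceback above.
    if hasattr(ssl, "TLSVersion"):
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    ctx.options |= ssl.OP_NO_COMPRESSION
    if dh_params_file:
        ctx.load_dh_params(dh_params_file)
        cipher_string += ":DHE+AESGCM"
    ctx.set_ciphers(cipher_string)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def advertised_key_exchange(ctx):
    """Map each key-exchange family the context offers to its cipher names.

    Parses the OpenSSL cipher description ("... Kx=ECDH Au=RSA ..."). TLS 1.3
    suites report Kx=any because their key exchange is negotiated separately.
    """
    families = {}
    for cipher in ctx.get_ciphers():
        kx = "unknown"
        for field in cipher["description"].split():
            if field.startswith("Kx="):
                kx = field[3:]
                break
        families.setdefault(kx, []).append(cipher["name"])
    return families


def probe_key_exchange(host, cipher_string, port=443, timeout=5.0):
    """Connect to your own server offering only cipher_string, like
    'openssl s_client -cipher DH'. Returns the negotiated cipher name, or the
    handshake error text if the server has nothing to offer in that family."""
    client = ssl.create_default_context()
    client.set_ciphers(cipher_string)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with client.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError as exc:
        return "handshake failed: %s" % exc


if __name__ == "__main__":
    import sys
    for family, names in sorted(advertised_key_exchange(build_server_context()).items()):
        print("Kx=%s: %s" % (family, ", ".join(names)))
    if len(sys.argv) > 1:  # e.g. python3 tlscheck.py your.domain.example
        for label in ("DH", "ECDH", "RSA"):
            print("%-5s -> %s" % (label, probe_key_exchange(sys.argv[1], label)))
```

Running the script without arguments lists what the hardened context offers (Kx=ECDH and, on OpenSSL 1.1.1 or newer, Kx=any for the TLS 1.3 suites, but no Kx=DH or Kx=RSA); with a hostname it repeats the DH/ECDH/RSA probes against that server. The probe uses the default client context, so a misconfigured chain shows up as a verification error rather than a cipher mismatch, which is also useful when checking the chain.pem versus fullchain.pem change mentioned later in the thread.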

Thanks. By the way, I tried replacing "chain.pem" with "fullchain.pem" in my settings and the server just works fine! Is it safe to just use "fullchain.pem" here?


Not sure, depends on how CherryPy handles the certs. If you also specified chain.pem already, it's not very useful to change cert.pem to fullchain.pem.

If CherryPy handles the certs in a dumb/unusual way, it might unnecessarily increase the TLS handshake by adding the intermediate certificate twice.

