[RE-OPENED] Error: elliptic curve routines


#1

I’ve got Let’s Encrypt set up on a Nginx server.
I’ve noticed a LOT of error log entries with the following information:

2018/04/05 09:54:36 [crit] 3166#3166: *16879 SSL_do_handshake() failed (SSL: error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding error:1408B010:SSL routines:ssl3_get_client_key_exchange:EC lib) while SSL handshaking, client: 210.55.186.173, server: 0.0.0.0:443

Obviously the client IP address varies, but the rest remains the same.

I saw mention of this here, but as this has nothing to do with an SSL lab bot testing my SSL for issues, I suspect this might be another cause.

Can anyone suggest what might be the cause of this?

Here’s my SSL related settings in Nginx, in case they are relevant:

SSL specific settings

These are included into the site’s conf file

# Don't use the outdated SSLv3 protocol; protects against POODLE.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# Use secure ciphers
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

# Define the size of the SSL session cache in MBs.
ssl_session_cache shared:SSL:10m;

# Define how long to cache SSL sessions.
ssl_session_timeout 1h;

# Use HTTPS exclusively for 1 year, uncomment one. Second line applies to subdomains.
add_header Strict-Transport-Security "max-age=31536000;";
# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

SSL listen entry

from the site’s conf file. Also the certificate links (which work, as SSL works on the site without any obvious front-end issues)

server {
        # Ports to listen on, uncomment one.
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
...
        # Paths to certificate files.
        ssl_certificate /etc/letsencrypt/live/SANITISED.com.au-0001/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/SANITISED.com.au-0001/privkey.pem;
...
server {
	# Ports to listen on, uncomment one.
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	# Server name to listen for
	server_name www.SANITISED.com.au;

	# Path to document root
	root /home/DOMAIN/sites/SANITISED.com.au/public;

	# Paths to certificate files.
	ssl_certificate /etc/SANITISED/live/SANITISED.com.au-0001/fullchain.pem;
	ssl_certificate_key /etc/SANITISED/live/SANITISED.com.au-0001/privkey.pem;

	# File to be used as index
	index index.php;

	# Overrides logs defined in nginx.conf, allows per site logs.
	access_log /home/SANITISED/sites/SANITISED.com.au/logs/access.log;
	error_log /home/SANITISED/sites/SANITISED.com.au/logs/error.log;

	# Default server block rules
	include global/server/defaults.conf;

	# Fastcgi cache rules
	include global/server/fastcgi-cache.conf;

	# SSL rules
	include global/server/ssl.conf;

	location / {
		try_files $uri $uri/ /index.php?$args;
	}

	location ~ \.php$ {
		try_files $uri =404;
		include global/fastcgi-params.conf;

		# Use the php pool defined in the upstream variable.
		# See global/php-pool.conf for definition.
		fastcgi_pass   $upstream;

		# Skip cache based on rules in global/server/fastcgi-cache.conf.
		fastcgi_cache_bypass $skip_cache;
		fastcgi_no_cache $skip_cache;

		# Define memory zone for caching. Should match key_zone in fastcgi_cache_path above.
		fastcgi_cache SANITISED.com.au;

		# Define caching time.
		fastcgi_cache_valid 60m;
	}

	# Rewrite robots.txt
	rewrite ^/robots.txt$ /index.php last;
}

# Redirect http to https
server {
	listen 80;
	listen [::]:80;
	server_name SANITISED.com.au www.SANITISED.com.au;

	return 301 https://www.SANITISED.com.au$request_uri;
}

# Redirect non-www to www
server {
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name SANITISED.com.au;

	return 301 https://www.SANITISED.com.au$request_uri;
}

#2

Okay. That was quick. Always seems to be the way, after I take the time to spell out an issue I’ve spent ages trying to resolve… suddenly I figure out the problem.

Will post this here in case it is of use to other folk facing the same issue.

In the site’s nginx conf file was a listen entry to redirect the non-www to the www version of the URL. It was missing the ssl directive.

# Redirect non-www to www
server {
        listen 443;
        listen [::]:443;
        server_name ssl-fastcgi-cache.com;

        return 301 https://www.DOMAIN.com.au$request_uri;
}

Changed to:

# Redirect non-www to www
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name ssl-fastcgi-cache.com;

        return 301 https://www.DOMAIN.com.au$request_uri;
}

I realise the http2 is not really necessary.
So far the issue has not recurred.

What got me on the right track was this…

The discussion from SSL_do_handshake() failed:


#3

I thought I’d solved this, but I continue to get a lot of instances of the reported error in the error log. Which, to reiterate, is:

2018/04/11 08:50:16 [crit] 18125#18125: *212 SSL_do_handshake() failed (SSL: error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding error:1408B010:SSL routines:ssl3_get_client_key_exchange:EC lib) while SSL handshaking, client: 210.55.186.171, server: 0.0.0.0:443
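
Whatever the eventual cause, the [crit] lines quoted in this thread have enough structure to triage: the OpenSSL error stack reads library:function:reason, and here ec_GFp_simple_oct2point / invalid encoding means the client's ClientKeyExchange carried an EC point OpenSSL could not decode, so counting failures per client and per reason tells you whether one source is responsible. The following parser is an added example, not code from the thread's posters; the sample log is constructed (documentation IP ranges, not the addresses in the thread) and the function and threshold names are my own.

```python
import re
from collections import Counter

# Constructed sample in the exact shape of the nginx error.log lines quoted above.
SAMPLE_LOG = """\
2018/04/05 09:54:36 [crit] 3166#3166: *16879 SSL_do_handshake() failed (SSL: error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding error:1408B010:SSL routines:ssl3_get_client_key_exchange:EC lib) while SSL handshaking, client: 203.0.113.10, server: 0.0.0.0:443
2018/04/05 09:54:37 [crit] 3166#3166: *16880 SSL_do_handshake() failed (SSL: error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding error:1408B010:SSL routines:ssl3_get_client_key_exchange:EC lib) while SSL handshaking, client: 203.0.113.10, server: 0.0.0.0:443
2018/04/05 09:55:01 [info] 3166#3166: *16881 client closed connection while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2018/04/05 09:56:12 [crit] 3166#3166: *16890 SSL_do_handshake() failed (SSL: error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding error:1408B010:SSL routines:ssl3_get_client_key_exchange:EC lib) while SSL handshaking, client: 203.0.113.11, server: 0.0.0.0:443
"""

# Whole-line pattern: timestamp, level, the OpenSSL error stack, client and server.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r".*?SSL_do_handshake\(\) failed \(SSL: (?P<errs>.*?)\) while SSL handshaking, "
    r"client: (?P<client>[^,]+), server: (?P<server>\S+)$"
)
# One OpenSSL error-stack entry: error:<8 hex digits>:<library>:<function>:<reason>.
# Entries are space-separated, so the reason runs lazily up to the next " error:" or the end.
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+?)(?= error:|$)"
)


def parse_handshake_failures(log_text):
    """Return one dict per SSL_do_handshake() failure; other log levels/lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        errors = [e.groupdict() for e in ERR_RE.finditer(m.group("errs"))]
        events.append({"ts": m.group("ts"), "client": m.group("client"),
                       "server": m.group("server"), "errors": errors})
    return events


def summarise(events):
    """Counts of failures per client IP and per OpenSSL function:reason pair."""
    by_client = Counter(e["client"] for e in events)
    by_reason = Counter(f"{err['func']}:{err['reason']}" for e in events for err in e["errors"])
    return by_client, by_reason


def noisy_clients(events, threshold=2):
    """Clients at or above the (hypothetical) alert threshold, busiest first."""
    by_client, _ = summarise(events)
    return [(ip, n) for ip, n in by_client.most_common() if n >= threshold]


if __name__ == "__main__":
    evts = parse_handshake_failures(SAMPLE_LOG)
    print(summarise(evts))
    print(noisy_clients(evts))
```

Run it against the real error.log (`parse_handshake_failures(open(path).read())`) and compare the per-client counts before and after a config change; if the same few clients account for all failures, the listener configuration is unlikely to be what is generating them.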


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.