Repeated SSL_do_handshake() errors


#1

I am getting the following repeated Handshake error in my NGINX logs

2018/12/12 11:40:01 [crit] 1097#1097: *8328 SSL_do_handshake() failed (SSL: error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding error:1419C010:SSL routines:tls_process_cke_ecdhe:EC lib) while SSL handshaking, client: 37.255.12.19, server: 0.0.0.0:443

It does not show for every connection made over https just occasional connections.

My NGINX config is:

server {

    listen 80;                                                                                                                                                       
    root /var/www/html;                                                                                                                           
    index index.php index.html index.htm index.nginx-debian.html;                                                                                                    
    server_name propertyindustryeye.com www.propertyindustryeye.com;                                                                                                 
                                                                                                                                                                     
    access_log /var/log/nginx/access.log;                                                                                                                        
    error_log /var/log/nginx/error.log;                                                                                                                          
                                                                                                                                                                     
    location = /favicon.ico { log_not_found off; access_log off; }                                                                                                   
    location = /robots.txt { log_not_found off; access_log off; allow all; }                                                                                         
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {                                                                                                                   
            expires max;                                                                                                                                             
            log_not_found off;                                                                                                                                       
    }                                                                                                                                                                
                                                                                                                                                                     
    location / {                                                                                                                                                     
           # try_files $uri $uri/ =404;                                                                                                                              
            try_files $uri $uri/ /index.php$is_args$args;                                                                                                            
    }                                                                                                                                                                
                                                                                                                                                                     
    location ~ \.php$ {                                                                                                                                              
            include snippets/fastcgi-php.conf;                                                                                                                       
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;                                                                                                          
            fastcgi_read_timeout 240;                                                                                                                            
    }                                                                                                                                                                
                                                                                                                                                                     
    location ~ /\.ht {                                                                                                                                               
            deny all;                                                                                                                                                
    }                                                                                                                                                                
                                                                                                                                                                     
    client_max_body_size 100m;                                                                                                                                       
    client_body_buffer_size 128k;                                                                                                                                    
                                                                                                                                                                     
    listen 443 ssl; # managed by Certbot                                                                                                                             
    ssl_certificate /etc/letsencrypt/live/propertyindustryeye.com/fullchain.pem; # managed by Certbot                                                                
    ssl_certificate_key /etc/letsencrypt/live/propertyindustryeye.com/privkey.pem; # managed by Certbot                                                              
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot                                                                                            
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot                                                                                              

}

I can’t seem to find any info on what this part of the error means tls_process_cke_ecdhe. But my SSL protocols are:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;


#2

Hi,

That seems to be an client incompatibility with your tls configuration. (Although I’m not exactly sure what that error message means, I guess it’s come by your DH parameters?)

Your configuration seems to be OK and covered almost all devices, so unless you have a huge group of users reporting not able to access your server, you could ignore this error.

Thank you


#3

Although the config looks good, I would add:
ssl_ecdh_curve sect571r1:secp521r1:sect409r1:secp384r1:sect283r1:prime256v1;
[to insure strongest to weakest is used]

As @stevenzhu, I also think it may be a client incompatibility with DHE.
Your site is currently using 2048 bit DH; did this change recently?
Understand that DH primes are never negotiated between server and client.
[which is why many people do not include DHE ciphers]

Otherwise, it may be some sort of “attack” attempt.
You should review the access logs from that IP to confirm their intentions.
Also, you may need to increase the parameters included in the logs to “see” more of what is going on.


#4

Thanks for the feedback.

The site was migrated to a fresh server set up yesterday with a newly registered certificate so the DHE settings will be the default that were in place.

Im not sure its an attack as i get these errors from different ip addresses every 10 minutes or so, some are repeated IP addresses but largely they are different.


#5

Do you have access to the configuration used in the previous server?
Did you NOT see similar entries in the error log of the previous server?


#6

Yes, i still have access to the old server, and no these errors were not present in the logs. That being said though we were not using letsencrypt on that server.

The configuration was slightly different looking at it:

Old Server
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEE$
ssl_ecdh_curve secp384r1;
ssl_stapling on;

New Server
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA$


#7

This stands out (to me):

I refer back to my first post:


#8

Ive just tried adding that to my config and am waiting to see if anymore come in. Ill give it some time and let you know how it goes

Thanks!


#9

But, with the added previous info, would now exclude anything lower than 384:
ssl_ecdh_curve sect571r1:secp521r1:sect409r1:secp384r1;

[Additionally]
Although the ciphers shown above appear to be truncated/cutoff, they essentially produce the same allowed list.
So there is no difference there.
Same protocols…
Same ciphers…
Same cipher order…
That only leaves the ecdh curve difference.
Or it is just some lame bot attacking and this is all for naught - LOL


#10

Hi @into

did you checked your Ssl configuration with a tool like https://www.ssllabs.com/ ?

Has the new server a new ip address?

Then I would check the location of some of the ip addresses with this error (sample tool http://www.utrace.de/ ).

There are a lot of curious bots.


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.