SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking

I’ve just installed the Indico registration system from CERN for testing.
I’m running on an AWS EC2 Ubuntu v16.04.2 with NGINX and uWSGI on a t2.micro instance.

I’m getting the following handshake error after installing a cert from LetsEncrypt, only when doing https://

2017/10/11 07:41:52 [crit] 1192#1192: *225 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.101, server: 0.0.0.0:443

I’ve reviewed similar issues posted on this site and nothing fixes it.

Here’s my /etc/nginx/sites-available/indico.conf:

server {
    listen 80;
    listen [::]:80;
    server_name npymreg.com www.npymreg.com;
}

server {
    listen *:443 ssl http2;
    listen [::]:443 ssl http2 default ipv6only=on;
    server_name npymreg.com www.npymreg.com;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/npymreg.com/fullchain.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;

    # other lists I’ve tried …

    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE
    #ssl_ciphers EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-HA256:AES256+EECD
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparams.pem;

    access_log /opt/indico/log/nginx/access.log combined;
    error_log /opt/indico/log/nginx/error.log;

    # – followed by some “location” stuff related to indico

}

Any ideas about how to solve the problem would be greatly appreciated.
John


How often are you getting that error? It's the Qualys SSL Labs test checking if your web server is vulnerable to an OpenSSL security vulnerability that was fixed in 2014. It's not vulnerable, and it logs an error message.

The error is a good thing. You can ignore it.

(Specifically, CVE-2014-0224, the ChangeCipherSpec injection vulnerability. That's what "ccs" in the error message stands for.)

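Added example (not part of the original posts, and not nginx or Indico code): a small Python triage of an nginx error log that sets aside the early-CCS handshake rejections described in the reply above and counts them per client, so any other entries stay visible. The first sample line is the one quoted in the thread; the other three are constructed, and the name `triage` is an assumption of this example.

```python
import re
from collections import Counter

# nginx error_log layout: "YYYY/MM/DD HH:MM:SS [level] pid#tid: [*conn ]message"
LINE_RE = re.compile(r"^(\S+ \S+) \[(\w+)\] \d+#\d+: (?:\*\d+ )?(.*)$")
CLIENT_RE = re.compile(r"client: ([^,\s]+)")
CCS_MARKER = "ccs received early"  # OpenSSL reason text for a premature ChangeCipherSpec

# First line is the one quoted in the thread; the other three are constructed.
SAMPLE_LOG = """\
2017/10/11 07:41:52 [crit] 1192#1192: *225 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.101, server: 0.0.0.0:443
2017/10/11 07:41:53 [crit] 1192#1192: *226 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.101, server: 0.0.0.0:443
2017/10/11 07:42:10 [error] 1192#1192: *228 constructed placeholder for an unrelated upstream error, client: 192.0.2.10, server: npymreg.com
2017/10/11 07:42:30 [crit] 1192#1192: *230 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 192.0.2.77, server: 0.0.0.0:443
"""


def triage(lines):
    """Return (early-CCS rejections counted per client, all other entries)."""
    ccs_by_client = Counter()
    other = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or a format this sketch does not handle
        ts, level, msg = m.groups()
        if "SSL_do_handshake() failed" in msg and CCS_MARKER in msg:
            client = CLIENT_RE.search(msg)
            ccs_by_client[client.group(1) if client else "unknown"] += 1
        else:
            other.append((ts, level, msg))  # these are the lines to read closely
    return ccs_by_client, other


if __name__ == "__main__":
    ccs, other = triage(SAMPLE_LOG.splitlines())
    for client, count in ccs.most_common():
        print(f"early-CCS rejected: {count:3d} from {client}")
    for ts, level, msg in other:
        print(f"REVIEW {ts} [{level}] {msg}")
```

The match is on the logged message text only; it does not establish who the client is, so compare the counted addresses and timestamps with a scan you actually started before treating them as test traffic.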

The error occurs every time I attempt to access the site using https.
btw - when I used the SSL Labs tests on both the port 80 and port 443 settings they both passed with flying (green) colors.

What I see in my browser, when attempting to access using https://npymreg.com is
Internal Server Error.

The only thing showing up in any error logs is the handshake error. And the error only occurs when attempting access using https://

I believe I owe an apology. Although true that the error only occurs using https … and although true that the last errors logged were the ones shown - I just determined that those were red herrings…

You were correct about the error cause (testing) – when I looked at full error.log (instead of tail) it was obviously just the testing. The real problem is being logged elsewhere – and has to do with my indico install — determined by adding the “location” redirects required for uWSGI to the port 80 server block… which led to the error using http://

Sorry for the annoyance – but much appreciate your service!

John
