
Hello, 2-3 weeks ago I started getting errors from my website based on Laravel:
I can't find any reason for or solution to this error.
Ubuntu 22.04 LTS

php -v :
PHP 8.1.2 (cli) (built: Jun 13 2022 13:52:54) (NTS)

openssl version -a :
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

nginx -v :
nginx version: nginx/1.18.0 (Ubuntu)

SSL certificate from Let's encrypt via certbot

Has the OpenSSL version been updated? OpenSSL 3 (a major release) changed some behaviour compared to 1.1.1 with respect to peers that fail to shut down a TLS connection cleanly.

Previously, if a peer unexpectedly shut down a connection, an OpenSSL IO function (such as SSL_read()) would report an error, SSL_get_error() would report SSL_ERROR_SYSCALL and errno would be 0. This was considered a bug in 1.1.1 (you should never get SSL_ERROR_SYSCALL with errno 0). However, fixing it in 1.1.1 broke some apps, so we delayed the fix until the next major version (OpenSSL 3.0).

In OpenSSL 3.0 this error is now reported from SSL_get_error() as SSL_ERROR_SSL, and the 'unexpected eof while reading' error is put on the OpenSSL error stack. We also added a new option, SSL_OP_IGNORE_UNEXPECTED_EOF, which treats an unexpected EOF from the peer as if they had performed an orderly shutdown. See:

https://www.openssl.org/docs/man3.0/man3/SSL_set_options.html

Updating nginx resolved the problem for me.
Ubuntu's default nginx version 1.18 is old. The newest version is 1.22.

https://askubuntu.com/questions/1389719/install-nginx-1-20-2-on-ubuntu-20-04
http://nginx.org/en/CHANGES-1.22

Hope this may help you.

My public facing site is bombarded by these messages in the nginx error.log.

A quick 'dig -x' shows hostnames that are not consistent with our target audience.
Also, one host causes the messages for way longer than is typical for our site usage.

Is it possible these messages are caused by some probes looking to break into SSL sessions?

(ps: ubuntu 22.04 updated almost weekly)

I can't update to the new nginx version 1.22 because Passenger does not support it. How can I solve it manually?

I have the same issue with Passenger holding me back and getting this massive stream of errors; a lot are from the same IPs again and again, so I think it's bots hunting around. My site seems fine to access from all devices I can test it on and on https://globalsign.ssllabs.com/

I got these errors with Apache2:

[Sun Sep 04 13:44:07.303103 2022] [ssl:info] [pid 86541] (70014)End of file found: [client 213.216.205.177:60718] AH02008: SSL library error 1 in handshake (server thesite.fi:443)
[Sun Sep 04 13:44:07.303116 2022] [ssl:info] [pid 86541] SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading

openssl version -a

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
built on: Mon Jul 4 11:20:23 2022 UTC
platform: debian-amd64
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-Q8dQt3/openssl-3.0.2=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x7ffaf3bfffebffff:0x29c67af

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy

apache2 -V

Server version: Apache/2.4.52 (Ubuntu)
Server built: 2022-06-14T12:30:21
Server's Module Magic Number: 20120211:121
Server loaded: APR 1.7.0, APR-UTIL 1.6.1
Compiled using: APR 1.7.0, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM:
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_PROC_PTHREAD_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"

I have Let's Encrypt certs, and they are OK. I just renewed them by force.
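As an added example (not code from this thread or from OpenSSL), here is a small Python triage script for the mod_ssl lines above, aimed at the earlier question of whether the noise comes from a handful of repeat sources: it pairs each AH02008 line with the OpenSSL error line that follows it for the same worker pid and counts failed handshakes per client. The sample log lines, the server name and the client addresses are constructed.

```python
import re
from collections import Counter

# mod_ssl logs a failed handshake as two lines from the same worker pid:
# AH02008 (carries the client address), then the OpenSSL error text.
CLIENT_RE = re.compile(r"\[pid (?P<pid>\d+)\] .*?\[client (?P<ip>.+?):\d+\] AH02008")
LIBERR_RE = re.compile(r"\[pid (?P<pid>\d+)\] SSL Library Error: error:0A000126:")

def handshake_eof_by_client(lines):
    """Per client IP, count handshakes that ended in OpenSSL 3's
    'unexpected eof while reading' (0A000126), pairing the lines by pid."""
    pending = {}  # pid -> client IP whose handshake is in progress
    counts = Counter()
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            pending[m["pid"]] = m["ip"]
            continue
        m = LIBERR_RE.search(line)
        if m and m["pid"] in pending:
            counts[pending.pop(m["pid"])] += 1
    return counts

def triage(lines, threshold=3):
    """Split clients into repeat offenders (candidates for a rate limit or
    firewall rule) and one-off drops, the benign case described above."""
    counts = handshake_eof_by_client(lines)
    repeat = {ip: n for ip, n in counts.items() if n >= threshold}
    single = {ip: n for ip, n in counts.items() if n < threshold}
    return {"repeat": repeat, "single": single, "total": sum(counts.values())}

# Constructed sample in the format posted above (timestamps collapsed);
# addresses come from documentation ranges, not real clients.
TS = "[Sun Sep 04 13:44:07.303103 2022] [ssl:info]"
def _eof(pid, ip, port):  # AH02008 line
    return (f"{TS} [pid {pid}] (70014)End of file found: [client {ip}:{port}] "
            f"AH02008: SSL library error 1 in handshake (server example.com:443)")

def _lib(pid):  # the OpenSSL error line that follows it
    return f"{TS} [pid {pid}] SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading"

SAMPLE_LOG = [
    _eof(86541, "203.0.113.5", 60718), _lib(86541),
    _eof(86542, "198.51.100.7", 51000), _eof(86541, "203.0.113.5", 60720),
    _lib(86542), _lib(86541),                          # interleaved workers
    f"{TS} [pid 86543] AH01964: Connection to child 12 established",  # unrelated
    _eof(86543, "2001:db8::10", 40000), _lib(86543),   # IPv6 client
    _eof(86541, "203.0.113.5", 60730), _lib(86541),
    _eof(86544, "192.0.2.9", 41000),                   # no error line follows: not counted
]
```

Feed it `open("/var/log/apache2/error.log")` instead of SAMPLE_LOG; clients landing in "repeat" are the ones worth checking against reverse DNS and your firewall, while "single" entries are the ordinary dropped connections the OpenSSL maintainers describe.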

We've updated to Ubuntu 22.04 and we get the same issue while doing HTTP requests to Canvas LMS.
The requests return 200 OK, but this error happens.

Any solution for apache users?

There really isn't a solution, these are spammers/scammers/hackers trying to infiltrate your server by sending malformed connections. You need to look at a WAF / Web Application Firewall to filter and block these from even getting to your web server

I don't follow; I mean we get this error when sending requests, not when receiving or something.

These warnings are normally from hackers trying to infiltrate your web server. They send incorrectly formed ssl connection requests. If you are the one initiating the connections then it's a config problem. Are both ends using http/2 with correct certificates? Try https://hstspreload.org/ and https://globalsign.ssllabs.com/analyze.html

Certificates are correct, but I'm not sure how to see if both servers provide HTTP/2; I mostly see HTTP/1.1.
Both servers also have "no" next to SSL 2 and SSL 3 under protocols.

Which config would be the trigger? The config on the server we send requests from, or the config on the server we send requests to?

My scenario:

I use openssl ciphers -v | awk '{print $2}' | sort | uniq to list the protocol versions of the available OpenSSL ciphers, shown below.

Information:
Trans server:

OS: Rocky Linux 9
openssl version: OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
nginx version: nginx/1.22.1
Kernel: Linux fa-xx 5.14.0-70.22.1.el9_0.x86_64 #1 SMP PREEMPT Tue Aug 9 19:45:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
openssl ciphers: SSLv3 TLSv1 TLSv1.2 TLSv1.3

Business server:

OS: CentOS 7
openssl version: OpenSSL 1.0.2k-fips 26 Jan 2017
nginx version: nginx/1.20.2
Kernel: Linux business-xx 3.10.0-1160.36.2.el7.x86_64 #1 SMP Wed Jul 21 11:57:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
openssl ciphers: SSLv3 TLSv1.2

Hope this helps reproduce the issue.

With OpenSSL 3 when SSL connection is terminated by peer, the library
issues the error
'error:0A000126:SSL routines::unexpected eof while reading'
which causes the following MTR tests to fail:
galera.pxc_encrypt_rest_redo
galera.pxc_encrypt_rest_fpt
galera.pxc_encrypt_rest_gt
galera.pxc_encrypt_rest_system
galera.pxc_encrypt_rest_mkey_rotate
galera.pxc_encrypt_rest_blog
galera.pxc_encrypt_rest_parallel_dblwr
galera.pxc_encrypt_rest_tt
galera.pxc_encrypt_rest_undo
It is related to fixing the bug discussed in
openssl/openssl#18866
and introducing the SSL_OP_IGNORE_UNEXPECTED_EOF flag.
SSL_OP_IGNORE_UNEXPECTED_EOF has been set for OpenSSL 3 and the error
is handled gracefully.

I faced the same unexpected EOF issue on Rocky 9.1.
I've tested with the native openssl version, then built 3.0.7 and also compiled the 3.1 release.
I always got the following message:

OpenSSL 3.1.0-beta1 21 Dec 2022 (Library: OpenSSL 3.1.0-beta1 21 Dec 2022)
[root@rundeck bin]# ./openssl s_client -debug -connect ansible-galaxy.s3.amazonaws.com:443 
CONNECTED(00000003)
write to 0x24e32b0 [0x24f6ba0] (333 bytes => 333 (0x14D))
read from 0x24e32b0 [0x24ed983] (5 bytes => 0)
write to 0x24e32b0 [0x24f6ba0] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 32                              ......2
805B9E32657F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:321:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 340 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
read from 0x24e32b0 [0x249e970] (8192 bytes => 0)

Hope it could help.

I am getting this error with Postfix. The latest version of Postfix, 3.7.4, which got released yesterday, has implemented this:

Workaround: with OpenSSL 3 and later always turn on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed opportunities for TLS session reuse. This is safe because the SMTP protocol implements application-level framing, and is therefore not affected by TLS truncation attacks. Fix by Viktor Dukhovni.

On Arch Linux, only Postfix 3.7.3 is available.
https://archlinux.org/packages/extra/x86_64/postfix/

So I will update manually the PKGBUILD / package to 3.7.4.
I also contacted the maintainer, as selectively installing some subpackages of a meta package is not done straight away.

EDIT: postfix 3.7.4 got released on Arch Linux. I also was able to update it myself with pikaur that is able to do a selective install of the postfix meta package.

As MariaDB uses SSL_set_quiet_shutdown on the server side to perform an abrupt shutdown, this leaves the client issuing warnings, often on every TLS connection. Ref: openssl/openssl#18866 (comment)