SPDY errors in log

i just noticed several entries in the main nginx log here that are:

[error] 28042#0: *12244 inflate() failed: -5 while processing SPDY, client: xx.xx.xx.xx, server: 0.0.0.0:443

anyone know what this is caused by? i haven’t found anything in the
search engines that relates yet

Posted at Nginx Forum:

oh, and another:

*188425 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: xx.xx.xx.xx.xx, server: 0.0.0.0:443

is this maybe a result of hackers attempting to break into the server?

Posted at Nginx Forum:

CCS-scan probably, see
https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#ccs-early-changecipherspec-attack

what openssl-version do you use?

cheers,

mex

Posted at Nginx Forum:

hi tunist,

if you want to test your server for CCS-vuln you might use

or the testscript from https://testssl.sh/
when you prefer to test locally.

though when i run openssl version, i see: OpenSSL 1.0.1e-fips 11 Feb 2013
not sure why…!?

distros backport patches but usually don't ship new versions,
thus don't update version-numbers; same here, although
this system is fully patched

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

Posted at Nginx Forum:

fedora 20 - latest version of openssl = 1:openssl-1.0.1e-40.fc20.x86_64

though when i run openssl version, i see: OpenSSL 1.0.1e-fips 11 Feb 2013
not sure why…!?

Posted at Nginx Forum:

thanks, yes - i just thought to do that before i read your reply. the
test says my server is not vulnerable to the attack - so the bugfixes
appear to have been integrated into the latest fedora version of
openssl, even though running the openssl version command does not show
this to be the case.

so i just put up with the regular error log entries for inflate?

Posted at Nginx Forum:
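
To see which clients produce each of the two entries quoted in this thread, the added example below (not code from any poster or from nginx) tallies them per client address. The sample log lines, including their timestamps, log levels and addresses, are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the two entries quoted in the thread.
# Timestamps, levels, PIDs and addresses (documentation ranges) are invented.
SAMPLE_LOG = """\
2014/01/01 10:01:02 [error] 28042#0: *12244 inflate() failed: -5 while processing SPDY, client: 192.0.2.10, server: 0.0.0.0:443
2014/01/01 10:01:09 [error] 28042#0: *12251 inflate() failed: -5 while processing SPDY, client: 192.0.2.10, server: 0.0.0.0:443
2014/01/01 10:03:40 [info] 28042#0: *188425 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: 192.0.2.77, server: 0.0.0.0:443
2014/01/01 10:03:41 [info] 28042#0: *188426 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: 192.0.2.77, server: 0.0.0.0:443
2014/01/01 11:15:00 [info] 28042#0: *190001 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: 198.51.100.5, server: 0.0.0.0:443
2014/01/01 11:20:00 [error] 28042#0: *190100 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: example.test
this line is not an nginx error-log entry and is skipped
"""

# nginx error-log layout: timestamp [level] pid#tid: *conn message, client: ..., server: ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"\d+#\d+: (?:\*\d+ )?(?P<msg>.*?), client: (?P<client>[^,]+), server: (?P<server>[^,]+)"
)

# Substrings taken from the two messages quoted in the thread.
KINDS = {
    "spdy_inflate": "inflate() failed",
    "ccs_early": "ccs received early",
}

def classify(msg):
    """Map a log message to one of the thread's two error kinds, or 'other'."""
    for kind, needle in KINDS.items():
        if needle in msg:
            return kind
    return "other"

def summarize(log_text):
    """Return {kind: {client: count}} for every parseable error-log line."""
    per_kind = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not an error-log entry in the expected layout
        per_kind[classify(m["msg"])][m["client"]] += 1
    return {kind: dict(counts) for kind, counts in per_kind.items()}

if __name__ == "__main__":
    for kind, clients in sorted(summarize(SAMPLE_LOG).items()):
        for client, count in sorted(clients.items(), key=lambda kv: -kv[1]):
            print(f"{kind:13} {client:15} {count}")
```
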