addis_a
October 19, 2014, 11:50pm
#1
i just noticed several entries in the main nginx log here that are:
[error] 28042#0: *12244 inflate() failed: -5 while processing SPDY, client: xx.xx.xx.xx, server: 0.0.0.0:443
anyone know what this is caused by? i haven’t found anything in the search engines that relate yet
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,254144,254144#msg-254144
tunist
October 19, 2014, 11:51pm
#2
oh, and another:
*188425 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: xx.xx.xx.xx.xx, server: 0.0.0.0:443
is this maybe a result of hackers attempting to break into the server?
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,254144,254145#msg-254145
tunist
October 20, 2014, 12:16am
#3
tunist
October 20, 2014, 12:43am
#4
hi tunist,
if you want to test your server for CCS-vuln you might use https://www.ssllabs.com/ssltest/ or the testscript from https://testssl.sh/ when you prefer to test locally.
though when i run openssl version, i see: OpenSSL 1.0.1e-fips 11 Feb 2013 not sure why…!?
distros backport patches but usually don't ship new versions, thus don't update version-numbers; same here, although this system is fully patched
$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,254144,254148#msg-254148
tunist
October 20, 2014, 12:34am
#5
fedora 20 - latest version of openssl = 1:openssl-1.0.1e-40.fc20.x86_64
though when i run openssl version, i see: OpenSSL 1.0.1e-fips 11 Feb 2013
not sure why…!?
mex Wrote:
mex
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,254144,254147#msg-254147
tunist
October 20, 2014, 1:37am
#6
thanks, yes - i just thought to do that before i read your reply. the test says my server is not vulnerable to the attack - so the bugfixes appear to have been integrated into the latest fedora version of openssl, even though running the openssl version command does not show this to be the case.
so i just put up with the regular error log entries for inflate?
mex Wrote:
though when i run openssl version, i see: OpenSSL 1.0.1e-fips 11 Feb 2013 not sure why…!?
distros backport patches but usually don't ship new versions, thus don't update version-numbers; same here, although this system is fully patched
$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,254144,254149#msg-254149
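Added example, not part of the thread and not nginx's own code: a small Python tally of the two error-log messages quoted in the thread, grouped per client address, so it is visible whether they come from one repeating address or from many. The sample lines (timestamps, log levels, addresses, paths) are constructed, and the function and category names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in nginx error_log layout; timestamps, log levels
# and the 203.0.113.x / 198.51.100.x addresses are made up for illustration.
SAMPLE_LOG = """\
2014/10/19 23:41:07 [error] 28042#0: *12244 inflate() failed: -5 while processing SPDY, client: 203.0.113.7, server: 0.0.0.0:443
2014/10/19 23:41:09 [error] 28042#0: *12251 inflate() failed: -5 while processing SPDY, client: 203.0.113.7, server: 0.0.0.0:443
2014/10/19 23:44:30 [info] 28042#0: *188425 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: 198.51.100.23, server: 0.0.0.0:443
2014/10/19 23:45:02 [error] 28042#0: *188431 open() "/srv/www/favicon.ico" failed (2: No such file or directory), client: 198.51.100.23, server: example.test
2014/10/19 23:45:10 [notice] 28040#0: signal process started
"""

# Only lines that carry a "client:" field are of interest here.
LINE_RE = re.compile(
    r"\[(?P<level>\w+)\] \d+#\d+: (?:\*(?P<conn>\d+) )?"
    r"(?P<msg>.*?), client: (?P<client>[^,\s]+), server: (?P<server>[^,\s]+)"
)
# The two messages from the thread; everything else is counted as "other".
CATEGORIES = [
    ("spdy_inflate", re.compile(r"inflate\(\) failed: -?\d+ while processing SPDY")),
    ("ccs_early", re.compile(r"SSL_do_handshake\(\) failed .*ccs received early")),
]

def classify(msg):
    for name, pattern in CATEGORIES:
        if pattern.search(msg):
            return name
    return "other"

def tally(log_text):
    """Return a Counter keyed by (category, client) for lines naming a client."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(classify(m["msg"]), m["client"])] += 1
    return counts

def repeat_clients(counts, category, min_hits=2):
    """Clients seen at least min_hits times in a category, most frequent first."""
    hits = [(c, n) for (cat, c), n in counts.items() if cat == category and n >= min_hits]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for (cat, client), n in sorted(tally(SAMPLE_LOG).items()):
        print(f"{cat:13} {client:15} {n}")
```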