Netgate Discussion Forum
    SSL23_GET_CLIENT_HELLO:unknown protocol

    Captive Portal
    rovshango wrote:

      Hi,

      After enabling HTTPS login and importing an SSL certificate (purchased from DigiCert) in the CP, everything is working fine.
      I see HTTPS landing page etc.

      But I am getting lots of "SSL23_GET_CLIENT_HELLO:unknown protocol" entries in the system log.

      Please help: how do I ignore or fix them?
      [attachment: error.JPG]

      Gertjan wrote:

        Hi,

        Looking up "SSL23_GET_CLIENT_HELLO" on this forum will somewhat explain what it is.

        To me it's something like an HTTPS connection hammering on HTTP (your portal login page), or the other way around.

        What I know is that when I launch a connection (my iDevice to my Wifi portal network), there are no such messages.
        A "clean" Windows-driven PC with Wifi doesn't produce these messages either.

        Some "Smart Devices", however, think they have a direct connection to the net when the Wifi (= Ethernet connection) comes up; they are NOT "portal" minded. They HTTPS right out, and of course are intercepted by the portal interface (http or https) because the user should authenticate first.

        As you should know, intercepting HTTPS is considered a man-in-the-middle attack, and the client device (our Smart Device) doesn't like it; neither does our web server, which is our portal web server in this case. The log file is flooded with these messages.

        Things get really noisy in the logs when it concerns a stupid app like (for example) Facebook on our Smart Device: the device finds a Wifi connection, and the Wifi comes up (our portal network): an IP connection is made to our pfSense box; any other requests elsewhere are firewalled. The app sees that a (private network) IP is available, that a router is announcing itself, and starts hammering HTTPS connections out, because it has been at least 30 minutes since your FB was updated with the latest experiences in your life. Your page followers have completely lost track of you ... [hmm, I'm losing track here :P]
        Anyway, the app can't pass through; the only way through is for the device owner to start a web browser and authenticate first. Only then does the connection become transparent, and the FB app can continue doing its work.

        My "conclusion": these are requests from apps on Wifi devices attached to our portal network that are failing because they are NOT portal minded, nor authenticated.

        Read also this: https://forum.pfsense.org/index.php?topic=59411.msg319338#msg319338 - or any other message about the subject (I found a couple of hundred of them; the subject isn't really a recent issue).

        edit: Also, I thought that these messages would disappear if I activated HTTPS authentication with a real, valid cert (from startssl.com).
        I was wrong; it looks like I receive even more of these "SSL23_GET_CLIENT_HELLO" (and others).
        Again: don't worry, I've seen these for years now.

        No "help me" PMs please. Use the forum, the community will thank you.
        Edit: and where are the logs??

          Derelict (Netgate) wrote:

          It is infeasible to successfully captive-portal HTTPS connections unless you control all your prospective client devices and can pre-install trusted root certificates. It is better to just drop TCP/443 traffic until the portal session has been negotiated via TCP/80.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

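The two answers above describe the same mechanism from two sides: a client that speaks one protocol hits a listener that expects the other, and OpenSSL's pre-handshake code (the "SSL23" layer) rejects the first bytes it reads. The script below is an added illustration written for this thread; it is not pfSense, nginx or OpenSSL code. Its first part classifies the opening bytes of a connection the way a listener would see them (a TLS ClientHello record, a plaintext HTTP request line, or neither) and states what an HTTPS or HTTP listener would make of them. Its second part tallies handshake-failure log lines per client so you can find which devices on the portal network are generating the noise. The byte strings and the nginx-style error-log lines are constructed samples, not captures from a real portal; the OpenSSL reason strings ("unknown protocol", "http request") are quoted from the error text in the thread and from OpenSSL's own wording, and the exact pfSense log layout may differ from the sample.

```python
"""Illustrate SSL23_GET_CLIENT_HELLO failures on a captive portal.

Added example for this thread, not code from pfSense, nginx or OpenSSL.
All sample bytes and log lines below are constructed.
"""
import re
from collections import Counter

# Request-line prefixes a plaintext HTTP client sends first.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes read from a freshly accepted TCP connection.

    A TLS ClientHello starts with a record header: content type 0x16
    (handshake), version major 0x03, a 2-byte length, then handshake
    type 0x01 (ClientHello).  A plaintext HTTP request starts with a
    method token.  Anything else is 'unknown' to both listeners.
    """
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http-plaintext"
    return "unknown"


def expected_outcome(listener: str, data: bytes) -> str:
    """What a listener of the given kind ('https' or 'http') does with the bytes."""
    kind = classify_first_bytes(data)
    if listener == "https":
        if kind == "tls-client-hello":
            return "handshake proceeds"
        if kind == "http-plaintext":
            # OpenSSL reports plaintext HTTP on a TLS port with its own
            # reason string ("http request"); anything unrecognised gets
            # the "unknown protocol" reason the original poster is seeing.
            return "TLS handshake error: http request"
        return "TLS handshake error: unknown protocol"
    if listener == "http":
        if kind == "http-plaintext":
            return "request parsed"
        # A ClientHello on a plain HTTP port is binary garbage to the
        # HTTP parser; the client typically gets a 400 or a reset.
        return "HTTP parser sees garbage"
    raise ValueError("listener must be 'http' or 'https'")


# Constructed samples: a ClientHello record prefix, an Android-style
# connectivity probe, and an unrelated protocol banner.
SAMPLE_TLS_HELLO = bytes.fromhex("160301002a01000026030312345678")
SAMPLE_HTTP = b"GET /generate_204 HTTP/1.1\r\nHost: connectivitycheck.gstatic.com\r\n\r\n"
SAMPLE_OTHER = b"SSH-2.0-OpenSSH\r\n"

# Matches the reason string and client address in an nginx-style error
# line.  The line layout is assumed; adjust the pattern for your log.
SSL23_RE = re.compile(
    r"SSL23_GET_CLIENT_HELLO:(?P<reason>[^)]+)\).*?client: (?P<client>[0-9.]+)"
)

# Constructed log excerpt in the nginx error-log style (assumed format).
SAMPLE_LOG = """\
2019/03/04 08:12:01 [crit] 1234#0: *88 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 10.8.0.23, server: 0.0.0.0:8003
2019/03/04 08:12:02 [crit] 1234#0: *89 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 10.8.0.23, server: 0.0.0.0:8003
2019/03/04 08:12:05 [crit] 1234#0: *90 SSL_do_handshake() failed (SSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request) while SSL handshaking, client: 10.8.0.41, server: 0.0.0.0:8003
2019/03/04 08:12:07 [info] 1234#0: *91 client 10.8.0.41 closed keepalive connection
"""


def tally_handshake_failures(log_text: str) -> Counter:
    """Count SSL23_GET_CLIENT_HELLO failures per (client, reason)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = SSL23_RE.search(line)
        if m:
            counts[(m.group("client"), m.group("reason"))] += 1
    return counts


if __name__ == "__main__":
    for name, sample in (("ClientHello", SAMPLE_TLS_HELLO),
                         ("HTTP probe", SAMPLE_HTTP),
                         ("SSH banner", SAMPLE_OTHER)):
        print(f"{name:12} -> https: {expected_outcome('https', sample)}; "
              f"http: {expected_outcome('http', sample)}")
    for (client, reason), n in tally_handshake_failures(SAMPLE_LOG).most_common():
        print(f"{client:12} {reason:18} {n}")
```

The tally is the part worth running against a real portal log: a handful of addresses producing most of the lines usually turns out to be exactly the kind of non-portal-aware devices Gertjan describes, which is also the population Derelict's advice (block TCP/443 until the session exists) silences at the firewall instead of at the web server.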
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.