Lighttpd errors littering log files



  • Good morning all!

    2.2-RELEASE  (amd64)

    I have a fresh install of 2.2 and my system log is full of these errors. As I understand it, it's not much to be concerned about, but I haven't seen anyone post about it.

    Feb 17 05:28:00 lighttpd[26143]: (connections.c.305) SSL: 1 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
    Feb 17 05:12:34 lighttpd[26143]: (connections.c.305) SSL: 1 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
    Feb 17 04:57:07 lighttpd[26143]: (connections.c.305) SSL: 1 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

    A) is it truly nothing to be concerned about?
    B) if I should be concerned, what do I need to do to correct the problem?

    Thanks!



  • I send all of my pfSense logs to Splunk and on the 10th of February I was getting an average of about 2 million of these types of messages per hour for about 10 hours. The log rate peaked at about 3 million log entries in one hour. I am still looking into why this event occurred but I have not seen any messages like this since the 10th.

    Here is what my log messages looked like:

    Feb 10 23:37:45 10.1.1.2 Feb 10 23:37:45 lighttpd[24763]: (connections.c.305) SSL: 1 error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
    Feb 10 23:37:33 10.1.1.2 Feb 10 23:37:33 lighttpd[24763]: (connections.c.137) (warning) close: 17 Connection reset by peer

    Unfortunately, I did not see it in time to record packets.
    I will post again if I can find any causes. I am still working on trying to correlate events.

    The attachment is a screenshot of my Splunk web interface showing the event distribution by hour and some of the log messages.




  • Poking around a bit I did find this setting for logging. (image attached)

    It won't stop the error but should stop it from polluting the logs.




  • Hello,

    Are you still getting the same error? I have the same error on 2.2.2 amd64 version.

    Regards,
    Adrian



  • I get this same message. Anyone want to help me troubleshoot this? The firewall traffic stops but I can still operate from the console; however, selecting option 5 (reboot) does not succeed.

    I'm on pfSense 2.2.5-RELEASE (i386) nanobsd (2g)


  • Banned

    @rclough:

    I was getting an average of about 2 million of these types of messages per hour for about 10 hours. The log rate peaked at about 3 million log entries in one hour.

    Perhaps time to stop exposing your firewall GUI to the Internet?  ::) ::) ::)



  • @doktornotor:

    Perhaps time to stop exposing your firewall GUI to the Internet?  ::) ::) ::)

    Indeed.

    The logs in question are often from a monitoring system that just tries to connect to the TCP port. Or in the case of leaving it open to the Internet, who knows what kind of crap from random scanners.

    @fibrewire:

    I get this same message. Anyone want to help me troubleshoot this? The firewall traffic stops but I can still operate from the console; however, selecting option 5 (reboot) does not succeed.

    Highly unlikely this log has anything to do with that log. Start a new thread with specifics - can you hit the LAN IP at all, get to Internet from the console?


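Added example, not part of any post in this thread: a Python triage over log lines in the format quoted above, counting lighttpd SSL handshake errors per hour and per OpenSSL reason so that an occasional failed probe (such as a monitoring check) can be told apart from a burst like the one reported on February 10. The sample lines are constructed from the formats quoted in the thread, and the burst threshold is an assumed value to tune per site.

```python
import re
from collections import Counter

# lighttpd SSL error line as quoted in the thread. search() is used so the
# "<timestamp> <host> " prefix added by a remote syslog relay is skipped.
LINE_RE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"lighttpd\[\d+\]: \(connections\.c\.\d+\) SSL: \d+ "
    r"error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:(?P<func>[^:]+):(?P<reason>.+)$"
)

def parse(line):
    """Return (hour_bucket, reason) for an SSL error line, else None."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    return f"{m['mon']} {int(m['day']):02d} {m['hour']}:00", m["reason"]

def summarize(lines, burst_threshold):
    """Count SSL errors per hour and per reason; list hours at/over threshold."""
    per_hour, per_reason = Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:          # other lighttpd messages are ignored
            continue
        per_hour[rec[0]] += 1
        per_reason[rec[1]] += 1
    bursts = sorted(h for h, n in per_hour.items() if n >= burst_threshold)
    return per_hour, per_reason, bursts

# Constructed sample: three sparse errors plus a 40-line burst and one
# unrelated "close" warning, all following the formats quoted in the thread.
_CIPHER = ("Feb 17 {t} lighttpd[26143]: (connections.c.305) SSL: 1 "
           "error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher")
_VERSION = ("Feb 10 23:37:{s:02d} 10.1.1.2 Feb 10 23:37:{s:02d} lighttpd[24763]: "
            "(connections.c.305) SSL: 1 error:1408A10B:SSL routines:"
            "SSL3_GET_CLIENT_HELLO:wrong version number")
SAMPLE = [_CIPHER.format(t=t) for t in ("04:57:07", "05:12:34", "05:28:00")]
SAMPLE += [_VERSION.format(s=s) for s in range(40)]
SAMPLE.append("Feb 10 23:37:33 10.1.1.2 Feb 10 23:37:33 lighttpd[24763]: "
              "(connections.c.137) (warning) close: 17 Connection reset by peer")

if __name__ == "__main__":
    per_hour, per_reason, bursts = summarize(SAMPLE, burst_threshold=10)  # assumed threshold
    print("per hour:", dict(per_hour))
    print("per reason:", dict(per_reason))
    print("burst hours:", bursts)
```

These log lines carry no client address, so identifying the source of a burst still needs firewall logs or a packet capture taken while it is happening.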