SSL_write() failed (SSL: error:140800FF:SSL routines:ssl3_accept:unknown state) while processing HTTP/2

[mentik_yusmantara]

Help, sir
I have a problem in server log...

2020/06/13 06:01:44 [crit] 8835#0: *68438 SSL_write() failed (SSL: error:140800FF:SSL routines:ssl3_accept:unknown state) while processing HTTP/2 connection, client: 114.124.174.169, server:
2020/06/13 06:01:44 [crit] 8836#0: *68439 SSL_write() failed (SSL: error:140800FF:SSL routines:ssl3_accept:unknown state) while processing HTTP/2 connection, client: 114.124.174.169, server:
2020/06/13 06:02:12 [crit] 8834#0: *68469 SSL_write() failed (SSL: error:140800FF:SSL routines:ssl3_accept:unknown state) while processing HTTP/2 connection, client: 114.124.174.169, server:

I using Let's Encrypt SSL.
The SSL work, but i see this massage in server log...
i have seen before, not secure, then i reload page... (secure again)
How i can fix this or why its happened?

Thanks sir ...

 

[ikkeben]

ssl3

The POODLE Attack and the End of SSL 3.0 – Mozilla Security Blog

Summary SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid ...

blog.mozilla.org

could be

 

[mentik_yusmantara]

ssl3

The POODLE Attack and the End of SSL 3.0 – Mozilla Security Blog

Summary SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid ...

blog.mozilla.org

could be

So what should i use? How to do?
Do article suggest TLSv1.0

 

[ikkeben]

I don't know while is and could be client depended. ( using "old" client software whatever)

So if so and it is you connection you are using that is giving the log message, take care to not block yourself , first be sure what you are using support default tls 1.2 or higher is recomended, and do some real tests.

Please i can't help while not working with to "old" things.

First look at de OS and versions you're using for clients and also server! Then do some websearch..
I am not sure if what i posted is your problem!

 

[mentik_yusmantara]

I don't know while is and could be client depended. ( using "old" client software whatever)

So if so and it is you connection you are using that is giving the log message, take care to not block yourself , first be sure what you are using support default tls 1.2 or higher is recomended, and do some real tests.

Please i can't help while not working with to "old" things.

First look at de OS and versions you're using for clients and also server! Then do some websearch..
I am not sure if what i posted is your problem!

Thanks Ikkeben for your answer

 

[factor]

So what should I use? How to do?
Do article suggest TLSv1.0

Well, what os do you have?

in the options.conf file what do you have set for

ssl_configuration=

 

[mentik_yusmantara]

@bdacus01 i using CentOs 7 64 bit

here the options.conf in /usr/local/directadmin/custombuild/options.conf

#Advanced Settings
autoconf=yes
automake=yes
libtool=yes
curl=yes
new_pcre=yes
ssl_configuration=intermediate

 

[factor]

2020/06/13 06:02:12 [crit] 8834#0: *68469 SSL_write() failed (SSL: error:140800FF:SSL routines:ssl3_accept:unknown state) while processing HTTP/2 connection, client: 114.124.174.169, server:

Are these users that have these errors.

then i reload page... (secure again)

Or are these errors you see by accessing DA?


Are you using a LAN based system where the server IP is a Private address like 192.168.x.x?
what is your openssl version

 openssl version

 

[mentik_yusmantara]

@bdacus01
I using openssl version 1.0.2k-fips 26 Jan 2017

In DA i not meet the error
But the error showing in domain error log
The server IP is 185.149.xxx.xxx is the private IP or not?

 

[mentik_yusmantara]

Please
I also get this, i just cheked
2020/06/16 07:25:56 [crit] 846#0: *294756 SSL_do_handshake() failed (SSL: error:1006706B:elliptic curve routines:ec_GFp_simple_oct2poin: point is not on curve error:1408B010:SSL routines:ssl3_get_client_key_exchange:EC lib) while SSL handshaking, client: 114.4.221.42, server: 185.149.xxx.xxx:443

its different error log information

 

[factor]

The server IP is 185.149.xxx.xxx is the private IP or not?

Private network - Wikipedia

en.wikipedia.org

elliptic curve routines

is not supported by RH/Centos based systems last I checked. It means someone is trying to connect with really old software most likely

for ssl3 I hope you didn't enable that somehow.

use this guide to test your server the various methods.

https://help.directadmin.com/item.php?id=316

 

[mentik_yusmantara]

Private network - Wikipedia

en.wikipedia.org

is not supported by RH/Centos based systems last I checked. It means someone is trying to connect with really old software most likely

for ssl3 I hope you didn't enable that somehow.

use this guide to test your server the various methods.

https://help.directadmin.com/item.php?id=316

Thanks for the answer... @bdacus01
Looking for that test...
Yes, i think the people access the port
185.149.xxx.xxx:443
And its not show same result as https://help.directadmin.com/item.php?id=316

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1592351500
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

When access it manual will show
400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx