Intermittent SSL handshake errors

1. Caddy version (caddy version):

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

using the systemctl it is started with ExecStart=/usr/local/bin/caddy run -config /etc/caddy/Caddyfile

a. System environment:

Linux server01 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux

b. Command:

systemctl start caddy

c. Service/unit/compose file:

paste full file contents here

d. My complete Caddyfile or JSON config:

tracypearson.me {
        file_server {
                root /var/www/tracypearson.me
        }
}

tracypearson.com {
        file_server {
                root /var/www/tracypearson.com
        }
}

tracypearson.net {
        file_server {
                root /var/www/tracypearson.net
        }
}

git.tracypearson.net {
        reverse_proxy localhost:3000
}

server01.lan {
        tls internal
        file_server {
                root /var/www/server01
        }
}

3. The problem I’m having:

The SSL handshake keeps failing. It works sometimes. The

4. Error messages and/or full log output:

C:\Users\tracy\Downloads\Tools\CaddyServer\caddy_2.0.0_windows_amd64>curl -k -v https://server01.lan
* Rebuilt URL to: https://server01.lan/
*   Trying 192.168.17.111...
* TCP_NODELAY set
* Connected to server01.lan (192.168.17.111) port 443 (#0)
* schannel: SSL/TLS connection with server01.lan port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
* schannel: sending initial handshake data: sending 168 bytes...
* schannel: sent initial handshake data: sent 168 bytes
* schannel: SSL/TLS connection with server01.lan port 443 (step 2/3)
* schannel: encrypted data got 7
* schannel: encrypted data buffer: offset 7 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with server01.lan port 443
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

and a success

C:\Users\tracy\Downloads\Tools\CaddyServer\caddy_2.0.0_windows_amd64>curl -v -k https://server01.lan
* Rebuilt URL to: https://server01.lan/
*   Trying 192.168.17.111...
* TCP_NODELAY set
* Connected to server01.lan (192.168.17.111) port 443 (#0)
* schannel: SSL/TLS connection with server01.lan port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
* schannel: sending initial handshake data: sending 168 bytes...
* schannel: sent initial handshake data: sent 168 bytes
* schannel: SSL/TLS connection with server01.lan port 443 (step 2/3)
* schannel: encrypted data got 1122
* schannel: encrypted data buffer: offset 1122 length 4096
* schannel: sending next handshake data: sending 93 bytes...
* schannel: SSL/TLS connection with server01.lan port 443 (step 2/3)
* schannel: encrypted data got 186
* schannel: encrypted data buffer: offset 186 length 4096
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with server01.lan port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET / HTTP/1.1
> Host: server01.lan
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 350
* schannel: encrypted data buffer: offset 350 length 103424
* schannel: decrypted data length: 321
* schannel: decrypted data added: 321
* schannel: decrypted data cached: offset 321 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 321 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 321
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 103
< Content-Type: text/html; charset=utf-8
< Etag: "qc3gff2v"
< Last-Modified: Wed, 17 Jun 2020 23:40:27 GMT
< Server: Caddy
< Date: Thu, 18 Jun 2020 00:32:14 GMT
<
<!DOCTYPE html>
<head>
<title>Testing</title>
</head>
<body>
<h1>Testing web site</h1>
</body>
</html>
* Connection #0 to host server01.lan left intact

5. What I already tried:

I’m at a loss as to where to go. Is this a Caddy problem or an SSL problem on the Debian system I recently built?

I have been having problems with upload speeds and had the internet company come out. But now I have tested with the internal certificate of Caddy and have the same failure…

6. Links to relevant resources:

EDIT

I have captured a failure using OpenSSL on the system that is running Caddy.

* Expire in 0 ms for 6 (transfer 0x563a83d5ddc0)
* Expire in 1 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 1 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 1 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 1 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 1 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
* Expire in 0 ms for 1 (transfer 0x563a83d5ddc0)
*   Trying 127.0.1.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x563a83d5ddc0)
* Connected to server01.lan (127.0.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
tracy@server01:~$ openssl s_client -connect server01.lan:443
CONNECTED(00000003)
140099183916160:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1544:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 304 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Would this be a bug I need to write up against Caddy now?

tracy@server01:~$ openssl version
OpenSSL 1.1.1d  10 Sep 2019
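As an added example (not from the original post and not Caddy's own code), a small Python helper that makes failures like the ones above measurable: it decodes the TLS alert number from openssl s_client and curl -v lines (curl prints OpenSSL's 512 + alert code, so "internal error (592)" is alert 80, the same alert openssl reports directly) and repeatedly re-handshakes against an endpoint to tally how often it succeeds versus which alert comes back. The sample lines are copied from this thread; the host, port and attempt count passed to probe() are assumptions.

```python
"""Classify TLS alerts seen in handshake logs and measure how often an
endpoint fails its handshake (added example, not part of Caddy)."""
import re
import socket
import ssl
from collections import Counter

# TLS alert descriptions (RFC 8446 section 6). OpenSSL/curl verbose output
# reports them as 512 + code, e.g. "internal error (592)" is alert 80.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}

OPENSSL_ALERT = re.compile(r"SSL alert number (\d+)")
CURL_ALERT = re.compile(r"TLS alert, [^(]*\((\d+)\)")

# Lines quoted from the failing runs in this thread.
SAMPLE_LINES = [
    "* TLSv1.3 (IN), TLS alert, internal error (592):",
    "140099183916160:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert "
    "internal error:../ssl/record/rec_layer_s3.c:1544:SSL alert number 80",
    "* schannel: encrypted data got 7",  # 7 bytes = one alert record, no alert text
]

def classify_alert(line):
    """Return (code, name) for a TLS alert found in a log line, else None."""
    m = OPENSSL_ALERT.search(line)
    if m:
        code = int(m.group(1))
    else:
        m = CURL_ALERT.search(line)
        if not m:
            return None
        code = int(m.group(1)) - 512  # undo the OpenSSL/curl offset
    return code, TLS_ALERTS.get(code, "unknown")

def probe(host, port=443, attempts=20, timeout=3.0, cafile=None):
    """Open `attempts` fresh TLS connections and tally outcomes; an intermittent
    server-side fault shows up as a mix of 'ok:...' and alert reason keys."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: the internal CA if used
    tally = Counter()
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    tally["ok:" + tls.version()] += 1
        except ssl.SSLError as e:
            tally[e.reason or "ssl_error"] += 1  # e.g. TLSV1_ALERT_INTERNAL_ERROR
        except OSError:
            tally["connect_error"] += 1
    return tally
```

Run probe("server01.lan", cafile="/path/to/internal-ca.pem") against the host from a shell loop or cron while reproducing; a tally such as {"ok:TLSv1.3": 14, "TLSV1_ALERT_INTERNAL_ERROR": 6} quantifies the intermittency instead of relying on one curl at a time.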

Best as I can determine, this problem has gone away once I have corrected the Caddyfile and actually completely restarted Caddy.

I do not know what iterations of incorrectly structured Caddy files I had reloaded. I feel something during reloads did not clear correctly and caused this intermittent problem.

I added a log directive. However, that directive will only take effect on the start of Caddy, not a reload.
