Hi all,

On 22:59 Wed 23 Apr, Willy Tarreau wrote:
> Hi again Markus,
>
> I've checked my own logs and found SSL handshake failures starting
> on April 8th, or the day after Heartbleed was disclosed, as can be
> seen below with the number of errors per day :
>
>   # err  date
>       2  Mar 27
>       2  Mar 28
>       1  Mar 29
>       2  Mar 30
>       3  Mar 31
>       3  Apr 1
>       7  Apr 2
>       1  Apr 3
>       2  Apr 4
>       8  Apr 5
>      24  Apr 6
>       2  Apr 7
>     619  Apr 8
>       2  Apr 9
>       2  Apr 10
>     158  Apr 11
>       6  Apr 12
>       2  Apr 13
>     158  Apr 14
>     157  Apr 15
>     168  Apr 16
>     109  Apr 17
>       7  Apr 18
>       7  Apr 19
>       7  Apr 20
>     110  Apr 21
>     497  Apr 22
>     123  Apr 23
>
> Interestingly, my version was neither upgraded nor restarted during this
> period, so it cannot be caused by a code change, and is very likely caused
> by bots trying the attack. So I think it's also possible that you're
> experiencing the same things and that you didn't notice them before
> upgrading and checking your logs.
>
> Hoping this helps,
> Willy
>
We see similar results with -dev19:

  20140401   378
  20140402   922
  20140403   346
  20140404   370
  20140405   807
  20140406   501
  20140407   445
  20140408  3509
  20140409   360
  20140410  1143
  20140411  1525
  20140412   989
  20140413   991
  20140414  1217
  20140415  1139
  20140416  1141
  ...

Note the spike on the 8th of April, matching the Heartbleed hypothesis.

These can be all sorts of failures occurring before the handshake is
completed. I sampled a couple of requests using tcpdump: one of them was a
plain HTTP request on the HTTPS port and in the other one the client sent a
close-notify TLS alert, 250 ms after receiving the certificate (indicating
perhaps a network issue).

To put things in perspective, on the 8th of April we had a total of 1.38
million SSL connections¹ so these failures account for roughly 0.25%.
Granted that on that day we were expecting a lot of unfinished handshakes
probing the heartbeat vulnerability, I wouldn't worry much.

¹ actually unique source IP:source port entries

Regards,
Apollon
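The per-day counts both posters compare were pulled from HAProxy logs by hand; as an added example (not code from either poster or from HAProxy), the script below counts "SSL handshake failure" error lines per day from constructed sample log lines in HAProxy's syslog output shape, ignores completed-request lines, and flags days that stand out against the median of the other days. The log lines, addresses and the 2x threshold are assumptions made for the example.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample in HAProxy's syslog output shape (not real traffic); addresses
# are RFC 5737 documentation ranges. Completed requests use the HTTP log format and
# must be ignored; only the "SSL handshake failure" error lines are counted.
SAMPLE_LOG = """\
Apr  6 09:00:01 lb1 haproxy[1234]: 198.51.100.7:51234 [06/Apr/2014:09:00:01.120] https-in/1: SSL handshake failure
Apr  7 13:42:11 lb1 haproxy[1234]: 198.51.100.7:51999 [07/Apr/2014:13:42:11.002] https-in/1: SSL handshake failure
Apr  8 00:10:05 lb1 haproxy[1234]: 203.0.113.5:40001 [08/Apr/2014:00:10:05.551] https-in/1: SSL handshake failure
Apr  8 00:10:06 lb1 haproxy[1234]: 203.0.113.9:40002 [08/Apr/2014:00:10:06.001] https-in~ app/web1 0/0/1/12/13 200 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Apr  8 00:10:07 lb1 haproxy[1234]: 203.0.113.5:40003 [08/Apr/2014:00:10:07.010] https-in/1: SSL handshake failure
Apr  8 00:10:09 lb1 haproxy[1234]: 203.0.113.5:40004 [08/Apr/2014:00:10:09.333] https-in/1: SSL handshake failure
Apr  8 15:00:00 lb1 haproxy[1234]: 192.0.2.44:60000 [08/Apr/2014:15:00:00.000] https-in/1: SSL handshake failure
Apr  9 08:00:01 lb1 haproxy[1234]: 192.0.2.44:60011 [09/Apr/2014:08:00:01.200] https-in/1: SSL handshake failure
"""

# Day taken from the bracketed accept timestamp; the tail is HAProxy's fixed error text.
FAILURE_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}):[^\]]*\] \S+: SSL handshake failure$")

def failures_per_day(lines):
    """Count SSL handshake failures per day, keyed by 'DD/Mon/YYYY'."""
    counts = Counter()
    for line in lines:
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def spike_days(counts, factor=2.0, min_other_days=2):
    """Days whose count exceeds factor x the median of all other days.
    The baseline excludes the day under test so one huge day cannot mask itself;
    nothing is flagged when too few other days exist to form a baseline."""
    spikes = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day]
        if len(others) >= min_other_days and n > factor * median(others):
            spikes.append(day)
    return spikes

if __name__ == "__main__":
    per_day = failures_per_day(SAMPLE_LOG.splitlines())
    for day, n in per_day.items():
        print(f"{n:6d}  {day}")
    print("spike days:", spike_days(per_day))
```

Run against real HAProxy output, pipe the relevant log file into `failures_per_day(sys.stdin)` instead of the constructed sample; the ratio against total connections that Apollon quotes still has to be computed from a separate count of accepted connections.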

