Mike Cardwell | 2 Feb 15:51

Re: Incomplete SSL negotiation information

On 02/02/2010 14:22, Ryan Barnett wrote:

>> My server has somehow found itself on the end of some strange
>> behaviour originating from the Pushdo botnet as described here:
>>
>> http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129
>>
>> The infected hosts basically connect to the HTTPS port, send some
>> garbage and then disconnect without the SSL negotiation even being
>> completed. My error log is full of stuff like this:
>>
>> [Mon Feb 01 18:19:37 2010] [error] unusably short session_id provided (1
>> bytes)
>>
>> Annoyingly for some reason Apache doesn't log the IP address in this
>> circumstance. Is there anything I can do with ModSecurity to gather more
>> information on this problem or to mitigate it somehow?
>
> Mike,
> Do you happen to have TLS 1.2 enabled on your web server?  We are starting to get reports
> from our commercial WebDefend users about SSL error events with the following message -
>
> Client violated the SSL protocol
> unknown SSL version 0x303 in SSL record header
>
> At this point, we are not sure if this is related to PushDo botnet or not, however our DEV
> team believes that this may be related to TLS 1.2.  Perhaps PushDo clients are initiating
> TLS 1.2 connections.
>
> Please confirm.
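The two log messages quoted in this thread both come from the first bytes a client sends: the record-layer and ClientHello version fields (0x0303 is the code the TLS 1.2 specification assigns to that version) and the session_id length byte that follows the 32-byte client random. The following script is an added example, not code from either poster or from mod_ssl; it decodes a captured ClientHello so a defender can see which field the server objected to. The sample records are constructed in the script, and the length and version checks are this example's own, not a reproduction of mod_ssl's exact thresholds.

```python
# Added example (not from the thread): decode the start of a TLS ClientHello
# so log lines such as "unknown SSL version 0x303 in SSL record header" and
# "unusably short session_id provided (1 bytes)" can be related to the bytes
# on the wire. All sample records below are constructed, not captured.
import struct

# Version codes as defined by the SSLv3/TLS specifications.
VERSIONS = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}

def version_name(code: int) -> str:
    """Map a two-byte version code to a name, mirroring the log wording
    for codes the table does not know."""
    return VERSIONS.get(code, "unknown SSL version 0x%x" % code)

def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello and summarise it.

    Raises ValueError (with a short reason) when the bytes are not a usable
    ClientHello, e.g. when a client sends non-TLS garbage and disconnects.
    """
    if len(data) < 5:
        raise ValueError("truncated record header (%d bytes)" % len(data))
    content_type, rec_version, rec_len = struct.unpack("!BHH", data[:5])
    if content_type != 0x16:  # 0x16 = handshake
        raise ValueError("not a handshake record (content type 0x%02x)" % content_type)
    body = data[5:5 + rec_len]
    if len(body) < 4:
        raise ValueError("truncated handshake header (%d bytes)" % len(body))
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 0x01:  # 0x01 = ClientHello
        raise ValueError("not a ClientHello (handshake type 0x%02x)" % hs_type)
    hello = body[4:4 + hs_len]
    # client_version (2 bytes) + random (32 bytes) + session_id length (1 byte)
    if len(hello) < 35:
        raise ValueError("truncated ClientHello (%d bytes)" % len(hello))
    client_version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]
    session_id = hello[35:35 + sid_len]
    if len(session_id) != sid_len:
        raise ValueError("session_id length %d exceeds available data" % sid_len)
    return {
        "record_version": version_name(rec_version),
        "client_version_code": client_version,
        "client_version": version_name(client_version),
        "session_id_len": sid_len,
        "session_id": session_id.hex(),
    }

def build_client_hello(client_version: int, session_id: bytes) -> bytes:
    """Construct a minimal ClientHello record for testing (assumed shape:
    one cipher suite, null compression, no extensions)."""
    hello = (struct.pack("!H", client_version)
             + b"\x00" * 32                      # client random (constructed)
             + bytes([len(session_id)]) + session_id
             + b"\x00\x02\x00\x2f"                # one cipher suite
             + b"\x01\x00")                       # null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

if __name__ == "__main__":
    # A TLS 1.2 ClientHello offering a one-byte session_id, as in the thread.
    print(parse_client_hello(build_client_hello(0x0303, b"\x00")))
    # Non-TLS garbage sent to the HTTPS port is rejected at the record layer.
    try:
        parse_client_hello(b"GET / HTTP/1.0\r\n\r\n")
    except ValueError as exc:
        print("rejected:", exc)
```

Run it against bytes captured from a rejected connection to see whether the server balked at the version code or at the session_id length; a server without TLS 1.2 support will report 0x303 as unknown, which is the situation Ryan describes.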
