Jump to content
Not connected, Your IP: 3.219.233.54
paladinair

ANSWERED SSL_ERROR_RX_RECORD_TOO_LONG with port forward

Recommended Posts

Hello,
I've been using port forwarding with AirVPN since the beginning. I've used both the same destination port and also port forwarding to a different port and both worked fine in the past.
For I few months now it doesn't work anymore.
I have a web interface in LAN with portforwarding by AirVPN. I can connect fine through local LAN, but when I try to connect from WAN with https://xxx.airdns.org:1234  I always get the error message "SSL_ERROR_RX_RECORD_TOO_LONG" I've tried with several different web UIs (bittorrent, file manager,...), nothing works anymore. The ports themselves seem to work, at least AirVPN shows ports open (green light) when I click "check".

Share this post


Link to post

This error indicates that you're trying to connect to a website served with HTTP using the HTTPS protocol. Can you check if http://xxx.airvpn.org:1234 works?


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Thanks for the reply. I already checked, when I try http, I get ERR_INVALID_HTTP_RESPONSE (I can only try in chrome because firefox automatically changes to https; the chromer error message, when I try to use https, is: ERR_CONNECTION_CLOSED); . It is definitely https, because I can connect through https://192.168.x.x:1234 in my local lan without problems.
I've had the problem in the past with an http web ui. Firefox always changed to https and brought the "record too long" error. That's why I've searched and installed different products with https web UIs.
Thank You,
Peter

Share this post


Link to post

You could try connecting with curl and see if more meaningful error messages are coming back. Works best on Linux/BSD, probably on macOS, too, but on Windows, well… :) not exactly an admins' OS, I must say, but try your luck on the downloads page.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Hi, thanks for your help. Here are the reults for curl in both https and http: (name and port are sanitized)
#curl https://xxx.airdns.org:1234
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
#curl http://xxx.airdns.org:1234
curl: (52) Empty reply from server

If I use curl from within the LAN: curl https://192.168.x.x:1234, it works without error.
I don't know if it's important but I use openvpn on a ubitquity edgerouter x. with a destination nat from the openvpn interface to the host 192.168.x.x and port 1234.

Share this post


Link to post

Please do the same but with verbose switches.

$ curl -vvv http://the.website:1234

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Hi,
here are the results:
# curl https://xxx.airdns.org:1234 -vvv
* About to connect() to xxx.airdns.org port 1234 (#0)
*   Trying xxx.xxx.xxx.xxx...
* connected
* Connected to xxx.airdns.org (xxx.xxx.xxx.xxx) port 1234 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

# curl http://xxx.airdns.org:1234 -vvv
* About to connect() to xxx.airdns.org port 1234 (#0)
*   Trying xxx.xxx.xxx.xxx...
* connected
* Connected to xxx.airdns.org (xxx.xxx.xxx.xxx) port 1234 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: xxx.airdns.org:1234
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* additional stuff not fine transfer.c:1037: 0 0
the last line repeated until I pressed Ctrl-c
 

Share this post


Link to post
24 minutes ago, paladinair said:

* SSLv3, TLS handshake, Client hello (1):


There must be something wrong with your configuration, it's trying to connect using SSLv3. Are you absolutely sure your ports are forwarded to that device? Can you see connection attempts on the device?
What TLS certificate is returned if you connect via AirDDNS? A quick search returned something like this could help:
openssl s_client -showcerts -connect your.website:443|openssl x509 -text|grep -A2 validity
Can you make sure you get the same output on both a local and remote attempt?

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Hello,
through AirDDNS I get:
connect: Connection refused
connect:errno=111
unable to load certificate
3069650128:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

in my LAN I get:
depth=0 C = AT, O = xxx, CN = xxx
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AT, O = xxx, CN = xxx
verify return:1

Could this be the problem? I created a certificate myself. I wouldn't have any problems with a warning that it is no trusted certificate...

Thank You.

Share this post


Link to post
@paladinair

A couple of ideas coming to mind:

1) You run some curl version linked to a library that does not support the underlying cipher that your server proposes

2) You run some curl version linked to a library that does not support the TLS protocol required by your server (example: your server requires TLS 1.x and curl does not support it)

Kind regards
 

Share this post


Link to post

Thanks for the help. I only use curl for testing (see first posts). I want to connect (with Chrome or Firefox) through Airddns portforwarding to an https - web ui.
The web ui works fine with https from local lan and airvpn reports the forwarded port as open. But when I try to open the web ui through airddns, I get the above errors. I think it has something to do with my router. I use a ubiquiti edgerouter x with openvpn and a portforwarding (destination NAT) to my host for the web ui.
Thank You

Share this post


Link to post

Hello!

A few router web servers, by default settings, only accept connections from IP addresses in the LAN for security reasons. That would explain why you get error 111 (connection refused) and the other SSL related issue only when the connection comes from the outside. Checking the router web server configuration is worthwhile.

Kind regards
 

Share this post


Link to post

It works now. I've forgotten to set a firewall rule on the router allowing this port. It's strange that the port was seen open at all.
Thank You for Your help.

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...