Get SSL error SSL_ERROR_RX_RECORD_TOO_LONG in server side

1
votes

I have written my own webserver in C#.

And I always established SSL certificates for my sites in new IP on port 443. And always it works fine.

But this time I get this error:

Secure Connection Failed

An error occurred during a connection to www.sayehrooshan-co.com. SSL received a record that exceeded the maximum permissible length. Error code:

SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

this is page address:

https://www.sayehrooshan-co.com

this is my code always worked with .pfx file for other sites:

sslstream = new SslStream(new NetworkStream(mySocket, false), false);
//commented for nedaye arzhang
X509Certificate2 serverCertificate = new X509Certificate2(Path, Password);
//X509Certificate2 serverCertificate = new X509Certificate2("www_nedaye-arzhang_com.cer");                           

sslstream.AuthenticateAsServer(serverCertificate, false, System.Security.Authentication.SslProtocols.Tls, true);

searched alot but didn't get any solution Anyone get any idea?

3
c#sslssl-certificate

3 Answers

4
votes

The server is broken. Trying with openssl s_client shows that the TLS handshake is done successfully and the certificate is fine, but that it breaks later in the communication:

$ openssl s_client -connect www.sayehrooshan-co.com:443 -servername www.sayehrooshan-co.com -crlf
CONNECTED(00000003)
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    ...
    Verify return code: 0 (ok)
---
GET / HTTP/1.1
Host: www.sayehrooshan-co.com

140040623380160:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:

Doing a packet capture during the experiment one can see that the server sends plain text on the TLS connection:

> various TLS encrypted stuff from client (likely HTTP request) ....
< followed by sudden plain text from the server:
   Cannot find table 0.

   at System.Data.DataTableCollection.get_Item(Int32 index)
   at MyWebServerNamespace.MyWebServer.SetTableRowValue(DataSet& ds, String type, String name, String value) in D:\iteration source - table 13 removed\MyWebServer\MyWebServer.cs:line 4024
   at MyWebServerNamespace.MyWebServer.LoadCmsValues(Content cms, Ssl sslClass, DataSet& Ds, DataTable& fileDt, Socket& mySocket, Byte[]& contentBytes, Boolean& showCmsError) in D:\iteration source - table 13 removed\MyWebServer\MyWebServer.cs:line 1761
   at MyWebServerNamespace.MyWebServer.HandleTcpRequest(Object state) in D:\iteration source - table 13 removed\MyWebServer\MyWebServer.cs:line 1027
LoadCmsValues enter

The client will try to interpret this plain text message as a TLS record. This means it will parse the initial bytes and extract the TLS protocol version and payload length. Given that this is no TLS record at all these values will be garbage. Depending on the actual implementation of the TLS stack in the client this will then result in error messages like "wrong version number" (the claimed TLS protocol version is not supported) or "SSL_ERROR_RX_RECORD_TOO_LONG" (the length of the payload as specified is not the actual length of the payload) or the more general "ERR_SSL_PROTOCOL_ERROR" or similar.

0
votes

It is not just C#, Firefox shows the same error message.

"Error code: ssl_error_rx_record_too_long. This usually means the implementation of SSL on your server is not correct. The error is usually caused by a server side problem which the server administrator will need to investigate."

Source

Another page discussing this issue

Firefox:

enter image description here

Chrome

enter image description here

IE

enter image description here

0
votes

Grasshopper has same problem possibly because of two routers and dns bind being installed on one ip address and ssl mod the other. The fact that Apache2 status is up and running like a charm tells me that it’s an install/ops error. Tomorrow is another day.