Sibaprasad Maiti
Sibaprasad Maiti

Reputation: 557

TLS handshake error from xx.xx.xx.xx:14333: EOF

I am running a HTTPS server in Linux (RHEL 7). I am getting the below error as soon as I start the server.

2019/09/04 15:46:16 http: TLS handshake error from xx.xx.xx.xx:60206: EOF
2019/09/04 15:46:21 http: TLS handshake error from xx.xx.xx.xx:31824: EOF

This error is coming automatically and continuously in the terminal. Below is the go code for creating https server -

package main

import (
    "fmt"
    "net/http"

    "github.com/gin-gonic/gin"
)

func main() {
    fmt.Println("Starting webserver")

    router := gin.Default()
    router.GET("/", func(c *gin.Context) {
        c.JSON(http.StatusOK, gin.H{
            "success": true,
        })
    })

    router.RunTLS(":9001", "server.pem", "server.key")
}

We have purchased and combined the server certificate, intermidate certificate and root certificate into a single file to make the server.pem file.

As this error is coming continuously and in the terminal as soon as I start the server, I think there is some configuration problem in the VM?

Please suggest what are the things I can check here.

NOTE: This error is specific to the Go. I have tested on the same server on the same port with same certificates in Node JS. And it works fine. Also the IP in the error message is of the reverse proxy server (WAF) which is continuosly doing health monitoring of the web application server.

Upvotes: 2

Views: 9380

Answers (1)

kostix
kostix

Reputation: 55553

I would attack the problem from two angles:

  1. What is this xx.xx.xx.xx address? I'd expect that when I start some random piece of software, there is nothing to connect to it all by itself, right?

  2. Is there anything special about that 9001 port? Try running nc -l -p 9001 and see whether those unidentified connections happen as well.

    Run tcpdump and see whether there is any incoming traffic from the clients making those connections: those EOFs (that's "end of file") reported by the TLS mchinery most probably mean those clients—whatever they are—close their side of the connection somewhere amidst the TLS handshake—while the server is expecting to read some data from them. This hints at that those clients do not actually expect to see TLS protocol in the connection they open; and they pretty much may send some plaintext in it, so you'll be able to peek at it.

  3. Googling for "9001 port" hints at that it's used for some "ETL service manager" protocol—whatever it is. This hints at that traffic on 9001 might be related to VoIP.

    I have no idea what to do with this, but it might give you some lead for further research.

Upvotes: 2

Related Questions