Site scans failing due to SSL error

  • Since a few weeks the site scan doesn’t work for multiple sites I’m managing. The error code looks like this:

    id               => 96063
    module           => site-scanner
    type             => warning
    code             => scan-failure-client-error
    timestamp        => 2024-07-25 06:12:45
    init_timestamp   => 2024-07-25 06:12:44
    remote_ip        => ******
    user_id          => [empty string]
    url              => wp-cron
    memory_current   => 42587520
    memory_peak      => 42682536
    data             => Array
        results   => Object WP_Error
            errors       => Array
                http_request_failed   => Array
                    0   => cURL error 56: OpenSSL SSL_read: OpenSSL/3.0.14: error:0A0003FC:SSL routines::sslv3 alert bad record mac, errno 0
            error_data   => Array
                http_request_failed   => Array
                    url   => https://www.example.com
        cached    => [boolean] false

    How can I solve this?

Viewing 15 replies - 1 through 15 (of 15 total)
  • Thread Starter Profi Software Service

    (@jrunkel)

    PS: I’m using the latest version 9.3.3 of Solid Security on all these sites.

    Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @jrunkel, glad you reached out!

    That error looks to be coming from the site/server itself, and there are several reasons why this cURL error 56 is occurring, but most cases, it can be due to the ff:

    • a network issue during SSL/TLS handshake
    • SSL certificate issue
    • server-side restrictions for particular requests such as POST or PUT

    I’d suggest checking in with your host if there’s an issue with the site’s SSL certificate and possibly re-installing it, as well as looking into server settings that can interfere with SSL/TLS connections. The server logs can help provide more clues here, so please check there, too. Lastly,?make sure?your server?allows?all the REST HTTP methods that Solid Security requires:?GET,?POST,?PUT,?PATCH,?DELETE, and?OPTIONS.?

    Please let us know what you can find!

    Thread Starter Profi Software Service

    (@jrunkel)

    Hi @shanedelierrr, thanks for your reply!

    this problem occurs on 6 websites that I manage. They are all hosted at Strato (https://www.strato.de/) which is a mainstream hoster.

    I’m checking SSL certificates regularly, they are all fine.

    I don’t see any related errors in the error logs.

    Concerning the request methods I’ve send test request to all domains and they returned status code 200 for all of these.

    Any clues? I can send you more details if needed on a non-public communication channel.

    Thread Starter Profi Software Service

    (@jrunkel)

    PS: In the Solid Security logs I also see many site check failures due to “Exceeded rate limit. Please wait XXX seconds.” Maybe this is related to it? Even after waiting more than these seconds the scans fail again with the rate limit error.

    Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @jrunkel, thanks for the update!

    The “Exceeded rate limit. Please wait XXX seconds.” error usually indicates that you’ve done too many attempts to scan the site in a row. Solid Security’s Site Scanner has a 10-minute rate limit. For the Basic version, it’s tied to your server’s IP address, so you may run into the rate limit more often if you have plenty of sites on the same server.?

    This error usually resolves after waiting for the specified time to pass, but if it continues, the next thing I would recommend is conducting a?conflict check. Try deactivating all plugins, switch to a default WP theme, and check if running a manual Site Scan is successful. Don’t forget to clear all sorts of caching when troubleshooting. If the manual scan is successful, reactivate the plugins one at a time to isolate the culprit.

    The other thing you can try would be to increase the server resources, as this issue had something to do with the server.

    Hope this helps, and please let me know if you find anything!

    Thread Starter Profi Software Service

    (@jrunkel)

    Hi @shanedelierrr,

    thanks for coming back to this. As for the rate limit I created a separate topic as I think this is a shared hosting issue:
    https://www.ads-software.com/support/topic/site-scans-failing-due-to-rate-limit/

    Can you please respond to the initial question that is the failing with the SSL error?

    Plugin Support chandelierrr

    (@shanedelierrr)

    @jrunkel for sure! I’ll paste my initial reply there.

    If the “cURL error” that was initially reported in this post is okay now, please mark this as “resolved”.

    Thank you!

    Thread Starter Profi Software Service

    (@jrunkel)

    Hi @shanedelierrr, thanks for replying. No, the initial SSL error is not resolved. I would be glad for help on this!

    Thread Starter Profi Software Service

    (@jrunkel)

    @shanedelierrr : My issue is still not resolved. Can you help?

    Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @jrunkel!

    Sorry for the slow turnaround here!

    I’ve reached out to our development team for insights regarding your issue, but it seems clear that the problem stems from the server itself and should be resolved there, given that it occurs on multiple sites hosted there.

    The issue is most likely the server’s failure to establish SSL/TLS connections/handshake, so while waiting for insights from our team, can you please check the following information with your hosting provider?

    • Check if the server is using modern and/or latest versions of SSL/TLS cipher suites
    • Review the current SSL/TLS settings for any mismatch or outdated protocols
    • Review the server/network logs for any signs of network interruptions during the site scan runs
    • Check for any server firewall setting that could be blocking Solid Security’s scans from running
    • Ensure the server allows all these REST HTTP methods: GET, POST, PUT, PATCH, DELETE, and OPTIONS
    • Try to whitelist Solid Security’s Site Scanner IP on the server: 207.246.255.60

    And depending on our team’s feedback, we may need additional info about your setup, so please provide the below:

    • Server
    • Site URL/s
    • WP version
    • PHP version
    • cURL version
    • Open SSL version

    Let us know what you can find!

    Thread Starter Profi Software Service

    (@jrunkel)

    Hi @shanedelierrr ,

    thanks for coming back to this. My homework is not easy, this is a shared hosting and I don’t have access to the server specs, neither does the first level support of Strato. Let’s try this:

    Software versions

    • Server: linux-gnu / x86_64 / Linux 4.18.0-553.el8_10.x86_64 #1 SMP
    • Site URL: https://profi-software-service.de
    • WP version: 6.6.1
    • PHP version: 8.2.22
    • cURL version:
      • curl 8.8.0 (x86_64-pc-linux-gnu) libcurl/8.8.0 OpenSSL/3.0.14 zlib/1.2.13 libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.62.1
      • Release-Date: 2024-05-22
      • Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
      • Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP UnixSockets
    • OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)

    SSL ciphers (openssl ciphers -v)

    TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
    TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
    ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
    DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256)            Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH     Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-RSA-CHACHA20-POLY1305      TLSv1.2 Kx=DH       Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128)            Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(128)            Mac=AEAD
    DHE-RSA-AES128-GCM-SHA256      TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(128)            Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384      TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)               Mac=SHA384
    ECDHE-RSA-AES256-SHA384        TLSv1.2 Kx=ECDH     Au=RSA   Enc=AES(256)               Mac=SHA384
    DHE-RSA-AES256-SHA256          TLSv1.2 Kx=DH       Au=RSA   Enc=AES(256)               Mac=SHA256
    ECDHE-ECDSA-AES128-SHA256      TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)               Mac=SHA256
    ECDHE-RSA-AES128-SHA256        TLSv1.2 Kx=ECDH     Au=RSA   Enc=AES(128)               Mac=SHA256
    DHE-RSA-AES128-SHA256          TLSv1.2 Kx=DH       Au=RSA   Enc=AES(128)               Mac=SHA256
    ECDHE-ECDSA-AES256-SHA         TLSv1   Kx=ECDH     Au=ECDSA Enc=AES(256)               Mac=SHA1
    ECDHE-RSA-AES256-SHA           TLSv1   Kx=ECDH     Au=RSA   Enc=AES(256)               Mac=SHA1
    DHE-RSA-AES256-SHA             SSLv3   Kx=DH       Au=RSA   Enc=AES(256)               Mac=SHA1
    ECDHE-ECDSA-AES128-SHA         TLSv1   Kx=ECDH     Au=ECDSA Enc=AES(128)               Mac=SHA1
    ECDHE-RSA-AES128-SHA           TLSv1   Kx=ECDH     Au=RSA   Enc=AES(128)               Mac=SHA1
    DHE-RSA-AES128-SHA             SSLv3   Kx=DH       Au=RSA   Enc=AES(128)               Mac=SHA1
    RSA-PSK-AES256-GCM-SHA384      TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=AESGCM(256)            Mac=AEAD
    DHE-PSK-AES256-GCM-SHA384      TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=AESGCM(256)            Mac=AEAD
    RSA-PSK-CHACHA20-POLY1305      TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-PSK-CHACHA20-POLY1305      TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-PSK-CHACHA20-POLY1305    TLSv1.2 Kx=ECDHEPSK Au=PSK   Enc=CHACHA20/POLY1305(256) Mac=AEAD
    AES256-GCM-SHA384              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256)            Mac=AEAD
    PSK-AES256-GCM-SHA384          TLSv1.2 Kx=PSK      Au=PSK   Enc=AESGCM(256)            Mac=AEAD
    PSK-CHACHA20-POLY1305          TLSv1.2 Kx=PSK      Au=PSK   Enc=CHACHA20/POLY1305(256) Mac=AEAD
    RSA-PSK-AES128-GCM-SHA256      TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=AESGCM(128)            Mac=AEAD
    DHE-PSK-AES128-GCM-SHA256      TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=AESGCM(128)            Mac=AEAD
    AES128-GCM-SHA256              TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(128)            Mac=AEAD
    PSK-AES128-GCM-SHA256          TLSv1.2 Kx=PSK      Au=PSK   Enc=AESGCM(128)            Mac=AEAD
    AES256-SHA256                  TLSv1.2 Kx=RSA      Au=RSA   Enc=AES(256)               Mac=SHA256
    AES128-SHA256                  TLSv1.2 Kx=RSA      Au=RSA   Enc=AES(128)               Mac=SHA256
    ECDHE-PSK-AES256-CBC-SHA384    TLSv1   Kx=ECDHEPSK Au=PSK   Enc=AES(256)               Mac=SHA384
    ECDHE-PSK-AES256-CBC-SHA       TLSv1   Kx=ECDHEPSK Au=PSK   Enc=AES(256)               Mac=SHA1
    SRP-RSA-AES-256-CBC-SHA        SSLv3   Kx=SRP      Au=RSA   Enc=AES(256)               Mac=SHA1
    SRP-AES-256-CBC-SHA            SSLv3   Kx=SRP      Au=SRP   Enc=AES(256)               Mac=SHA1
    RSA-PSK-AES256-CBC-SHA384      TLSv1   Kx=RSAPSK   Au=RSA   Enc=AES(256)               Mac=SHA384
    DHE-PSK-AES256-CBC-SHA384      TLSv1   Kx=DHEPSK   Au=PSK   Enc=AES(256)               Mac=SHA384
    RSA-PSK-AES256-CBC-SHA         SSLv3   Kx=RSAPSK   Au=RSA   Enc=AES(256)               Mac=SHA1
    DHE-PSK-AES256-CBC-SHA         SSLv3   Kx=DHEPSK   Au=PSK   Enc=AES(256)               Mac=SHA1
    AES256-SHA                     SSLv3   Kx=RSA      Au=RSA   Enc=AES(256)               Mac=SHA1
    PSK-AES256-CBC-SHA384          TLSv1   Kx=PSK      Au=PSK   Enc=AES(256)               Mac=SHA384
    PSK-AES256-CBC-SHA             SSLv3   Kx=PSK      Au=PSK   Enc=AES(256)               Mac=SHA1
    ECDHE-PSK-AES128-CBC-SHA256    TLSv1   Kx=ECDHEPSK Au=PSK   Enc=AES(128)               Mac=SHA256
    ECDHE-PSK-AES128-CBC-SHA       TLSv1   Kx=ECDHEPSK Au=PSK   Enc=AES(128)               Mac=SHA1
    SRP-RSA-AES-128-CBC-SHA        SSLv3   Kx=SRP      Au=RSA   Enc=AES(128)               Mac=SHA1
    SRP-AES-128-CBC-SHA            SSLv3   Kx=SRP      Au=SRP   Enc=AES(128)               Mac=SHA1
    RSA-PSK-AES128-CBC-SHA256      TLSv1   Kx=RSAPSK   Au=RSA   Enc=AES(128)               Mac=SHA256
    DHE-PSK-AES128-CBC-SHA256      TLSv1   Kx=DHEPSK   Au=PSK   Enc=AES(128)               Mac=SHA256
    RSA-PSK-AES128-CBC-SHA         SSLv3   Kx=RSAPSK   Au=RSA   Enc=AES(128)               Mac=SHA1
    DHE-PSK-AES128-CBC-SHA         SSLv3   Kx=DHEPSK   Au=PSK   Enc=AES(128)               Mac=SHA1
    AES128-SHA                     SSLv3   Kx=RSA      Au=RSA   Enc=AES(128)               Mac=SHA1
    PSK-AES128-CBC-SHA256          TLSv1   Kx=PSK      Au=PSK   Enc=AES(128)               Mac=SHA256
    PSK-AES128-CBC-SHA             SSLv3   Kx=PSK      Au=PSK   Enc=AES(128)               Mac=SHA1

      HTTP request methods

      All HTTP methods are allowed (ingoing and outgoing).

      Website

      My website is profi-software-service.de. The last failure due to SSL was on 2024-08-26 12:15:50 GMT.

      Please let me know if you need more information.

      Thread Starter Profi Software Service

      (@jrunkel)

      (For the sake of completeness: the last successful site scan was on 2024-08-21 18:40:27, but before that there were already many failed attempts. Beside of that I frequently get the rate limit errors as written in the other forum post.)

      Plugin Support chandelierrr

      (@shanedelierrr)

      Hi @jrunkel, I really appreciate the effort in getting these details to us!

      I have added this to the internal report for our team to review. Please note that we’re also working updating the Site Scanner server’s OpenSSL version which hopefully, can resolve the cURL error 56 you’re experiencing. I’ll circle back here when I have news on the update implementation.

      Thank you!

      Thread Starter Profi Software Service

      (@jrunkel)

      Thanks for your reply.

      I’m sorry to tell, but unfortunately I can’t wait that long for the site scans to work again. I’ll need my customers websites to be regularly scanned. So I just switched to another security plugin.

      I have a similar issue and host at Strato as well.

      Array

      code => http_request_failed

      data => Array

      url => https://ovvio.info

      PS: I must say that I force http requests to https.

    Viewing 15 replies - 1 through 15 (of 15 total)
    • You must be logged in to reply to this topic.