SSL Errors when using CloudFlare and NAT: ssl.SSLError: [SSL: BAD_KEY_SHARE] bad key share (_ssl.c:997)

froz
Newbie
Posts: 6
Joined: December 27th, 2010, 2:12 am

SSL Errors when using CloudFlare and NAT: ssl.SSLError: [SSL: BAD_KEY_SHARE] bad key share (_ssl.c:997)

Post by froz »

Howdy,
I've been playing around with this but can't seem to figure it out. My end goal is to only allow nzb sites to send NZBs to sab via nzb api key over ssl, and that seems to work fine, but I get a lot of errors about SSL handshakes. I've been getting this error for probably more than a year over all of the releases since. I get the error regardless of actually sending an api call, at regular intervals. The two today are exactly a half hour apart. If I go to my domain externally on that port, I receive the sab login page and a valid cloudflare cert and a happy security icon in chrome.

My setup is a docker container exposing port 9090 in sab config, with docker redirecting 2083 (a cloudflare accepted port) to 9090. I use pfsense to forward traffic from my 2083 to my docker host on 2083. My guess is that I probably don't have the sab certs applied, but I've played around with it and haven't figured it out yet. Cloudflare is fine with a self-signed cert on the host side as it provides the encryption.

Is there something simple I'm missing?

Thanks in advance

[27/Nov/2022:01:02:12] ENGINE Error in HTTPServer.serve
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/cheroot/server.py", line 1823, in serve
self._connections.run(self.expiration_interval)
File "/usr/lib/python3.10/site-packages/cheroot/connections.py", line 203, in run
self._run(expiration_interval)
File "/usr/lib/python3.10/site-packages/cheroot/connections.py", line 246, in _run
new_conn = self._from_server_socket(self.server.socket)
File "/usr/lib/python3.10/site-packages/cheroot/connections.py", line 300, in _from_server_socket
s, ssl_env = self.server.ssl_adapter.wrap(s)
File "/usr/lib/python3.10/site-packages/cheroot/ssl/builtin.py", line 277, in wrap
s = self.context.wrap_socket(
File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.10/ssl.py", line 1071, in _create
self.do_handshake()
File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: BAD_KEY_SHARE] bad key share (_ssl.c:997)
sander
Release Testers
Posts: 8811
Joined: January 22nd, 2008, 2:22 pm

Re: SSL Errors when using CloudFlare and NAT

Post by sander »

This can happen when ugly port scanners directly access your SAB over HTTPS. AFAIK they send malformed SSL traffic to SAB, which triggers those cherrypy SSL errors (which we can't catch in SAB). Annoying, but harmless.

As a forum admin, I can see the IP address from where you posted. Using https and port 2083 I could access your SAB's login page, which proves the above.

What can you do?
- make sure you have the newest python and newest cherrypy. That solves a part of the error messages. But you're probably restricted by what the docker image provides you?
- ignore it
- don't let indexers push the NZB to you, but let SAB pull them via RSS cart, and close your port
- use HTTP instead of HTTPS between cloudflare and you
- maybe, maybe: only accept the IP-ranges of cloudflare ... maybe define them as local in SABnzbd? Long shot. EDIT: I checked, and I don't think SAB can do this.
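As an added example (not code from the thread or from SABnzbd), the script below pulls the cheroot traceback format quoted above out of a SABnzbd log, counts the failed handshakes per OpenSSL reason, and flags the evenly spaced cadence froz noticed, which is what you would expect from automated scanning rather than from indexer API calls. The log lines it runs on are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in the format SABnzbd/cheroot writes on a failed TLS handshake
# (timestamp layout and error strings follow the traceback quoted in the thread).
SAMPLE_LOG = """\
[27/Nov/2022:01:02:12] ENGINE Error in HTTPServer.serve
Traceback (most recent call last):
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: BAD_KEY_SHARE] bad key share (_ssl.c:997)
[27/Nov/2022:01:32:12] ENGINE Error in HTTPServer.serve
Traceback (most recent call last):
ssl.SSLError: [SSL: BAD_KEY_SHARE] bad key share (_ssl.c:997)
[27/Nov/2022:02:02:12] ENGINE Error in HTTPServer.serve
Traceback (most recent call last):
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)
"""

ENGINE_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\] ENGINE Error in HTTPServer\.serve")
SSLERR_RE = re.compile(r"^ssl\.SSLError: \[SSL: ([A-Z_]+)\]")

def parse_handshake_errors(log_text):
    """Return (timestamp, openssl_reason) for each ENGINE error that ends in an ssl.SSLError."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = ENGINE_RE.match(line)
        if m:  # start of a new cheroot error; remember its timestamp until the SSLError line
            pending = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            continue
        m = SSLERR_RE.match(line)
        if m and pending is not None:
            events.append((pending, m.group(1)))
            pending = None
    return events

def intervals_seconds(events):
    """Gaps in seconds between successive failures, in time order."""
    times = sorted(t for t, _ in events)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def looks_periodic(events, tolerance=60):
    """True when the gaps are all within `tolerance` seconds of each other: a scanner on a schedule."""
    gaps = intervals_seconds(events)
    return len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance

def summarize(log_text):
    events = parse_handshake_errors(log_text)
    reasons = {}
    for _, reason in events:
        reasons[reason] = reasons.get(reason, 0) + 1
    return {"count": len(events), "reasons": reasons, "periodic": looks_periodic(events)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real SABnzbd log instead of SAMPLE_LOG to see whether the failures line up with your indexers' API calls or arrive on a fixed schedule of their own.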
froz
Newbie
Posts: 6
Joined: December 27th, 2010, 2:12 am

Re: SSL Errors when using CloudFlare and NAT: ssl.SSLError: [SSL: BAD_KEY_SHARE] bad key share (_ssl.c:997)

Post by froz »

Thanks for the deep dive Sander. So in your opinion it’s not just a cert mismatch config?

I might be able to filter traffic upstream somehow without paying an arm or a leg. It’s curious that the time stamps are so regular, though I guess that could mean automated scans too.

The cart idea is probably the simplest. I have no automation upstream, I just never looked into it, and those ports are a pretty finite resource.

Thanks much!