# Invalid method in request \x16\x03



## joint (Jan 23, 2010)

Does anybody may know something about those lines that appears every day during the same hour the in apache22 httpd-error.log:

```
[error] [client 194.72.238.62] Invalid method in request \x16\x03
```
?


----------



## DutchDaemon (Jan 23, 2010)

That client is apparently trying to speak SSL to a non-SSL server (an https connection on an http server/port).


----------



## joint (Jan 24, 2010)

Ok, Thank you for your reply.
I've got the SSL running at 443 port with self_signed certificate.
Is that mean that I've got something wrong in SSL_configuration and it is causing errors writing down those lines in http-error.log?


----------



## DutchDaemon (Jan 24, 2010)

To me it seems like someone is talking SSL to the wrong port (i.e. usually 80). The httpd-error.log logs regular web traffic (non-SSL port). I think SSL traffic usually gets logged to something like httpd-ssl_request.log.


----------



## joint (Jan 24, 2010)

Ok, here are couple lines from httpd-ssl_request.log where 'xx.xx.xxx.xxx' are hidden IPs:

```
[24/Jan/2010:02:26:49 +0100] xx.xx.xxx.xxx TLSv1 AES128-SHA "POST /manager/ispmgr HTTP/1.1" 249
[24/Jan/2010:02:26:50 +0100] xx.xx.xxx.xxx TLSv1 AES128-SHA "GET /manager/ispmgr?func=cron HTTP/1.1" 2480
[24/Jan/2010:02:53:43 +0100] xx.xx.xxx.xxx TLSv1 AES128-SHA "GET /manager/ispmgr?func=user HTTP/1.1" 6507
[24/Jan/2010:03:00:25 +0100] xx.xx.xxx.xxx TLSv1 AES128-SHA "GET /manager/ispmgr?func=keepalive HTTP/1.1" 53
```
Those strings creates web_server_control panel that runs as https://TLD-name_or_IP/manager
Is these lines are not errors? - I hope no.
Also, I've tried to match the time stamps for those errors between httpd-error.log and httpd-ssl_request.log - the score is:
There are not matching at all, i.e. when I see error in httpd-error.log -- there are no even close lines written in httpd-ssl_request.log.
Is it sounds strange to you?


----------



## DutchDaemon (Jan 24, 2010)

Someone will not connect to port 80 (non-SSL) and 443 (SSL) at the same time, so it's unlikely you'll see timestamp matches. Like I said: someone tried to speak SSL to the non-SSL port. Don't know why, and if the IP address doesn't mean anything to you, it's just an error, a portscan or an intrusion attempt. If your http and https sites work, all's well.


----------



## monicca (Nov 1, 2010)

*Invalid method in request \x16\x03 on http server*

I am also having the same problem:


```
[Mon Nov 01 08:36:21 2010] [error] [client 10.1.23.76] Invalid method in request \x16\x03
```

I tried everything that was mentioned but cannot get the error to go away. Anyone with a different solution?


----------



## SirDice (Nov 1, 2010)

You can't remove the 'error'. It's somebody that visits your site that does that.


----------



## jalla (Nov 1, 2010)

SirDice said:
			
		

> You can't remove the 'error'. It's somebody that visits your site that does that.



Or maybe you can. The client looks like it might be internal to your network (10.1.23.76)


----------



## monicca (Nov 2, 2010)

Yes, the client is internal to our network.

I removed the client's IP from the configs, tested SSL and the servers are connected to both port 80 and 443. Rebooted the server but I still get the error.


----------



## SirDice (Nov 2, 2010)

It's the client that's sending them. You should focus on that instead of the server.


----------

