Nginx and SSL Version and DEBUG
SSL Support Version
Recently, our nginx get some exceptions as follow:
2018/06/22 14:38:38 [crit] 17#17: *127594 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 100.111.64.0, server: 0.0.0.0:443
2018/06/22 14:38:59 [warn] 16#16: *127645 using uninitialized "lambda_url" variable, client: 100.110.128.0, server: manage.xxxxxxx.com, request: "GET /api/getPairingCode?serialNumber=xxx&platform=xx_400&firmwareVersion=3.2.1.2088 HTTP/1.1", host: "manage.xxxxxxx.com"
We can easily reproduce that issue with these commands:
> openssl s_client -ssl3 -connect manage4.xxxxxx.com:443
CONNECTED(00000003)
140735735931848:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
140735735931848:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
> openssl s_client -ssl3 -connect manage.xxxxxx.com:443
CONNECTED(00000003)
140735735931848:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
140735735931848:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
From the google information, we can fix that by changing the configuration of NGINX, but it is not suggested.
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
How to Turn On DEBUG on NGINX
In the configuration nginx.conf
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log notice;
Need to change the notice to debug in error_log
In the start.sh, Instead of starting it with nginx command, we should use nginx-debug
nginx-debug -g "daemon off;"
#nginx -g "daemon off;"
References:
https://serverfault.com/questions/905011/nginx-ssl-do-handshake-failed-ssl-error1417d18cssl
https://community.letsencrypt.org/t/getting-ssl-do-handshake-error-version-too-low-despite-all-the-effort/58040
SSL Support Version
Recently, our nginx get some exceptions as follow:
2018/06/22 14:38:38 [crit] 17#17: *127594 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 100.111.64.0, server: 0.0.0.0:443
2018/06/22 14:38:59 [warn] 16#16: *127645 using uninitialized "lambda_url" variable, client: 100.110.128.0, server: manage.xxxxxxx.com, request: "GET /api/getPairingCode?serialNumber=xxx&platform=xx_400&firmwareVersion=3.2.1.2088 HTTP/1.1", host: "manage.xxxxxxx.com"
We can easily reproduce that issue with these commands:
> openssl s_client -ssl3 -connect manage4.xxxxxx.com:443
CONNECTED(00000003)
140735735931848:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
140735735931848:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
> openssl s_client -ssl3 -connect manage.xxxxxx.com:443
CONNECTED(00000003)
140735735931848:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
140735735931848:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
From the google information, we can fix that by changing the configuration of NGINX, but it is not suggested.
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
How to Turn On DEBUG on NGINX
In the configuration nginx.conf
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log notice;
Need to change the notice to debug in error_log
In the start.sh, Instead of starting it with nginx command, we should use nginx-debug
nginx-debug -g "daemon off;"
#nginx -g "daemon off;"
References:
https://serverfault.com/questions/905011/nginx-ssl-do-handshake-failed-ssl-error1417d18cssl
https://community.letsencrypt.org/t/getting-ssl-do-handshake-error-version-too-low-despite-all-the-effort/58040
扫一扫
2594
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
