after nginx is upgraded to 1.14, there is a strange phenomenon: after nginx restarts, the website can be opened, then the website cannot be opened for a while, and then the nginx, website can be accessed again, but after a while, it cannot be accessed again. It feels like it"s HTTPS"s problem, but the myssl test didn"t find anything wrong.
View error log:
SSL_do_handshake () failed (SSL: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol
I hope this article will help you
nginx as a forward proxy https encounters SSL_do_handshake () handshake failure
use wireshark to grab packets to find out the SSL protocol used by the client.
use openssl s_client-connect < host >: < port > < protocol > to check the server's protocols, such as tls1.1 , tls1.2 . For more information on the usage of
, please refer to man s_client .
you can also use nmap to scan all protocols supported by your own server ( Note: scanning its port without someone else's authorization may be against the law! ),
such as
nmap --script ssl-enum-ciphers -p 443 localhostthe result is similar to
Starting Nmap xx.xxx ( https://nmap.org ) at xxxx-xx-xx xx:xx
Nmap scan report for localhost (xx.xx.xx.xx)
Host is up (xx.xx latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.1:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
Nmap done: 1 IP address (1 host up) scanned in xx.xx seconds
it shows that the server supports tls1 , tls1.1 and tls1.2 protocols.
determines whether it is still a certificate problem, and there is no problem with the configuration. The final solution is to delete all the certificate files and apply again.
Hello, prawns! there are two services in my NGINX, which occupy port 8080 and port 8088 respectively. The services in nginx.conf are forwarded on different ports. The specific configuration is as follows: server { listen 80; lis...
here is my nginx configuration file ssl on; ssl_certificate 1_www.***.top_bundle; ssl_certificate_key 2_www.***.top.key; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!a...
nginx version 1.13.12 nginx s original ssl version configuration: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; then I changed it to this: ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; with myssl.com test, the protocol is still 1.01.1 and 1.2Jing 1.0 is not turn...