Openssl 1.1.1 + nginx 1.14.0: tls1.1 does not work

ingtar nginx-forum at forum.nginx.org
Tue Dec 11 13:43:16 UTC 2018


Good afternoon!
Could you please suggest a solution to the following problem:
openssl 1.1.1a is built from source, nginx 1.14.0 is built from source.
TLS 1.3 support and some ciphers for it are enabled in the config.
The ssl config is as follows:

ssl_session_timeout 10m;
ssl_session_cache shared:SSL:100m;

ssl_dhparam /etc/nginx/dhparam.2048.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

TLS 1.3 support works, clients connect. 1.2 works as well.

But 1.0 and 1.1 stopped working, with this error:

CONNECTED(00000003)
139733715125760:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1528:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 125 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1544535599
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
And correspondingly in the logs:
2018/12/11 15:57:15 [crit] 26894#0: *460747266 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 10.9.211.224, server: 0.0.0.0:443
2018/12/11 16:18:06 [crit] 26894#0: *460752738 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 10.9.211.224, server: 0.0.0.0:443
2018/12/11 16:21:55 [crit] 26894#0: *460753742 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 10.9.211.224, server: 0.0.0.0:443
2018/12/11 16:39:59 [crit] 26894#0: *460758488 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 185.89.12.132, server: 0.0.0.0:443


openssl shows tls1.1 support:

openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3

Please help.

Posted at Nginx Forum: https://forum.nginx.org/read.php?21,282343,282343#msg-282343

More information about the nginx-ru mailing list
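Added illustration, not part of the post above and not code from nginx or OpenSSL: the `SSL handshake has read 7 bytes` line in the s_client output is the size of a single TLS alert record (a 5-byte record header followed by a 2-byte alert body), and `SSL alert number 70` is the `protocol_version` alert in the TLS alert registry. The script below decodes such a record from a constructed byte string (the 7 bytes are an assumption built to match that description, not a capture from the poster's server) and also probes a host one protocol version at a time with Python's standard `ssl` module, which is the equivalent of running `openssl s_client -tls1`, `-tls1_1`, `-tls1_2` and `-tls1_3` in turn. The host name on the command line is whatever you pass; nothing is contacted at import time.

```python
"""Decode a TLS alert record and probe a server one TLS version at a time."""
import socket
import ssl
import struct
import sys

# Alert descriptions from RFC 5246 / RFC 8446 (subset that shows up in handshake failures).
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    47: "illegal_parameter",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
CONTENT_TYPE_ALERT = 21

# Constructed sample (assumption, not a capture): a fatal protocol_version alert
# in a record carrying version bytes 3.2, i.e. 5 header bytes + 2 alert bytes = 7 bytes.
SAMPLE_ALERT = bytes.fromhex("15 03 02 00 02 02 46")


def parse_alert_record(data: bytes) -> dict:
    """Parse one TLS record of content type 21 (alert) and name its level and description."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {content_type})")
    body = data[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, description = body
    return {
        "record_version": RECORD_VERSIONS.get((major, minor), f"{major}.{minor}"),
        "level": ALERT_LEVELS.get(level, str(level)),
        "description": description,
        "name": ALERT_DESCRIPTIONS.get(description, "unknown"),
        "total_bytes": 5 + length,  # what s_client reports as "handshake has read N bytes"
    }


# One probe per protocol version, pinned with minimum_version == maximum_version so the
# ClientHello offers exactly that version, like "openssl s_client -tls1_1".
PROBE_VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return {version_name: outcome} for each TLS version, without verifying the certificate."""
    results = {}
    for name, version in PROBE_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # we are testing protocol support, not trust
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            # The local OpenSSL security level may itself refuse TLS 1.0/1.1;
            # lower it so a rejection is attributable to the server, not the client.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except (ssl.SSLError, ValueError) as exc:
            results[name] = f"client cannot offer this version: {exc}"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = f"ok ({tls.version()}, {tls.cipher()[0]})"
        except ssl.SSLError as exc:
            results[name] = f"rejected: {exc.reason}"  # e.g. TLSV1_ALERT_PROTOCOL_VERSION
        except OSError as exc:
            results[name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    alert = parse_alert_record(SAMPLE_ALERT)
    print(f"sample alert: {alert['level']} {alert['name']} ({alert['description']}), "
          f"{alert['total_bytes']} bytes on the wire")
    if len(sys.argv) > 1:
        for version, outcome in probe_versions(sys.argv[1]).items():
            print(f"{version}: {outcome}")
```

Run it as `python3 probe.py your.host.example` and compare the four lines with what the server is configured for. A server that accepts 1.2 and 1.3 but answers 1.0 and 1.1 with `rejected: TLSV1_ALERT_PROTOCOL_VERSION` is behaving exactly as the s_client output above shows. Separately, the second column of `openssl ciphers -v` is the lowest protocol version each suite was defined for, and no cipher suite was introduced with TLS 1.1 (it reused the TLS 1.0 suites), so that column never prints `TLSv1.1` on any build and cannot be used to tell whether a library or server will negotiate TLS 1.1; a per-version handshake like the probe above is the check that answers that question.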