<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1471462665281_68369">Thank you, Maxim, for your answer.<br></div><div id="yui_3_16_0_ym19_1_1471462665281_68284">You are right, I should start by upgrading to a more recent version. This machine is a Debian machine and pointed to its release source list. Next I'll do captures. I'll also correct my configuration.<br></div><div id="yui_3_16_0_ym19_1_1471462665281_68375">Poka<br></div><div id="yui_3_16_0_ym19_1_1471462665281_68261"><span></span></div> <div class="qtdSeparateBR"><br><br></div><div style="display: block;" class="yahoo_quoted"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font face="Arial" size="2"> On Thursday, 18 August 2016 at 1:12, Maxim Dounin <mdounin@mdounin.ru> wrote:<br></font></div> <blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; margin-top: 5px; padding-left: 5px;"> <br><br> <div class="y_msg_container">Hello!<br clear="none"><br clear="none">On Wed, Aug 17, 2016 at 12:05:24PM +0000, Mik J wrote:<br clear="none"><br clear="none">> nginx version: 1.6.2<br clear="none">> Hello,<br clear="none">> The client and Nginx server seem to have a problem establishing an SSL connection. 
In the logs I have this<br clear="none">> [crit] 18386#0: *1 SSL_do_handshake() failed (SSL: error:14094456:SSL routines:SSL3_READ_BYTES:tlsv1 unsupported extension:SSL alert number 110) while SSL handshaking, client: @IP_client, server: 0.0.0.0:443<br clear="none">> I have searched this message on Google but couldn't see anything that would help<br clear="none">> My vhost configuration<br clear="none">> server {<br clear="none">> listen 80;<br clear="none">> listen 443 ssl;<br clear="none">> server_name www.example.org;<br clear="none">> ...<br clear="none">> ssl on;<br clear="none"><br clear="none">Note: such a configuration is invalid and will try to negotiate <br clear="none">SSL on the port 80. You should remove "ssl on", just "listen ... <br clear="none">ssl" on appropriate sockets is enough. See <br clear="none"><a shape="rect" href="http://nginx.org/en/docs/http/configuring_https_servers.html" target="_blank">http://nginx.org/en/docs/http/configuring_https_servers.html </a>for <br clear="none">details.<br clear="none"><br clear="none">> ssl_certificate /etc/ssl/certs/cert.crt;<br clear="none">> ssl_certificate_key /etc/ssl/private/key.key;<br clear="none">> ssl_session_cache shared:SSL:10m;<br clear="none">> }<br clear="none">> Do you know what could be wrong and where I should dig to solve this problem?<br clear="none"><br clear="none">The message suggests that the client aborted the connection. The <br clear="none">reason claimed is defined as follows, <br clear="none">https://tools.ietf.org/html/rfc5246#section-7.2.2:<div class="yqt5742467458" id="yqtfd95454"><br clear="none"><br clear="none"> unsupported_extension</div><br clear="none"> sent by clients that receive an extended server hello containing<br clear="none"> an extension that they did not put in the corresponding client<br clear="none"> hello. This message is always fatal.<br clear="none"><br clear="none">You may try looking at the handshake using Wireshark to see if <br clear="none">it's indeed what happens. 
You may also try looking for additional <br clear="none">information on the client side.<br clear="none"><br clear="none">Quick search suggests such errors previously appeared due to bugs <br clear="none">in OpenSSL beta versions, see, e.g., here:<br clear="none"><br clear="none"><a shape="rect" href="http://openssl.6102.n7.nabble.com/1-0-1beta1-incompatibility-with-gnutls-td8366.html" target="_blank">http://openssl.6102.n7.nabble.com/1-0-1beta1-incompatibility-with-gnutls-td8366.html</a><br clear="none"><br clear="none">If you are using some attic version of OpenSSL (much like the <br clear="none">version of nginx you are using), it may be a good idea to check if <br clear="none">an upgrade fixes things.<br clear="none"><br clear="none">This also can be a bug in the client. In this case, probably <br clear="none">disabling TLS via ssl_protocols is the only option if you want to <br clear="none">support the client, though it's not a solution to be used <br clear="none">nowadays.<br clear="none"><br clear="none">-- <br clear="none">Maxim Dounin<br clear="none"><a shape="rect" href="http://nginx.org/" target="_blank">http://nginx.org/</a><br clear="none"><br clear="none">_______________________________________________<br clear="none">nginx mailing list<br clear="none"><a shape="rect" ymailto="mailto:nginx@nginx.org" href="mailto:nginx@nginx.org">nginx@nginx.org</a><br clear="none"><a shape="rect" href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br><br></div> </blockquote> </div> </div> </div></div></body></html>