incorrect https

Maxim Dounin mdounin at
Sat Jul 4 05:48:22 UTC 2015


On Thu, Jun 25, 2015 at 06:16:42PM +0900, Edho Arief wrote:

> I noticed that has https/SNI configured for the host
> but no actual ssl configuration (how do you even do that):

The domain isn't available via https.

The IP address maps to does have other sites 
answering on https/SNI though, and to avoid sending invalid 
certificate the "ssl_ciphers aNULL;" is used in the default server 
configuration.  This is what causes the message you see.

> $ openssl s_client -connect -servername
> CONNECTED(00000003)
> 140010415498912:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:770:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 318 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---


You can use something like

$ openssl s_client -connect -servername -cipher aNULL

to establish a connection.  (Requests won't work though, as the 
same server also have "return 444;" in the configuration.)

> Relevant (which is how I noticed it in the first place):

When people try to use something they weren't asked to, it 
strikes back.

Maxim Dounin

More information about the nginx mailing list