curl "Connection refused" caused by SSL config
Fry-kun
nginx-forum at nginx.us
Thu Mar 5 01:10:28 UTC 2015
Hi all,
I have a strange problem with nginx:
I tried to harden the TLS stack by setting default to recommended values
from https://wiki.mozilla.org/Security/Server_Side_TLS but one server has to
keep backward compatibility -- so I set it up as
http {
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ...
    ssl_prefer_server_ciphers on;
    server {
        listen 443 spdy;
        server_name .foo.com bar.foo.com;
    }
    server {
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ...
        ssl_prefer_server_ciphers on;
        listen 443 spdy;
        server_name foobar.foo.com;
    }
}
The problem is that foobar.foo.com starts freezing up randomly after a few
seconds -- though sometimes it comes back for a short while.
curl from outside reports the error as "connection refused"; using curl
localhost:443 responds properly with "* SSL: no alternative certificate
subject name matches target host name 'localhost'"
CPU usage is not much different from older config; there are no obvious
errors in error_log.
The problem goes away if the http-level ssl config is commented out (ssl_protocols,
especially). I think that indicates this config is not properly parsed at
the "server" level (does not override the http level?)
It seems that I can use the http-level config inside the .foo.com server config
without interfering, but I'd like it to be the config default instead.
Other notes: the 2 nginx hosts in question are behind a hardware load balancer.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257064,257064#msg-257064