Problem with SSL handshake
Maxim Dounin
mdounin at mdounin.ru
Wed Aug 17 23:12:34 UTC 2016
Hello!
On Wed, Aug 17, 2016 at 12:05:24PM +0000, Mik J wrote:
> nginx version: 1.6.2
> Hello,
> The client and Nginx server seem to have problem to establish a SSL connection. In the logs I have this[crit] 18386#0: *1 SSL_do_handshake() failed (SSL: error:14094456:SSL routines:SSL3_READ_BYTES:tlsv1 unsupported extension:SSL alert number 110) whle SSL handshaking, client: @IP_client, server: 0.0.0.0:443I have searched this message on google but couldn't see anything that would help
> My vhost configurationserver {
> listen 80;
> listen 443 ssl; server_name www.example.org;
> ... ssl on;
Note: such a configuration is invalid and will try to negotiate
SSL on the port 80. You should remove "ssl on", just "listen ...
ssl" on appropriate sockets is enough. See
http://nginx.org/en/docs/http/configuring_https_servers.html for
details.
> ssl_certificate /etc/ssl/certs/cert.crt;
> ssl_certificate_key /etc/ssl/private/key.key; ssl_session_cache shared:SSL:10m;}
> Do you know what could be wrong and where should I dig to solve this problem.
The message suggests that the client aborted the connection. The
reason claimed is defined as follows,
https://tools.ietf.org/html/rfc5246#section-7.2.2:
unsupported_extension
sent by clients that receive an extended server hello containing
an extension that they did not put in the corresponding client
hello. This message is always fatal.
You may try looking at the handshake using Wireshark to see if
it's indeed what happens. You may also try looking for additional
information on the client side.
Quick search suggests such errors previously appeared due to bugs
in OpenSSL beta versions, see, e.g., here:
http://openssl.6102.n7.nabble.com/1-0-1beta1-incompatibility-with-gnutls-td8366.html
If you are using some attic version of OpenSSL (much like the
version of nginx you are using), it may be a good idea to check if
an upgrade fixes things.
This also can be a bug in the client. In this case, probably
disabling TLS via ssl_protocols is the only option if you want to
support the client, though it's not a solution to be used
nowadays.
--
Maxim Dounin
http://nginx.org/
More information about the nginx
mailing list