nginx 1.17.3 and TLSv1.3

Maxim Dounin mdounin at
Fri Aug 16 18:32:40 UTC 2019


On Fri, Aug 16, 2019 at 02:15:22PM -0400, benztoy wrote:

> I want to run two nginx services on one host. They are nginxA and nginxB.
> nginxA listens on port 443 (https). Only the TLSv1.3 protocol is available.
> The configuration file is as follows:


>     server {
>         listen 443 ssl;
>         server_name localhost;
>         ssl_certificate cert.pem;
>         ssl_certificate_key cert.key;
>         ssl_session_cache shared:SSL:1m;
>         ssl_session_timeout 5m;
>         ssl_protocols TLSv1.3;

So only TLSv1.3 is enabled on the 443 port.


>         location / {
>             proxy_pass;
>             proxy_ssl_session_reuse off;
>         }

And no proxy_ssl_protocols set for proxying, so it only has TLSv1, 
TLSv1.1, and TLSv1.2 enabled by default.


> But when I visit
> it returns 502 Bad Gateway.
> Among them, the nginx serving port 444 has this in its error.log:
> SSL_do_handshake() failed (SSL: error:1409442E:SSL
> routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70)
> while SSL handshaking to upstream, client:, server: localhost,
> request: "GET / HTTP/1.1 ", upstream: "", host:
> ""
> Dear friends, what is the reason for this?
> The SSL protocol version of my first service, nginxA, must be TLSv1.3 only. There
> is no other lower version. Can I successfully access
> by modifying the nginxA or nginxB configuration file?

The problem is that you are trying to connect to a TLSv1.3-only 
port using a proxy that is not configured to use TLSv1.3.  You have 
to enable TLSv1.3 in your proxy configuration; something like:

    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

should work.  See for 
additional details.

Maxim Dounin
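A complete two-instance configuration showing the failing default next to the fix, as an added example that is not part of this thread. It assumes nginxB listens on port 444 and proxies to nginxA at 127.0.0.1:443; all certificate and CA bundle paths are placeholders.

```nginx
# Added example, not from the original thread. Assumes nginxA on 127.0.0.1:443
# and nginxB on 444 proxying to it; certificate paths are placeholders.

# --- nginxA: the TLSv1.3-only upstream (the poster's server block, cleaned up) ---
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate     /etc/nginx/certs/nginxA.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/nginxA.key;   # placeholder path
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols       TLSv1.3;   # no older protocol version is accepted here
}

# --- nginxB: the proxy on port 444 ---
server {
    listen 444 ssl;
    server_name localhost;
    ssl_certificate     /etc/nginx/certs/nginxB.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/nginxB.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;   # client-facing side; irrelevant to the upstream hop

    location / {
        proxy_pass https://127.0.0.1:443;

        # Broken: relying on the nginx 1.17.3 default, which is equivalent to
        #   proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # nginxA rejects that handshake with alert 70 (protocol_version) and
        # nginxB answers the client with 502.

        # Fixed: offer TLSv1.3 to the upstream. Listing only TLSv1.3 also
        # guarantees this hop can never be negotiated down to an older version.
        proxy_ssl_protocols TLSv1.3;

        # Verify the upstream certificate rather than accepting any certificate;
        # the trusted CA bundle path is a placeholder.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/ca.pem;
        proxy_ssl_server_name         on;
        proxy_ssl_name                localhost;

        proxy_ssl_session_reuse off;
    }
}
```

Pin proxy_ssl_protocols explicitly rather than relying on the default, since the default depends on the nginx version in use.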
