Client can't negotiate with TLS 1.0 and 1.1
Fabiano Furtado Pessoa Coelho
fusca14 at gmail.com
Thu Aug 25 00:16:51 UTC 2022
Hi... same behavior! :(
secure.example.com = 10.0.0.1
insecure.example.com = 10.0.0.2
Using curl with "host" header:
$ curl -kv --tlsv1.0 --tls-max 1.1 -H 'host: insecure.example.com' https://10.0.0.2/
* Trying 10.0.0.2:443...
* Connected to 10.0.0.2 (10.0.0.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* TLSv1.1 (IN), TLS header, Unknown (21):
* TLSv1.1 (IN), TLS alert, internal error (592):
* error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
Using curl without "host" header:
$ curl -kv --tlsv1.0 --tls-max 1.1 https://10.0.0.2/
* Trying 10.0.0.2:443...
* Connected to 10.0.0.2 (10.0.0.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* TLSv1.1 (IN), TLS header, Unknown (21):
* TLSv1.1 (IN), TLS alert, internal error (592):
* error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
On Wed, Aug 24, 2022 at 5:45 PM Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> Hello!
>
> On Wed, Aug 24, 2022 at 05:22:10PM -0300, Fabiano Furtado Pessoa Coelho wrote:
>
> > I'm using NGINX 1.22.0 with OpenSSL 3.0.5 in a Linux x86_64 server
> > with one NIC and 2 IPs, with the following config:
[...]
> What's the IP address of "insecure.example.com" in your tests?
> What happens when you test with IP addresses you've configured,
> 10.0.0.1 and 10.0.0.2, rather than names?
>
> --
> Maxim Dounin
> http://mdounin.ru/