Some time ago I found out that my website was not available (`ERR_SSL_PROTOCOL_ERROR`) on some school network. It was surprising, but I just forgot about it because it was only occurring at this place.
Today I installed a new wifi in my house with a new ISP, and again, my website returns `ERR_SSL_PROTOCOL_ERROR`. When I switch to 4G, or any other network, it works.
Issue reproduced with different devices.
Other https websites work, only my website doesn't.
- Chrome returns `ERR_SSL_PROTOCOL_ERROR`
- Firefox returns `SSL_ERROR_RX_RECORD_TOO_LONG`
- Curl returns `SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number`
- openssl returns:

```
$ openssl s_client -connect my.domain:443
CONNECTED(00000005)
4377921132:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.240.1/libressl-2.6/ssl/ssl_pkt.c:386:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1571644864
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
```
This server only holds nginx which serves as a loadbalancer.
Here is the nginx config file:
```nginx
upstream app {
    server unix:/var/www/myproject.uwsgi.sock;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name {{ server_name }};
    charset utf-8;
    client_max_body_size 1G;

    ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    ##################################
    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now. You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ##################################

    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        include uwsgi_params;
        uwsgi_pass app;
    }
}

server {
    if ($host = {{ server_name }}) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name {{ server_name }};
    return 404; # managed by Certbot
}
```
Again, everything works on some networks, but it fails on some others. I have no idea what is causing the issue. How can I solve this?
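An added diagnostic, not part of the question above: openssl gave up after reading exactly 5 bytes, which is the size of one TLS record header, so looking at those first bytes from the failing network and from a working one shows whether port 443 is answering with a TLS record at all or with something else (such as plaintext HTTP). The `probe` helper name and the sample replies are my own, and the only real server it contacts is whichever host you pass in.

```python
import socket
import ssl

RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                0x16: "handshake", 0x17: "application_data"}

def classify_reply(header: bytes) -> str:
    """Classify the first 5 bytes a server sends after our ClientHello.
    A TLS record header is content_type(1) version(2) length(2): the 5 bytes
    openssl read before failing with "wrong version number"."""
    if len(header) < 5:
        return "short reply (%d bytes): connection closed or reset" % len(header)
    ctype, major, minor = header[0], header[1], header[2]
    length = int.from_bytes(header[3:5], "big")
    if ctype in RECORD_TYPES and major == 3 and minor <= 4:
        return "tls record: %s, version 3.%d, length %d" % (RECORD_TYPES[ctype], minor, length)
    if header[:5] in (b"HTTP/", b"<!DOC", b"<html"):
        return "not tls: plaintext HTTP on port 443 (something on the path answers in the clear)"
    return "not tls: unrecognised bytes %s" % header.hex()

def build_client_hello(server_name: str) -> bytes:
    """Emit a genuine ClientHello for server_name via ssl.MemoryBIO (no network)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()  # no server data yet, so this stops after writing the hello
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Hypothetical helper: send a ClientHello to host:port and classify the first
    5 reply bytes. Run it from the failing network and a working one, then compare."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        reply = b""
        while len(reply) < 5:
            chunk = sock.recv(5 - len(reply))
            if not chunk:
                break
            reply += chunk
    return classify_reply(reply)

# Constructed sample replies (not captured from the asker's server): a ServerHello
# record header, and the start of a plaintext HTTP response.
SAMPLE_TLS = bytes.fromhex("160303004a")
SAMPLE_PLAINTEXT = b"HTTP/1.1 200 OK\r\n"
```

If the failing network reports "not tls" while 4G reports a handshake record, the bytes are being produced by something between the client and nginx rather than by the server config shown above.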