I’ve got Let’s Encrypt set up on an Nginx server.
I’ve noticed a LOT of error log entries with the following information:
2018/04/05 09:54:36 [crit] 3166#3166: *16879 SSL_do_handshake() failed (SSL: error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding error:1408B010:SSL routines:ssl3_get_client_key_exchange:EC lib) while SSL handshaking, client: 210.55.186.173, server: 0.0.0.0:443
Obviously the client IP address varies, but the rest remains the same.
I saw mention of this here, but as this has nothing to do with an SSL Labs bot testing my SSL for issues, I suspect this might have another cause.
Can anyone suggest what might be the cause of this?
Here are my SSL-related settings in Nginx, in case they are relevant:
SSL specific settings
These are included in the site’s conf file
# Don't use outdated SSLv3 protocol. Protects against BEAST and POODLE attacks.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Use secure ciphers
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# Define the size of the SSL session cache in MBs.
ssl_session_cache shared:SSL:10m;
# Define how long to cache SSL sessions (1 hour here).
ssl_session_timeout 1h;
# Use HTTPS exclusively for 1 year, uncomment one. Second line applies to subdomains.
add_header Strict-Transport-Security "max-age=31536000;";
# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
SSL listen entry
From the site’s conf file, plus the certificate links (which work, as SSL works on the site without any obvious front-end issues):
server {
    # Ports to listen on, uncomment one.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ...
    # Paths to certificate files.
    ssl_certificate /etc/letsencrypt/live/SANITISED.com.au-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/SANITISED.com.au-0001/privkey.pem;
    ...
server {
    # Ports to listen on, uncomment one.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Server name to listen for
    server_name www.SANITISED.com.au;
    # Path to document root
    root /home/DOMAIN/sites/SANITISED.com.au/public;
    # Paths to certificate files.
    ssl_certificate /etc/SANITISED/live/SANITISED.com.au-0001/fullchain.pem;
    ssl_certificate_key /etc/SANITISED/live/SANITISED.com.au-0001/privkey.pem;
    # File to be used as index
    index index.php;
    # Overrides logs defined in nginx.conf, allows per site logs.
    access_log /home/SANITISED/sites/SANITISED.com.au/logs/access.log;
    error_log /home/SANITISED/sites/SANITISED.com.au/logs/error.log;
    # Default server block rules
    include global/server/defaults.conf;
    # Fastcgi cache rules
    include global/server/fastcgi-cache.conf;
    # SSL rules
    include global/server/ssl.conf;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        try_files $uri =404;
        include global/fastcgi-params.conf;
        # Use the php pool defined in the upstream variable.
        # See global/php-pool.conf for definition.
        fastcgi_pass $upstream;
        # Skip cache based on rules in global/server/fastcgi-cache.conf.
        fastcgi_cache_bypass $skip_cache;
        fastcgi_no_cache $skip_cache;
        # Define memory zone for caching. Should match key_zone in fastcgi_cache_path above.
        fastcgi_cache SANITISED.com.au;
        # Define caching time.
        fastcgi_cache_valid 60m;
    }
    # Rewrite robots.txt
    rewrite ^/robots.txt$ /index.php last;
}
# Redirect http to https
server {
    listen 80;
    listen [::]:80;
    server_name SANITISED.com.au www.SANITISED.com.au;
    return 301 https://www.SANITISED.com.au$request_uri;
}
# Redirect non-www to www
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name SANITISED.com.au;
    return 301 https://www.SANITISED.com.au$request_uri;
}
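A triage helper for exactly these log lines, added here as an example and not part of the question or of Nginx: it parses `SSL_do_handshake() failed` entries from the error log, splits the OpenSSL error queue into its individual entries, and groups failures by the innermost error and the set of distinct clients, so you can tell whether one reason is arriving from many unrelated addresses (typical of broken or probing clients) or from every client (which would point at the server side). The first sample line is the one quoted above; the other lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Sample error-log excerpt: line 1 is the entry from the question, the rest are
# constructed (documentation IP ranges) to show grouping and the skip of unrelated lines.
SAMPLE_LOG = """\
2018/04/05 09:54:36 [crit] 3166#3166: *16879 SSL_do_handshake() failed (SSL: error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding error:1408B010:SSL routines:ssl3_get_client_key_exchange:EC lib) while SSL handshaking, client: 210.55.186.173, server: 0.0.0.0:443
2018/04/05 09:55:02 [crit] 3166#3166: *16901 SSL_do_handshake() failed (SSL: error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding error:1408B010:SSL routines:ssl3_get_client_key_exchange:EC lib) while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443
2018/04/05 09:56:10 [info] 3166#3166: *16950 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking, client: 198.51.100.22, server: 0.0.0.0:443
2018/04/05 09:57:41 [error] 3166#3166: *16977 open() "/var/www/missing" failed (2: No such file or directory), client: 198.51.100.23, server: www.example.com
"""

# One nginx handshake-failure line: timestamp, level, the OpenSSL error text inside
# the parentheses, the peer address and the listening socket.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed "
    r"\(SSL: (?P<errs>.*)\) while SSL handshaking, client: (?P<client>[0-9A-Fa-f.:]+), "
    r"server: (?P<server>\S+)$"
)
# One entry of OpenSSL's error queue: error:<code>:<library>:<function>:<reason>.
# Entries are space-separated, so a reason runs until the next " error:" or the end.
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+?)(?= error:|$)"
)


def parse_handshake_failures(log_text):
    """Return one dict per SSL_do_handshake() failure; unrelated lines are skipped."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # OpenSSL reports its queue oldest first, so chain[0] is the innermost error
        # (here the EC point decoder) and later entries are the callers that wrapped it.
        rec["chain"] = [e.groupdict() for e in ERR_RE.finditer(rec.pop("errs"))]
        failures.append(rec)
    return failures


def summarize_by_root_cause(failures):
    """Group failures by innermost error -> hit count and the set of distinct clients."""
    summary = defaultdict(lambda: {"count": 0, "clients": set()})
    for f in failures:
        root = f["chain"][0] if f["chain"] else {"lib": "?", "func": "?", "reason": "unparsed"}
        key = f"{root['lib']}:{root['func']}:{root['reason']}"
        summary[key]["count"] += 1
        summary[key]["clients"].add(f["client"])
    return dict(summary)
```

Run it against the real log with `summarize_by_root_cause(parse_handshake_failures(open(path).read()))`; a cause whose client set is large and scattered while normal traffic keeps working is scanner or broken-client noise rather than a configuration fault.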