SSL_do_handshake() failed

2019/10/02 03:36:19 [crit] 13344#0: *3396 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.104, server: 0.0.0.0:443

Basically I cannot access it, though sometimes it can be opened occasionally. I would like to ask how to solve this problem?

That error message is from SSL Labs sending an improper message to detect if you’re using an ancient version of OpenSSL that has a certain vulnerability. Since you’re not vulnerable, OpenSSL and Nginx reject it and log an error message.

It’s not an indication of any problems.

What do you mean by “can not access”?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

CentOS 7, nginx 1.16.1, certbot 0.38.0
I can SSH in.
Can't visit; my website can't open.

Can you answer the other questions?

Has anything changed recently? When did it stop working?

1 Like

I only used HTTPS the day before yesterday. Yesterday and today, my website has been unable to open, sometimes it can be opened occasionally.

My domain is: fujieb.com

I ran this command: Visit my website

It produced this output: 2019/10/02 03:36:19 [crit] 13344#0: *3396 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.104, server: 0.0.0.0:443

My web server is (include version): nginx 1.16.1

The operating system my web server runs on is (include version): 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: aliyun

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.38.0

1 Like

Hi @krhomme

there is a check of your website, created yesterday - fujieb.com - Make your website better - DNS, redirects, mixed content, certificates

Grade C - no problem with your certificate.

And the certificate is new.

CN=fujieb.com
	29.09.2019
	28.12.2019
expires in 87 days	api.fujieb.com, db.krhomme.com, fujieb.com, www.fujieb.com - 4 entries

Now checked with OpenSsl, no problem.

Ssllabs show A+ - SSL Server Test (Powered by Qualys SSL Labs)

Perhaps share a screenshot.

1 Like

PS: Your website supports only Tls.1.2.

So if you use an old client / browser / OS without Tls.1.2-support, that can’t work.

That may produce this error message.

But occasionally I can open my website.

Share a screenshot of the error message.

Error displayed when unable to open.

Please: What tool, which command? It’s impossible to see what you are doing.

Mac terminal, SSH to connect to the server, then tail -n 10 /usr/local/nginx1.16.1/logs/error log

That's completely irrelevant.

May be a buggy client, may be a test software like Ssllabs.

There are tons of buggy clients which can't connect a webserver.

And you have disabled Tls.1.0 and 1.1, there are a lot of bots using Tls.1.0 / 1.1. So they are blocked.
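An added example that is not part of this thread: a small Python triage script for nginx error-log lines of the kind quoted above. It separates the "ccs received early" line (a patched OpenSSL rejecting a scanner's early ChangeCipherSpec probe, as explained earlier in the thread) from "no shared cipher" / "unsupported protocol" failures, which are what real clients or bots without TLS 1.2 support produce when TLS 1.0 and 1.1 are disabled. The first sample line is the one from the thread; the other sample lines are constructed, the bucket names are my own, and the reason strings are OpenSSL's.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Regex for nginx's "SSL_do_handshake() failed" error-log line; the OpenSSL reason
# text sits in parentheses. Any other kind of log line simply does not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: \*\d+ "
    r"SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]+):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>[^)]+)\) while SSL handshaking, "
    r"client: (?P<client>[^,]+), server: (?P<server>\S+)"
)

# Triage buckets (names are my own). "ccs received early" is a patched OpenSSL
# rejecting a ChangeCipherSpec sent before the handshake reaches that point, i.e. a
# scanner probe being refused, not a server fault. "no shared cipher" and
# "unsupported protocol" mean the client could not agree on a protocol/cipher with
# the server's configuration (for example a client without TLS 1.2 support).
REASON_CLASS = {
    "ccs received early": "scanner-probe",
    "no shared cipher": "client-incompatible",
    "unsupported protocol": "client-incompatible",
    "wrong version number": "non-tls-traffic",
    "http request": "non-tls-traffic",
}


@dataclass(frozen=True)
class HandshakeFailure:
    timestamp: str
    level: str
    reason: str
    client: str
    server: str
    category: str


def parse_line(line: str) -> Optional[HandshakeFailure]:
    """Return a HandshakeFailure for a handshake-failure line, None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reason = m.group("reason")
    return HandshakeFailure(
        timestamp=m.group("ts"),
        level=m.group("level"),
        reason=reason,
        client=m.group("client"),
        server=m.group("server"),
        category=REASON_CLASS.get(reason, "other"),
    )


def triage(log_text: str) -> dict:
    """Count failures per bucket and count distinct client IPs per bucket."""
    by_category: Counter = Counter()
    clients: dict = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        by_category[f.category] += 1
        clients.setdefault(f.category, set()).add(f.client)
    return {
        "by_category": dict(by_category),
        "distinct_clients": {cat: len(ips) for cat, ips in clients.items()},
    }


# Constructed sample log: line 1 is the line from the thread, the rest are made up
# to show other reason strings and one unrelated error line.
SAMPLE_LOG = """\
2019/10/02 03:36:19 [crit] 13344#0: *3396 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.104, server: 0.0.0.0:443
2019/10/02 03:40:01 [crit] 13344#0: *3401 SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443
2019/10/02 03:40:44 [crit] 13344#0: *3403 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:ssl3_get_client_hello:unsupported protocol) while SSL handshaking, client: 203.0.113.8, server: 0.0.0.0:443
2019/10/02 03:41:15 [info] 13344#0: *3405 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking, client: 198.51.100.9, server: 0.0.0.0:443
2019/10/02 03:42:00 [error] 13344#0: *3410 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.7, server: fujieb.com
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for cat, n in summary["by_category"].items():
        print(f"{cat:20s} {n:4d} failures from {summary['distinct_clients'][cat]} client(s)")
```

Run it against the real file with `triage(open("/path/to/error.log").read())`. A single "scanner-probe" client is noise; a "client-incompatible" bucket fed by many distinct client addresses is the signal to look at the server's protocol and cipher settings rather than at the certificate.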


Do I need to turn them all on?

If I’m using a client that doesn’t support Tls1.0 or 1.1 it should never open, but I do occasionally. So that’s not the problem!

Found the reason: it is caused by the GFW!

1 Like
