SSL_do_handshake() failed

Hi all! I installed an SSL certificate for a domain - example.com - and set up the config in nginx as below:

server {
   listen 80;
   server_name example.com www.example.com;
   return 301 https://$server_name$request_uri;
}

server {
   server_name example.com www.example.com;

   include snippets/ssl-example.com.conf;
   include snippets/ssl-params.conf;

   root /var/www/html/example/example.com/dist;
   index index.html;

   location / {
       #try_files $uri $uri/ =404;
       try_files $uri $uri/ /index.html;
   }

   location /.well-known/acme-challenge {
       root /var/www/html/example/example.com;
   }

   error_log /var/log/nginx/example.com-error.log warn;
   access_log /var/log/nginx/example.com-access.log combined;

   #location ~ \.php$ {
   #    include snippets/fastcgi-php.conf;
   #    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
   #}

   location ~ /\.ht {
       deny all;
   }
}

I get the error below in the browser:

This site can’t provide a secure connection

example.com sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

A check of the nginx error log revealed the lines below:

2017/03/14 17:29:34 [crit] 11795#11795: *382 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: An IP Address, server: 0.0.0.0:443

Please what am I doing wrong?

Hi @skayt,

That doesn’t look like a complete HTTPS configuration to me. For example, it doesn’t refer to your certificate, key, or chain files directly, and doesn’t include a “listen 443 ssl” directive. All of these things should be necessary in order for your web server to speak HTTPS correctly.

Maybe the “snippets” files that you included attempt to do these things, but you didn’t post them here so I’m not sure.

Protocol errors like this can often be a result of speaking HTTP instead of HTTPS on port 443, which can happen in nginx if you say something like “listen 443” instead of “listen 443 ssl”, for example.
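
As an added check (not code from the thread or from nginx), a small Python lint that applies the points in this reply to a single server block: it flags a `listen` on 443 without the `ssl` parameter, a block with no `listen` at all, and missing `ssl_certificate`/`ssl_certificate_key` directives, noting when those may live in an include it cannot see. The sample blocks and certificate paths are constructed, and the legacy `ssl on;` directive is assumed to enable TLS as well.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the server block in the post (the "before" config).
POSTED_BLOCK = """
server {
   server_name example.com www.example.com;
   include snippets/ssl-example.com.conf;
   include snippets/ssl-params.conf;
}
"""

# Constructed "after" block with TLS wired up explicitly; certificate paths are placeholders.
FIXED_BLOCK = """
server {
   listen 443 ssl;
   listen [::]:443 ssl;
   server_name example.com www.example.com;
   ssl_certificate     /path/to/fullchain.pem;
   ssl_certificate_key /path/to/privkey.pem;
}
"""

DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+([^;{}]*);")  # simple `name args;` lines only

def parse_directives(block):
    """Map each directive name in one server block to the list of its argument lists."""
    found = defaultdict(list)
    for line in block.splitlines():
        m = DIRECTIVE.match(line.split("#", 1)[0])  # commented-out lines are ignored
        if m:
            found[m.group(1)].append(m.group(2).split())
    return found

def lint_tls(block):
    """Return findings explaining why this block may not speak TLS on port 443."""
    d = parse_directives(block)
    findings = []
    listens = d.get("listen", [])
    if not listens:
        findings.append("no 'listen' directive: nginx defaults to plaintext on port 80")
    for args in listens:  # legacy `ssl on;` also enables TLS, so it is accepted too
        if args and re.search(r"(^|:)443$", args[0]) and "ssl" not in args and "ssl" not in d:
            findings.append(f"'listen {' '.join(args)}' serves plaintext HTTP on 443: add 'ssl'")
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if name not in d:
            hint = "may be set in an include, not checked" if "include" in d else "missing"
            findings.append(f"no '{name}' directive in this block ({hint})")
    return findings
```

Run `lint_tls()` on each server block of the site config; an empty list means the block declares a TLS listener and its certificate files itself.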

Hi @skayt

You can review Mozilla's TLS guide, which is a good practical guide.

There is also a base config generator which you can use for your nginx:

https://wiki.mozilla.org/Security/Server_Side_TLS
https://mozilla.github.io/server-side-tls/ssl-config-generator/

Andrei

Are you sure the request in that error.log line comes from your IP address and corresponds to your attempt to connect to the server?

That error.log line appears to be an attempt to scan for or exploit an OpenSSL security vulnerability fixed in 2014:

https://www.openssl.org/news/secadv/20140605.txt

(The first one. You’re not vulnerable.)

What’s your website’s real name?
