SSL_do_handshake() failed

skayt · March 16, 2017, 3:51am

Hi all! I installed an ssl certificate for a domain - example.com and setup the config in nginx as below:

server {
   listen 80;
   server_name example.com www.example.com;
   return 301 https://$server_name$request_uri;
}

server {
   server_name example.com www.example.com;

   include snippets/ssl-example.com.conf;
   include snippets/ssl-params.conf;

   root /var/www/html/example/example.com/dist;
   index index.html;

   location / {
       #try_files $uri $uri/ =404;
       try_files $uri $uri/ /index.html;
   }

   location /.well-known/acme-challenge {
       root /var/www/html/example/example.com;
   }

   error_log /var/log/nginx/example.com-error.log warn;
   access_log /var/log/nginx/example.com-access.log combined;

   #location ~ \.php$ {
   #    include snippets/fastcgi-php.conf;
   #    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
   #}

   location ~ /\.ht {
       deny all;
   }
}

I get the error below in the browser:

This site can’t provide a secure connection

example.com sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

A check of the nginx error log revealed the lines below:

2017/03/14 17:29:34 [crit] 11795#11795: *382 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: An IP Address, server: 0.0.0.0:443

Please what am I doing wrong?

schoen · March 16, 2017, 6:02am

Hi @skayt,

That doesn’t look like a complete HTTPS configuration to me. For example, it doesn’t refer to your certificate, key, or chain files directly, and doesn’t include a “listen 443 ssl” directive. All of these things should be necessary in order for your web server to speak HTTPS correctly.

Maybe the “snippets” files that you included attempt to do these things, but you didn’t post them here so I’m not sure.

Protocol errors like this can often be a result of speaking HTTP instead of HTTPS on port 443, which can happen in nginx if you say something like “listen 443” instead of “listen 443 ssl”, for example,

ahaw021 · March 16, 2017, 9:41am

hi @skayt

You can review mozillas tls guide which is a good practical guide

there is also a base config generator which you can use for your nginx

https://wiki.mozilla.org/Security/Server_Side_TLS
https://mozilla.github.io/server-side-tls/ssl-config-generator/

Andrei

mnordhoff · March 16, 2017, 9:50am

Are you sure the request in that error.log line comes from your IP address and corresponds to your attempt to connect to the server?

That error.log line appears to be an attempt to scan for or exploit an OpenSSL security vulnerability fixed in 2014:

https://www.openssl.org/news/secadv/20140605.txt

(The first one. You’re not vulnerable.)

What’s your website’s real name?

system · April 15, 2017, 9:50am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SSL_do_handshake() failed Help	18	2933	November 1, 2019
Repeated SSL_do_handshake() errors Server	10	3035	January 11, 2019
SSL_do_handshake() failed (SSL: error:0A00006C Help	25	1912	July 14, 2024
A lot of SSL_do_handshake() failed erors in nginx logs Help	19	22770	April 26, 2019
SSL_do_handshake() failed Help	6	805	October 8, 2023

SSL_do_handshake() failed

Related topics