TLS handshake wouldn't work


#1

hi LE community,

I ran certbot certonly with the webroot plugin, everything went well. Certificates look ok.
Conf : debian8 / nginx 1.11 / openssl 1.0.1

I ran this command: curl -iv https://netvisa.org
It produced this output:

* Rebuilt URL to: https://netvisa.org/
*   Trying 195.154.172.47...
* Connected to netvisa.org (195.154.172.47) port 443 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake

nginx conf :

server {
    listen [::]:80;
    listen 80;
    server_name netvisa.org www.netvisa.org;
    root /home/netviza/www;
}
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name www.netvisa.org;
    include h5bp/directive-only/ssl.conf;
    return 301 https://netvisa.org$request_uri;
}
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name netvisa.org;
    root /home/netviza/www;

    # default h5bp conf
    include h5bp/directive-only/ssl.conf;
    ssl_certificate /etc/letsencrypt/live/netvisa.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/netvisa.org/privkey.pem;
    access_log /home/netviza/log/access.log;
    error_log /home/netviza/log/error.log;
    error_page 404 /404.html;
    index index.php index.html index.htm;
    client_max_body_size 20m;
    charset utf-8;

    # default h5bp conf
    include h5bp/basic.conf;
}

firewall shouldn’t be a problem

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 20391/nginx.conf
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 20391/nginx.conf
tcp6 0 0 :::80 :::* LISTEN 20391/nginx.conf
tcp6 0 0 :::443 :::* LISTEN 20391/nginx.conf

not sure if I messed something up…
help would be greatly appreciated.

error.log didn’t produce anything useful :frowning:

Tom


#2

Ah, that’s a funny one. Could be what I have described some time ago - https://do-know.com/guides/blog-Enabling-HTTP-v2-on-your-server.html :slight_smile: I remember when I first tried http2 and Firefox was just not connecting without showing any errors, it was … strange :confused:

Check what’s in your “h5bp/directive-only/ssl.conf” - you might have configured the ciphers in a way that it won’t work.


#3

Hello Alexander,
Thanks for your answer.

I tried using the cipher list you suggested in the article. Made no difference.
Here is my ssl.conf:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5:!aNULL;

ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h;
keepalive_timeout 300s;

I tried to activate SSLv3 in order to get an error while connecting with openssl
using sslv3 and tls1.2 :
openssl s_client -connect netvisa.org:443 -servername netvisa.org
openssl s_client -ssl3 -connect netvisa.org:443

I got this generic error output:

CONNECTED(00000003)
write:errno=54

and

CONNECTED(00000003)
15563:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s3_pkt.c:566:


#4

Interestingly, telnet netvisa.org 443 is able to connect, but the connection is instantly closed by your server (Connection closed by foreign host.).

Any iptable rules that could be interfering? I don’t think nginx would do that.


#5

The fact that a process is able to bind and listen does not mean the connection to that port is actually allowed. Try connecting again and watch logs with tail -f - not only the error log you specified in the configuration, but also /var/log/nginx/error.log and /var/log/syslog (or /var/log/kern.log)

btw, I’m not sure why you listen on ipv6 as well in the configuration, considering that there is no AAAA record for the domain (unless you’re going to add it later) :slight_smile:


#6

ah!

tail -f /var/log/nginx/error.log

[error] 743#743: *472 no “ssl_certificate” is defined in server listening on SSL port while SSL handshaking, client: 93.8.74.91, server: 0.0.0.0:443

as for iptables rules

-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT

Edit: OK, I fixed it by adding “default_server” in my server block conf.

listen 443 default_server ssl http2;

:grin:
PS: gonna add this AAAA record :stuck_out_tongue:

Thank you very much for your time
enjoy your sunday :slight_smile:
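
The root cause in post #6 is that the first server block declared for port 443 (the www.netvisa.org redirect) has no ssl_certificate, so nginx uses it as the default server for that socket and aborts the handshake before SNI can select the netvisa.org block. The lint below catches that pattern in a config file; it is an added example, not code from this thread or from nginx, and the sample config is constructed from post #1 with the h5bp includes left out (their contents are not on this page).

```python
import re
# Constructed sample: the two 443 server blocks from post #1 (h5bp includes left out, their contents are not on this page); a location block is added to exercise the parser.
SAMPLE_CONF = """
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name www.netvisa.org;
    return 301 https://netvisa.org$request_uri;
}
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name netvisa.org;
    ssl_certificate /etc/letsencrypt/live/netvisa.org/fullchain.pem;
    location / { try_files $uri =404; }
}
"""

def parse_servers(conf):
    """Directives declared directly inside each server block as [(name, args), ...]."""
    servers, depth, server_depth, stmt = [], 0, None, ""
    for ch in re.sub(r"#.*", "", conf):             # comments stripped first
        if ch not in "{};":
            stmt += ch
            continue
        if ch == "{" and stmt.split() == ["server"]:   # entering a server block
            servers.append([])
            server_depth = depth + 1
        if ch == ";" and depth == server_depth and stmt.split():
            parts = stmt.split()                     # nested blocks (location, if) are skipped
            servers[-1].append((parts[0], parts[1:]))
        depth += {"{": 1, "}": -1}.get(ch, 0)
        stmt = ""
    return servers

def check_ssl_defaults(conf):
    """Return (address, server_name) for each ssl listen address whose default server
    (explicit default_server, else the first one declared) has no ssl_certificate."""
    servers, defaults = parse_servers(conf), {}     # defaults: addr -> (server idx, explicit?)
    for idx, directives in enumerate(servers):
        for name, args in directives:
            if name == "listen" and "ssl" in args:
                explicit = "default_server" in args
                if args[0] not in defaults or (explicit and not defaults[args[0]][1]):
                    defaults[args[0]] = (idx, explicit)
    # nginx aborts every handshake on such a socket, whatever SNI name the client sends
    return [(addr, " ".join(next((a for n, a in servers[i] if n == "server_name"), ["?"])))
            for addr, (i, _) in sorted(defaults.items())
            if not any(n == "ssl_certificate" for n, _ in servers[i])]
```

On the sample this reports both 443 and [::]:443 as defaulting to www.netvisa.org without a certificate; since default_server is set per listen address, the fix from post #6 has to go on the [::]:443 listen line as well, or the IPv6 socket keeps failing once the AAAA record exists.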


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.