TLS handshake wouldn't work

hi LE community,

I ran certbot certonly with the webroot plugin; everything went well, and the certificates look ok.
Conf: Debian 8 / nginx 1.11 / OpenSSL 1.0.1

I ran this command: curl -iv https://netvisa.org
It produced this output:

    * Rebuilt URL to: https://netvisa.org/
    *   Trying 195.154.172.47...
    * Connected to netvisa.org (195.154.172.47) port 443 (#0)
    * Server aborted the SSL handshake
    * Closing connection 0
    curl: (35) Server aborted the SSL handshake

nginx conf:

    server {
        listen [::]:80;
        listen 80;
        server_name netvisa.org www.netvisa.org;
        root /home/netviza/www;
    }
    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name www.netvisa.org;
        include h5bp/directive-only/ssl.conf;
        return 301 https://netvisa.org$request_uri;
    }
    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name netvisa.org;
        root /home/netviza/www;

        # default h5bp conf
        include h5bp/directive-only/ssl.conf;
        ssl_certificate /etc/letsencrypt/live/netvisa.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/netvisa.org/privkey.pem;
        access_log /home/netviza/log/access.log;
        error_log /home/netviza/log/error.log;
        error_page 404 /404.html;
        index index.php index.html index.htm;
        client_max_body_size 20m;
        charset utf-8;

        # default h5bp conf
        include h5bp/basic.conf;
    }

The firewall shouldn't be a problem:

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 20391/nginx.conf
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 20391/nginx.conf
tcp6 0 0 :::80 :::* LISTEN 20391/nginx.conf
tcp6 0 0 :::443 :::* LISTEN 20391/nginx.conf

Not sure if I messed something up…
Help would be greatly appreciated.

error.log didn't produce anything useful :frowning:

Tom

Ah, that’s a funny one. Could be what I have described some time ago - https://do-know.com/guides/blog-Enabling-HTTP-v2-on-your-server.html :slight_smile: I remember when I first tried http2 and Firefox was just not connecting without showing any errors, it was … strange :confused:

Check what’s in your “h5bp/directive-only/ssl.conf” - you might have configured the ciphers in a way that it won’t work.

Hello Alexander,
Thanks for your answer.

I tried using the ciphers you suggested in the article; it made no difference.
Here is my ssl.conf:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5:!aNULL;

ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h;
keepalive_timeout 300s;

I tried to activate SSLv3 in order to get an error while connecting with openssl using SSLv3 and TLS 1.2:

    openssl s_client -connect netvisa.org:443 -servername netvisa.org
    openssl s_client -ssl3 -connect netvisa.org:443

I got this generic error output:

CONNECTED(00000003)
write:errno=54

and

CONNECTED(00000003)
15563:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s3_pkt.c:566:

Interestingly, telnet netvisa.org 443 is able to connect, but the connection is instantly closed by your server (Connection closed by foreign host.).

Any iptables rules that could be interfering? I don't think nginx would do that.

The fact that a process is able to bind and listen does not mean that a connection to that port is actually allowed. Try connecting again and watch the logs with tail -f: not only the error log you specified in the configuration, but also /var/log/nginx/error.log and /var/log/syslog (or /var/log/kern.log).

btw, I'm not sure why you listen on IPv6 as well in the configuration, considering that there is no AAAA record for the domain (unless you're going to add it later) :slight_smile:

ah!

tail -f /var/log/nginx/error.log

    [error] 743#743: *472 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 93.8.74.91, server: 0.0.0.0:443

As for iptables rules:

-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT

Edit: OK, I fixed it by adding "default_server" to my server block conf.

    listen 443 default_server ssl http2;

:grin:
PS: gonna add this AAAA record :stuck_out_tongue:

Thank you very much for your time
enjoy your sunday :slight_smile:
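Added example, not part of Tom's or Alexander's posts: the two HTTPS server blocks from the thread rewritten so that the handshake no longer depends on which block happens to come first. nginx builds the TLS context for a new connection from the default server of that address:port (the first server block listening there, unless one is marked default_server), and it does this before it has read the SNI name from the ClientHello. In the config posted above the first 443 block, the www redirect, carried no ssl_certificate, so nginx had no context to give the connection and simply closed it; that is the "no "ssl_certificate" is defined in server listening on SSL port" line in error.log and the instant close telnet showed. Marking the netvisa.org block default_server, as Tom did, fixes that; giving the www block its own certificate lines as well means neither block relies on the other. The paths are the ones quoted in the thread; the example assumes the certificate under /etc/letsencrypt/live/netvisa.org/ also covers www.netvisa.org (the case when certbot was run with both -d names) and that the h5bp include files exist unchanged.

```nginx
# Added example (not the thread's own file): explicit default server for 443
# and a certificate in every server block that terminates TLS.

server {
    # Explicit default for port 443. nginx creates the TLS context for a new
    # connection from this block before the SNI name is known, so the block
    # that is the default must carry a certificate.
    listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2 default_server;
    server_name netvisa.org;
    root /home/netviza/www;

    # default h5bp conf
    include h5bp/directive-only/ssl.conf;
    ssl_certificate     /etc/letsencrypt/live/netvisa.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/netvisa.org/privkey.pem;

    access_log /home/netviza/log/access.log;
    error_log  /home/netviza/log/error.log;
    error_page 404 /404.html;
    index index.php index.html index.htm;
    client_max_body_size 20m;
    charset utf-8;

    # default h5bp conf
    include h5bp/basic.conf;
}

server {
    # The www redirect also terminates TLS, so it gets its own certificate
    # even though it is not the default server. Without one it keeps the
    # default server's context, and the redirect only validates if that
    # certificate happens to cover www.netvisa.org.
    # Assumption: the netvisa.org certificate was issued for both names.
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name www.netvisa.org;

    include h5bp/directive-only/ssl.conf;
    ssl_certificate     /etc/letsencrypt/live/netvisa.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/netvisa.org/privkey.pem;

    return 301 https://netvisa.org$request_uri;
}
```

After editing, run nginx -t and reload, then repeat the curl -iv and openssl s_client -servername checks from earlier in the thread for both names; the www check is the one that catches a redirect block without a certificate. The SSLv3 entry Tom added to ssl_protocols for debugging should come back out once the handshake works.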
