Nginx server closes ssl connection for some clients

17,415

Solution 1

It looks to me like any client which tries to use TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 fails. This is your most preferred cipher, but all the clients that succeed do not support it, so they skip past it, and all those that fail do support it.

I'm not sure why this is, to be honest - maybe a bad implementation of TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 in whatever SSL library you are using (openssl?)? Not aware of any issues that would cause this, but at the same time this is not usually a cipher people would pick. If your SSL software supports SHA256 then it must be pretty modern, and there are usually better ciphers you'd want over this one.

The other interesting thing to note is that the better ciphers are NOT listed - even though you have set ssl_ciphers to ALL. That is very odd! It would suggest to me you are on an old version of your SSL software but then why would it offer TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 at all (though it seems to me even when it does it doesn't support it)? At the same time it does support TLSv1.2 and successfully uses TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for that (at least according to ssllabs) suggesting it's a more recent library. Very odd indeed.

Which SSL library are you using and what version? That might clear things up a little.

However, in the meantime, if you disable TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 I'd imagine this will work. You can use the Mozilla SSL configuration tool to get the settings you need, but these are the settings I use to have good support even for most older browsers while using the newer ciphers first if the client supports them:

ssl_ciphers 'EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS';

Note your version of your SSL library may not support all of these ciphers.
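To make the selection logic behind this answer concrete, here is a small simulation of how a server with ssl_prefer_server_ciphers on picks a suite: it walks its own preference list and takes the first entry the client also offered, so a client that supports the top (and here, broken) suite is steered onto it while a client that lacks it sails past to a working one. This is an added example, not code from the question or the answer; the server order, the client offers and the "broken" set are constructed for illustration, and the suite names are the IANA names used in the answer.

```python
"""Simulate TLS cipher-suite selection with server preference enabled.

Added illustration for this thread; cipher lists below are constructed.
"""

# Constructed server preference order. The answer only states that
# TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 sits first; the rest is illustrative.
SERVER_PREFERENCE = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# Hypothesis from the answer: the server advertises this suite but cannot
# complete a handshake with it.
BROKEN_ON_SERVER = {"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"}

# Constructed ClientHello offers, in each client's own preference order.
CLIENTS = {
    "old-browser-no-sha256": [
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
    ],
    "modern-client": [
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
    ],
    "no-overlap": ["TLS_RSA_WITH_RC4_128_SHA"],
}


def select_suite(server_pref, client_offer, prefer_server=True):
    """Return the negotiated suite, or None for a handshake_failure.

    prefer_server=True mirrors nginx's ssl_prefer_server_ciphers on: the
    server's list order wins. With False the client's order is honoured.
    """
    if prefer_server:
        client_set = set(client_offer)
        return next((s for s in server_pref if s in client_set), None)
    server_set = set(server_pref)
    return next((s for s in client_offer if s in server_set), None)


def simulate(server_pref, broken, clients, prefer_server=True):
    """Map client name -> ('ok' | 'fail' | 'no_overlap', chosen suite)."""
    results = {}
    for name, offer in clients.items():
        suite = select_suite(server_pref, offer, prefer_server)
        if suite is None:
            results[name] = ("no_overlap", None)
        elif suite in broken:
            # The server selects it and the handshake then dies, which is
            # exactly the client-dependent pattern described in the answer.
            results[name] = ("fail", suite)
        else:
            results[name] = ("ok", suite)
    return results


def without(server_pref, suites):
    """The answer's workaround: drop the suspect suite from the server list."""
    return [s for s in server_pref if s not in suites]


if __name__ == "__main__":
    scenarios = (
        ("as configured", SERVER_PREFERENCE),
        ("SHA256 DHE suite removed", without(SERVER_PREFERENCE, BROKEN_ON_SERVER)),
    )
    for label, pref in scenarios:
        print(label)
        for name, (status, suite) in simulate(pref, BROKEN_ON_SERVER, CLIENTS).items():
            print(f"  {name:24s} {status:10s} {suite}")
```

Running it shows the modern client failing in the first scenario and succeeding once the suspect suite is removed, while the older client is unaffected either way; switching prefer_server off would also let the modern client land on its own first choice, which is another way to confirm the diagnosis without changing the cipher list.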

Solution 2

I know this is an old post, but in case anyone else runs into this issue or a similar SSL issue: I found, after a day's worth of troubleshooting, that it was related to my nginx version.

I was on nginx/1.6.3 and updated to current nginx/1.14.0 and the errors were solved.

I believe this was due to the older version of nginx using an older OpenSSL version, which caused it not to properly read my newer SSL certificate.

Solution 3

I found this, which made me test openssl s_client -connect with -tls1/-tls1_1/-tls1_2.

-tls1 and -tls1_1 worked, but -tls1_2 failed as before with error 104.

I should probably dig further with this new information, but I am so fed up right now. So since it seems to work I will leave it for now.

Too bad the ssllabs score now is capped at C because of lacking TLS1.2, though.

Updated on June 04, 2022

Comments

  • Admin
    Admin almost 2 years

    I have been having some problems with https connections on a box running nginx. Most browsers I have tried work, but some Safari versions, and openssl, fail to connect. https://www.ssllabs.com/ssltest/analyze.html?d=test.relis.no shows many attempts as "Server closed connection".

    The problem seems to be connected to cipher suites, based on some things I have read while googling log content.

    When connecting with openssl s_client -connect test.relis.no:443:

    CONNECTED(00000003)
    write:errno=104
    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 0 bytes and written 295 bytes
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE

    Nginx config:

    server {
            listen       443 ssl;
            server_name  test.relis.no;
    
            location / {
                proxy_pass http://localhost:8081;
                proxy_read_timeout 3600;
            }
    
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
    
            ssl_certificate /etc/letsencrypt/live/test.relis.no/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/test.relis.no/privkey.pem;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            ssl_dhparam /etc/ssl/certs/dhparam.pem;
    
            ssl_ciphers ALL;
            ssl_session_timeout 1d;
            ssl_session_cache shared:SSL:50m;
            add_header Strict-Transport-Security max-age=15768000;
    }
    

    (ssl_ciphers ALL; is just for testing)

    Adding debug connection information yields (this client is Safari on iPad):

    13409#0: *390 accept: 195.18.161.2 fd:3
     13409#0: posix_memalign: 00007F8FF0719A90:256 @16
     13409#0: *390 event timer add: 3: 60000:1463745705191
     13409#0: *390 reusable connection: 1
     13409#0: *390 epoll add event: fd:3 op:1 ev:80002001
     13409#0: *390 http check ssl handshake
     13409#0: *390 http recv(): 1
     13409#0: *390 https ssl handshake: 0x16
     13409#0: *390 SSL server name: "test.relis.no"
     13409#0: *390 SSL NPN advertised
     13409#0: *390 SSL_do_handshake: -1
     13409#0: *390 SSL_get_error: 2
     13409#0: *390 reusable connection: 0
     13409#0: *390 SSL handshake handler: 0
     13409#0: *390 SSL_do_handshake: -1
     13409#0: *390 SSL_get_error: 5
      2016/05/20 14:00:45 [info] 13409#0: *390 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 195.18.161.2, server: 0.0.0.0:443
     13409#0: *390 close http connection: 3
     13409#0: *390 SSL_shutdown: 1
     13409#0: *390 event timer del: 3: 1463745705191
     13409#0: *390 reusable connection: 0
     13409#0: *390 free: 00007F8FF0731FF0, unused: 3
     13409#0: *390 free: 00007F8FF0719A90, unused: 136
     13409#0: *391 accept: 195.18.161.2 fd:3
     13409#0: posix_memalign: 00007F8FF0719A90:256 @16
     13409#0: *391 event timer add: 3: 60000:1463745705259
     13409#0: *391 reusable connection: 1
     13409#0: *391 epoll add event: fd:3 op:1 ev:80002001
     13409#0: *391 http check ssl handshake
     13409#0: *391 http recv(): 1
     13409#0: *391 https ssl handshake: 0x16
     13409#0: *391 SSL_do_handshake: -1
     13409#0: *391 SSL_get_error: 1
      2016/05/20 14:00:45 [info] 13409#0: *391 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback) while SSL handshaking, client: 195.18.161.2, server: 0.0.0.0:443
     13409#0: *391 close http connection: 3
     13409#0: *391 SSL_shutdown: 1
     13409#0: *391 event timer del: 3: 1463745705259
     13409#0: *391 reusable connection: 0
     13409#0: *391 free: 00007F8FF0731FF0, unused: 16
     13409#0: *391 free: 00007F8FF0719A90, unused: 136
     13409#0: *392 accept: 195.18.161.2 fd:3
     13409#0: posix_memalign: 00007F8FF0719A90:256 @16
     13409#0: *392 event timer add: 3: 60000:1463745705310
     13409#0: *392 reusable connection: 1
     13409#0: *392 epoll add event: fd:3 op:1 ev:80002001
     13409#0: *392 http check ssl handshake
     13409#0: *392 http recv(): 1
     13409#0: *392 https ssl handshake: 0x16
     13409#0: *392 SSL_do_handshake: -1
     13409#0: *392 SSL_get_error: 1
      2016/05/20 14:00:45 [info] 13409#0: *392 SSL_do_handshake() failed (SSL: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number) while SSL handshaking, client: 195.18.161.2, server: 0.0.0.0:443
     13409#0: *392 close http connection: 3
     13409#0: *392 SSL_shutdown: 1
     13409#0: *392 event timer del: 3: 1463745705310
     13409#0: *392 reusable connection: 0
     13409#0: *392 free: 00007F8FF0731FF0, unused: 16
     13409#0: *392 free: 00007F8FF0719A90, unused: 136
    

    OpenSSL (version 1.0.1e-fips 11 Feb 2013) ciphers prints:

    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-ECDSA-AES256-SHA384
    ECDHE-RSA-AES256-SHA
    ECDHE-ECDSA-AES256-SHA
    DHE-DSS-AES256-GCM-SHA384
    DHE-RSA-AES256-GCM-SHA384
    DHE-RSA-AES256-SHA256
    DHE-DSS-AES256-SHA256
    DHE-RSA-AES256-SHA
    DHE-DSS-AES256-SHA
    DHE-RSA-CAMELLIA256-SHA
    DHE-DSS-CAMELLIA256-SHA
    ECDH-RSA-AES256-GCM-SHA384
    ECDH-ECDSA-AES256-GCM-SHA384
    ECDH-RSA-AES256-SHA384
    ECDH-ECDSA-AES256-SHA384
    ECDH-RSA-AES256-SHA
    ECDH-ECDSA-AES256-SHA
    AES256-GCM-SHA384
    AES256-SHA256
    AES256-SHA
    CAMELLIA256-SHA
    PSK-AES256-CBC-SHA
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-ECDSA-AES128-SHA256
    ECDHE-RSA-AES128-SHA
    ECDHE-ECDSA-AES128-SHA
    DHE-DSS-AES128-GCM-SHA256
    DHE-RSA-AES128-GCM-SHA256
    DHE-RSA-AES128-SHA256
    DHE-DSS-AES128-SHA256
    DHE-RSA-AES128-SHA
    DHE-DSS-AES128-SHA
    ECDHE-RSA-DES-CBC3-SHA
    ECDHE-ECDSA-DES-CBC3-SHA
    DHE-RSA-SEED-SHA
    DHE-DSS-SEED-SHA
    DHE-RSA-CAMELLIA128-SHA
    DHE-DSS-CAMELLIA128-SHA
    EDH-RSA-DES-CBC3-SHA
    EDH-DSS-DES-CBC3-SHA
    ECDH-RSA-AES128-GCM-SHA256
    ECDH-ECDSA-AES128-GCM-SHA256
    ECDH-RSA-AES128-SHA256
    ECDH-ECDSA-AES128-SHA256
    ECDH-RSA-AES128-SHA
    ECDH-ECDSA-AES128-SHA
    ECDH-RSA-DES-CBC3-SHA
    ECDH-ECDSA-DES-CBC3-SHA
    AES128-GCM-SHA256
    AES128-SHA256
    AES128-SHA
    SEED-SHA
    CAMELLIA128-SHA
    DES-CBC3-SHA
    IDEA-CBC-SHA
    PSK-AES128-CBC-SHA
    PSK-3DES-EDE-CBC-SHA
    KRB5-IDEA-CBC-SHA
    KRB5-DES-CBC3-SHA
    KRB5-IDEA-CBC-MD5
    KRB5-DES-CBC3-MD5
    ECDHE-RSA-RC4-SHA
    ECDHE-ECDSA-RC4-SHA
    ECDH-RSA-RC4-SHA
    ECDH-ECDSA-RC4-SHA
    RC4-SHA
    RC4-MD5
    PSK-RC4-SHA
    KRB5-RC4-SHA
    KRB5-RC4-MD5
    

    ldd $(which nginx) | grep ssl: libssl.so.10 => /lib64/libssl.so.10 (0x00007f413c860000)

    nginx -V:

    nginx version: nginx/1.6.3
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) 
    TLS SNI support enabled
    configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
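The debug log above is long, and the lines that actually explain each dropped connection are the few [info] entries. The parser below, added here as an example and not part of the question, pulls those out per connection id, separates OpenSSL library errors (error code, SSL routine, reason) from plain socket errors (errno), attaches the preceding SSL_get_error value, and tallies the reasons so a pattern such as "every TLS 1.2 client hits the same error" becomes visible. The sample input is a short excerpt modelled on the log in the question (a few of its lines copied verbatim, the rest omitted); the SSL_get_error name table covers only the codes seen here.

```python
"""Summarise nginx debug-log SSL handshake failures by connection and reason.

Added example for this thread. SAMPLE_LOG is an excerpt modelled on the
question's debug output, trimmed to the lines the parser cares about.
"""
import re

SAMPLE_LOG = """\
13409#0: *390 SSL server name: "test.relis.no"
13409#0: *390 SSL_do_handshake: -1
13409#0: *390 SSL_get_error: 5
2016/05/20 14:00:45 [info] 13409#0: *390 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 195.18.161.2, server: 0.0.0.0:443
13409#0: *391 SSL_do_handshake: -1
13409#0: *391 SSL_get_error: 1
2016/05/20 14:00:45 [info] 13409#0: *391 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback) while SSL handshaking, client: 195.18.161.2, server: 0.0.0.0:443
13409#0: *392 SSL_do_handshake: -1
13409#0: *392 SSL_get_error: 1
2016/05/20 14:00:45 [info] 13409#0: *392 SSL_do_handshake() failed (SSL: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number) while SSL handshaking, client: 195.18.161.2, server: 0.0.0.0:443
13409#0: *393 SSL_do_handshake: 1
"""

# nginx [info] line emitted when a handshake is abandoned.
INFO_RE = re.compile(
    r"\[info\] \d+#\d+: \*(?P<conn>\d+) (?P<msg>.*?) while SSL handshaking, "
    r"client: (?P<client>[0-9a-fA-F.:]+), server: (?P<server>\S+)"
)
# OpenSSL error string: error:<code>:SSL routines:<function>:<reason>
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-F]{8}):SSL routines:(?P<func>[^:]+):(?P<reason>[^)]+)"
)
# Socket-level failure: "(104: Connection reset by peer)"
ERRNO_RE = re.compile(r"\((?P<errno>\d+): (?P<strerror>[^)]+)\)")
# Debug line carrying the SSL_get_error() result for a connection.
GET_ERROR_RE = re.compile(r"\*(?P<conn>\d+) SSL_get_error: (?P<code>\d+)")

# SSL_get_error() return values from OpenSSL's ssl.h (only the ones seen here).
SSL_ERROR_NAMES = {1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ", 5: "SSL_ERROR_SYSCALL"}


def parse_handshake_failures(text):
    """Return {conn_id: details} for every connection whose handshake failed."""
    failures = {}
    last_get_error = {}  # conn_id -> most recent SSL_get_error value
    for line in text.splitlines():
        m = GET_ERROR_RE.search(line)
        if m:
            last_get_error[m.group("conn")] = int(m.group("code"))
            continue
        m = INFO_RE.search(line)
        if not m:
            continue
        conn, msg = m.group("conn"), m.group("msg")
        entry = {
            "client": m.group("client"),
            "server": m.group("server"),
            "reason": msg,
            "ssl_get_error": SSL_ERROR_NAMES.get(last_get_error.get(conn), "unknown"),
        }
        e = OPENSSL_ERR_RE.search(msg)
        if e:  # library rejected the ClientHello or cipher list
            entry.update(kind="openssl", code=e.group("code"),
                         function=e.group("func"), reason=e.group("reason"))
        else:  # transport-level failure, e.g. the peer reset the socket
            entry["kind"] = "socket"
            e = ERRNO_RE.search(msg)
            if e:
                entry.update(errno=int(e.group("errno")), reason=e.group("strerror"))
        failures[conn] = entry
    return failures


def summarize(failures):
    """Count failures by reason; this is the view that exposes a per-client pattern."""
    counts = {}
    for f in failures.values():
        counts[f["reason"]] = counts.get(f["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_handshake_failures(SAMPLE_LOG)
    for conn, f in found.items():
        print(f"*{conn} {f['client']:>14s} {f['kind']:7s} {f['ssl_get_error']:18s} {f['reason']}")
    print(summarize(found))
```

On a full error log (nginx writes the same [info] lines without --with-debug, so the parser does not depend on debug mode) the summary separates three distinct things that all look like "server closed connection" from the outside: a peer reset after the ServerHello, a rejected TLS_FALLBACK_SCSV downgrade attempt, and a record-version mismatch.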
    
  • Admin
    Admin almost 8 years
    Thank you for your answer. The SSL library is OpenSSL 1.0.1e-fips. I tried the Mozilla configuration tool before posting, same result. I'll have to keep debugging.
  • Admin
    Admin almost 8 years
    Tried forcing protocol with -tls1, -tls1_1 and -tls1_2. openssl s_client -connect test.relis.no:443 -tls1_2 gives: CONNECTED(00000003) 140521595524768:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
  • Barry Pollard
    Barry Pollard almost 8 years
    I would guess that Nginx was built with older version of openssl and was updated on system after without rebuilding Nginx?