SSL_read() failed (SSL: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 error in nginx
Find the problem when there are several subdomains of the SSL configuration should be the same for all. What I got by putting the SSL parameters in different file and including it in subdomain.conf, you see that in the subdomain that I failed, I had copied the ciphers wrong and there was the problem, now when calling all the subdomains from the same site The SSL configuration instead file by file, it was no longer an error because the configuration is the same for all.
This outline gave me the clue:
https://github.com/jwilder/nginx-proxy/issues/580#issuecomment-249587149
if you have 2 server configurations and and you have ssl_server_tokens set to on in one, it will break the one where it's set to off in certain browsers
Configuring the file /etc/nginx/snippets/ssl-params.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
Related videos on Youtube
Comments
-
Isaac Palacio over 1 year
2017/05/30 09:44:59 [debug] 3486#3486: *1221 free: 000055D2824FBC40, unused: 24 2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL certificate status callback 2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_do_handshake: -1 2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_get_error: 2 2017/05/30 09:57:01 [debug] 3486#3486: *1223 reusable connection: 0 2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL handshake handler: 0 2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_do_handshake: 1 2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD" 2017/05/30 09:57:01 [debug] 3486#3486: *1223 reusable connection: 1 2017/05/30 09:57:01 [debug] 3486#3486: *1223 http wait request handler 2017/05/30 09:57:01 [debug] 3486#3486: *1223 malloc: 000055D282587F80:1024 2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_read: -1 2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_get_error: 2 2017/05/30 09:57:01 [debug] 3486#3486: *1223 free: 000055D282587F80 2017/05/30 09:57:01 [debug] 3486#3486: *1223 http wait request handler 2017/05/30 09:57:01 [debug] 3486#3486: *1223 malloc: 000055D282587F80:1024 2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_read: 0 2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_get_error: 1 2017/05/30 09:57:01 [info] 3486#3486: *1223 SSL_read() failed (SSL: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:SSL alert number 10) while waiting for request, client: 195.16.143.6, server: 0.0.0.0:443 2017/05/30 09:57:01 [debug] 3486#3486: *1223 close http connection: 38 2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_shutdown: 1 2017/05/30 09:57:01 [debug] 3486#3486: *1223 event timer del: 38: 1496131081192 2017/05/30 09:57:01 [debug] 3486#3486: *1223 reusable connection: 0 2017/05/30 09:57:01 [debug] 3486#3486: *1223 free: 000055D282587F80 2017/05/30 09:57:01 [debug] 3486#3486: *1223 free: 000055D282508980, unused: 24
I do not understand this error when I in nginx I have SSL3 enabled, it only happens to me with this subdomain. The rest of subdomains I have the same and they work.
My
subdomain.conf
:ssl_certificate /etc/letsencrypt/live/musica.domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/musica.domain.com/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM$ ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_stapling on; ssl_stapling_verify on;
Chrome error:
ERR_SSL_PROTOCOL_ERROR
Mozilla error:
An error occurred during a connection to musica.domain.com. SSL received an unexpected New Session Ticket handshake message. Error code: SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET
-
Admin almost 7 yearsWhich client are you using when this error occurs?
-
Admin almost 7 yearsI think nginx only
-
Admin almost 7 yearsnginx is server, not client. Please also include additional information in the question, not in comments since there is no formatting in comments.
-
Admin almost 7 yearsWhen you say client you mean the browser, the OS?
-
Admin almost 7 yearsClient is HTTP client, that is browser, CURL etc.
-