SSL_read() failed (SSL: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message) in nginx

2017/05/30 09:44:59 [debug] 3486#3486: *1221 free: 000055D2824FBC40, unused: 24
2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL certificate status callback
2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_do_handshake: -1
2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_get_error: 2
2017/05/30 09:57:01 [debug] 3486#3486: *1223 reusable connection: 0
2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL handshake handler: 0
2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_do_handshake: 1
2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
2017/05/30 09:57:01 [debug] 3486#3486: *1223 reusable connection: 1
2017/05/30 09:57:01 [debug] 3486#3486: *1223 http wait request handler
2017/05/30 09:57:01 [debug] 3486#3486: *1223 malloc: 000055D282587F80:1024
2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_read: -1
2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_get_error: 2
2017/05/30 09:57:01 [debug] 3486#3486: *1223 free: 000055D282587F80
2017/05/30 09:57:01 [debug] 3486#3486: *1223 http wait request handler
2017/05/30 09:57:01 [debug] 3486#3486: *1223 malloc: 000055D282587F80:1024
2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_read: 0
2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_get_error: 1
2017/05/30 09:57:01 [info] 3486#3486: *1223 SSL_read() failed (SSL: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:SSL alert number 10) while waiting for request, client: 195.16.143.6, server: 0.0.0.0:443
2017/05/30 09:57:01 [debug] 3486#3486: *1223 close http connection: 38
2017/05/30 09:57:01 [debug] 3486#3486: *1223 SSL_shutdown: 1
2017/05/30 09:57:01 [debug] 3486#3486: *1223 event timer del: 38: 1496131081192
2017/05/30 09:57:01 [debug] 3486#3486: *1223 reusable connection: 0
2017/05/30 09:57:01 [debug] 3486#3486: *1223 free: 000055D282587F80
2017/05/30 09:57:01 [debug] 3486#3486: *1223 free: 000055D282508980, unused: 24

I don't understand why this error appears when I enable SSL3 in nginx; it only happens when I use this subdomain. My other subdomains have the same thing, and they all work fine.

My subdomain.conf:

ssl_certificate /etc/letsencrypt/live/musica.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/musica.domain.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM$
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;

Chrome error:

SSL protocol error

Mozilla error:

An error occurred while connecting to musica.domain.com. SSL received an unexpected New Session Ticket handshake message. Error code: SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET

Answer 1

I found that when there are several subdomains, the SSL configuration should be the same for all of them; that was the problem. I put the SSL parameters in a separate file and include it in subdomain.conf. You can see that in the subdomain that failed I had copied the wrong ciphers, which is why it broke. Now that all subdomains served from the same site share one SSL configuration instead of a file-by-file one, everything is identical and the error is gone.

This gave me the clue:

https://github.com/jwilder/nginx-proxy/issues/580#issuecomment-249587149

If you have 2 server configs and one of them has ssl_server_tokens set to on, then in some browsers it will break the server that is set to off.

Config file /etc/nginx/snippets/ssl-params.conf:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
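The root cause above is two server blocks on the same listen socket with different ssl_* settings. Because nginx picks the virtual server by SNI only after the ClientHello has arrived, the session-related parameters of the blocks sharing a port need to agree, and a per-file copy of the cipher list is easy to get wrong. The following is an added example, not code from the question or the answer: a small Python checker that walks nginx server blocks (including the snippet the answer moved the settings into), groups them by listen socket and reports the shared ssl_* directives whose values differ. The sample configuration, the snippet contents and the hostnames are constructed for the example.

```python
"""Report ssl_* directives that differ between nginx server blocks sharing a
listen socket. Added example; the configuration below is constructed."""
import re
from collections import defaultdict

# Constructed sample: two subdomains on one listen socket. The second one
# carries a hand-copied (and different) cipher list and a different
# session-ticket setting, mirroring the mismatch described in the answer.
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    server_name www.domain.com;
    include /etc/nginx/snippets/ssl-params.conf;
    ssl_session_tickets on;
}
server {
    listen 443 ssl;
    server_name musica.domain.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
    ssl_session_tickets off;
}
"""

# Constructed contents of the included snippet, keyed by its path.
INCLUDES = {
    "/etc/nginx/snippets/ssl-params.conf": """
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    """,
}

# Directives that must agree between blocks on one socket. Certificate paths
# (ssl_certificate, ssl_certificate_key) legitimately differ per hostname.
SHARED_DIRECTIVES = {
    "ssl_protocols", "ssl_ciphers", "ssl_prefer_server_ciphers", "ssl_dhparam",
    "ssl_session_cache", "ssl_session_timeout", "ssl_session_tickets",
    "ssl_session_ticket_key", "ssl_stapling", "ssl_stapling_verify",
}

# One 'name value;' directive per line (good enough for the flat ssl_* lines).
DIRECTIVE_RE = re.compile(r"^\s*(\S+)\s+(.*?);\s*$", re.MULTILINE)


def server_blocks(text):
    """Return the body text of each top-level 'server { ... }' block."""
    blocks, pos = [], 0
    while True:
        match = re.search(r"\bserver\s*\{", text[pos:])
        if not match:
            return blocks
        start = pos + match.end()
        depth, i = 1, start
        while i < len(text) and depth:       # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append(text[start:i - 1])
        pos = i


def directives(body, includes):
    """Flatten a server block into {name: value}, expanding 'include' files
    from the constructed INCLUDES map instead of the filesystem."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(body):
        if name == "include":
            found.update(directives(includes.get(value, ""), includes))
        else:
            found[name] = value.strip()
    return found


def find_mismatches(config_text, includes):
    """Group TLS server blocks by listen socket and return
    {listen: {directive: {server_name: value}}} for every shared directive
    whose value is not identical across the blocks on that socket."""
    by_listen = defaultdict(list)
    for body in server_blocks(config_text):
        block = directives(body, includes)
        if "ssl" in block.get("listen", "").split():
            by_listen[block["listen"]].append(block)
    report = {}
    for listen, blocks in by_listen.items():
        for name in sorted(SHARED_DIRECTIVES):
            values = {b.get("server_name", "?"): b.get(name) for b in blocks}
            if len(set(values.values())) > 1:
                report.setdefault(listen, {})[name] = values
    return report


if __name__ == "__main__":
    for listen, diffs in find_mismatches(SAMPLE_CONFIG, INCLUDES).items():
        print(f"listen {listen}:")
        for name, per_host in diffs.items():
            print(f"  {name} differs: {per_host}")
```

Run against a real tree, the check points at the block whose settings drifted; the fix is the one the answer applied, one shared snippet included from every server block rather than a copy per file.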

Answer 2

Your nginx subdomain config file does not enable SSLv3; only TLSv1.0/1.1/1.2 are enabled. If your client (browser) tries to negotiate SSLv3 only (which should only apply to legacy browsers, or a browser or OS configured to use SSLv3 only), it will fail.

Another, more likely, scenario is that the client does not support your cipher set. If you relax the cipher restrictions, can your web browser connect?